Also deprecate BCrypt.gensalt(int) without SecureRandom parameter

- Deprecates BCrypt.gensalt(int) method Closes gh-17824 Signed-off-by: Yerin Lee <rt8632@naver.com>
2026-04-17 14:30:27 +00:00 · 2026-02-05 16:03:49 +09:00 · 2026-02-05 16:03:49 +09:00 · 7c31eb58ac
commit 7c31eb58ac
parent d4f49a5b43
1 changed files with 5 additions and 0 deletions
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
@ -744,7 +744,12 @@ public class BCrypt {
 	 * factor therefore increases as 2**log_rounds.
 	 * @return an encoded salt value
 	 * @exception IllegalArgumentException if log_rounds is invalid
+	 * @deprecated since 6.4 in favor of {@link #gensalt(int, SecureRandom)}.
+	 * Creating a new {@code SecureRandom} instance on every invocation incurs significant
+	 * performance overhead. Use {@link #gensalt(int, SecureRandom)} with a reusable
+	 * {@code SecureRandom} instance instead.
 	 */
+	@Deprecated(since = "6.4", forRemoval = false)
 	public static String gensalt(int log_rounds) throws IllegalArgumentException {
 		return gensalt(log_rounds, new SecureRandom());
 	}