From a5dc48f9d963ba54507f37da95771df3efaa7540 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 3 May 2018 15:13:06 -0500
Subject: [PATCH] Improve PasswordEncoder deprecated notices

Fixes: gh-5296
---
 .../org/springframework/security/core/userdetails/User.java | 2 ++
 .../security/crypto/password/LdapShaPasswordEncoder.java | 3 ++-
 .../security/crypto/password/Md4PasswordEncoder.java | 3 ++-
 .../crypto/password/MessageDigestPasswordEncoder.java | 3 ++-
 .../security/crypto/password/StandardPasswordEncoder.java | 5 +++--
 5 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/core/src/main/java/org/springframework/security/core/userdetails/User.java b/core/src/main/java/org/springframework/security/core/userdetails/User.java
index f1f1a68c66..140e8c885e 100644
--- a/core/src/main/java/org/springframework/security/core/userdetails/User.java
+++ b/core/src/main/java/org/springframework/security/core/userdetails/User.java
@@ -326,6 +326,8 @@ public class User implements UserDetails, CredentialsContainer {
 * @deprecated Using this method is not considered safe for production, but is
 * acceptable for demos and getting started. For production purposes, ensure the
 * password is encoded externally. See the method Javadoc for additional details.
+ * There are no plans to remove this support. It is deprecated to indicate
+ * that this is considered insecure for production purposes.
 */
 @Deprecated
 public static UserBuilder withDefaultPasswordEncoder() {
diff --git a/crypto/src/main/java/org/springframework/security/crypto/password/LdapShaPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/password/LdapShaPasswordEncoder.java
index 8288d801c0..6babace267 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/password/LdapShaPasswordEncoder.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/password/LdapShaPasswordEncoder.java
@@ -39,7 +39,8 @@ import java.util.Base64;
 * @deprecated Digest based password encoding is not considered secure. Instead use an
 * adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
 * SCryptPasswordEncoder. Even better use {@link DelegatingPasswordEncoder} which supports
- * password upgrades.
+ * password upgrades. There are no plans to remove this support. It is deprecated to indicate
+ * that this is a legacy implementation and using it is considered insecure.
 */
 @Deprecated
 public class LdapShaPasswordEncoder implements PasswordEncoder {
diff --git a/crypto/src/main/java/org/springframework/security/crypto/password/Md4PasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/password/Md4PasswordEncoder.java
index 4ee0861173..c8e3fe7333 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/password/Md4PasswordEncoder.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/password/Md4PasswordEncoder.java
@@ -73,7 +73,8 @@ import java.util.Base64;
 * @deprecated Digest based password encoding is not considered secure. Instead use an
 * adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
 * SCryptPasswordEncoder. Even better use {@link DelegatingPasswordEncoder} which supports
- * password upgrades.
+ * password upgrades. There are no plans to remove this support. It is deprecated to indicate
+ * that this is a legacy implementation and using it is considered insecure.
 */
 @Deprecated
 public class Md4PasswordEncoder implements PasswordEncoder {
diff --git a/crypto/src/main/java/org/springframework/security/crypto/password/MessageDigestPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/password/MessageDigestPasswordEncoder.java
index 52ba365e12..250bbae5aa 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/password/MessageDigestPasswordEncoder.java
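Review bot: The context line `* adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or` in the LdapShaPasswordEncoder hunk still carries the `funciton` typo that this commit corrects in StandardPasswordEncoder. The same unchanged line appears in the Md4PasswordEncoder and MessageDigestPasswordEncoder hunks, so the four deprecation notices end up differing in one word. Since each notice is being edited anyway, change the line to `* adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or` in all three files. The class bodies continue outside the hunks.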
+++ b/crypto/src/main/java/org/springframework/security/crypto/password/MessageDigestPasswordEncoder.java
@@ -76,7 +76,8 @@ import java.util.Base64;
 * @deprecated Digest based password encoding is not considered secure. Instead use an
 * adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
 * SCryptPasswordEncoder. Even better use {@link DelegatingPasswordEncoder} which supports
- * password upgrades.
+ * password upgrades. There are no plans to remove this support. It is deprecated to indicate
+ * that this is a legacy implementation and using it is considered insecure.
 */
 @Deprecated
 public class MessageDigestPasswordEncoder implements PasswordEncoder {
diff --git a/crypto/src/main/java/org/springframework/security/crypto/password/StandardPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/password/StandardPasswordEncoder.java
index d9d028c125..974f618bb9 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/password/StandardPasswordEncoder.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/password/StandardPasswordEncoder.java
@@ -41,9 +41,10 @@ import org.springframework.security.crypto.keygen.KeyGenerators;
 * @author Keith Donald
 * @author Luke Taylor
 * @deprecated Digest based password encoding is not considered secure. Instead use an
- * adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
+ * adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or
 * SCryptPasswordEncoder. Even better use {@link DelegatingPasswordEncoder} which supports
- * password upgrades.
+ * password upgrades. There are no plans to remove this support. It is deprecated to indicate
+ * that this is a legacy implementation and using it is considered insecure.
 */
 @Deprecated
 public final class StandardPasswordEncoder implements PasswordEncoder {
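Review bot: The sentence added to the StandardPasswordEncoder notice, `There are no plans to remove this support.`, tells readers the class stays but not what it is still appropriate for. The notice already points at `{@link DelegatingPasswordEncoder}` for password upgrades, so presumably the encoder is kept to verify hashes that are already stored; saying so would keep the "no plans to remove" wording from reading as permission to go on producing new digests. Consider appending `Use it only to match existing hashes while migrating; do not encode new passwords with it.` The same sentence is added in the LdapShaPasswordEncoder, Md4PasswordEncoder and MessageDigestPasswordEncoder hunks and would take the same addition. The class body continues outside the hunk.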