Deprecate BCrypt.gensalt() without SecureRandom parameter

Creating a new SecureRandom instance on every call causes
unnecessary performance overhead. This change:

- Deprecates BCrypt.gensalt(String, int) method
- Modifies BCryptPasswordEncoder constructors to create
  and reuse SecureRandom instances
- Maintains backward compatibility

All existing tests pass.

Closes gh-17824

Signed-off-by: Yerin Lee <rt8632@naver.com>
Yerin Lee 2026-01-22 23:17:17 +09:00 committed by Josh Cummings
parent 6d20e02173
commit d4f49a5b43
2 changed files with 9 additions and 4 deletions


@ -716,7 +716,12 @@ public class BCrypt {
* factor therefore increases as 2**log_rounds.
* @return an encoded salt value
* @exception IllegalArgumentException if prefix or log_rounds is invalid
* @deprecated since 6.4 in favor of {@link #gensalt(String, int, SecureRandom)}.
* Creating a new {@code SecureRandom} instance on every invocation incurs significant
* performance overhead. Use {@link #gensalt(String, int, SecureRandom)} with a reusable
* {@code SecureRandom} instance instead.
*/
@Deprecated(since = "6.4", forRemoval = false)
public static String gensalt(String prefix, int log_rounds) throws IllegalArgumentException {
return gensalt(prefix, log_rounds, new SecureRandom());
}
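Review bot: `@Deprecated(since = "6.4", forRemoval = false)` on the annotation line spells out `forRemoval = false`, which is the element's default, so `@Deprecated(since = "6.4")` says the same thing more concisely; the `since` value should also be checked against the release this actually lands in, because the Javadoc `@deprecated` tag repeats it and the two must stay in step. The `@deprecated` text links the replacement overload twice within three lines; one link plus the reason reads better, e.g. `@deprecated since 6.4 in favor of {@link #gensalt(String, int, SecureRandom)}, which lets callers reuse a single {@code SecureRandom} instance instead of constructing one per call.` The method's Javadoc comment begins above this hunk.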


@ -47,21 +47,21 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
private final @Nullable SecureRandom random;
public BCryptPasswordEncoder() {
this(-1);
this(-1, new SecureRandom());
}
/**
* @param strength the log rounds to use, between 4 and 31
*/
public BCryptPasswordEncoder(int strength) {
this(strength, null);
this(strength, new SecureRandom());
}
/**
* @param version the version of bcrypt, can be 2a,2b,2y
*/
public BCryptPasswordEncoder(BCryptVersion version) {
this(version, null);
this(version, new SecureRandom());
}
/**
@ -85,7 +85,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
* @param strength the log rounds to use, between 4 and 31
*/
public BCryptPasswordEncoder(BCryptVersion version, int strength) {
this(version, strength, null);
this(version, strength, new SecureRandom());
}
/**
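Review bot: The field on the first context line stays `private final @Nullable SecureRandom random;` although every convenience constructor in this hunk now passes `new SecureRandom()`, so the only remaining way to reach the null branch is a caller handing null to the three-argument constructor these delegate to; since that branch presumably falls back to the `BCrypt.gensalt(String, int)` overload this same commit deprecates, it would be cleaner to normalize there with `this.random = (random != null) ? random : new SecureRandom();` and drop `@Nullable` from the field. That constructor and the encode path are outside the hunk, so this is inferred from the commit description rather than visible lines. Sharing one `SecureRandom` across all encode calls of an encoder is sound, as the JDK documents `SecureRandom` as safe for use by multiple concurrent threads.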