From ffbcaca24a1a396115474e49053b556f1e894c3d Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Wed, 12 Oct 2022 07:22:58 -0400
Subject: [PATCH] Update reference for PasswordEncoders

Issue gh-10506
---
 .../authentication/password-storage.adoc | 28 ++++++++++++-------
 .../features/integrations/cryptography.adoc | 4 +--
 2 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/docs/modules/ROOT/pages/features/authentication/password-storage.adoc b/docs/modules/ROOT/pages/features/authentication/password-storage.adoc
index b11441c501..38b016fc07 100644
--- a/docs/modules/ROOT/pages/features/authentication/password-storage.adoc
+++ b/docs/modules/ROOT/pages/features/authentication/password-storage.adoc
@@ -93,8 +93,12 @@ String idForEncode = "bcrypt";
 Map encoders = new HashMap<>();
 encoders.put(idForEncode, new BCryptPasswordEncoder());
 encoders.put("noop", NoOpPasswordEncoder.getInstance());
-encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
-encoders.put("scrypt", new SCryptPasswordEncoder());
+encoders.put("pbkdf2", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_5());
+encoders.put("pbkdf2@SpringSecurity_v5_8", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8());
+encoders.put("scrypt", SCryptPasswordEncoder.defaultsForSpringSecurity_v4_1());
+encoders.put("scrypt@SpringSecurity_v5_8", SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8());
+encoders.put("argon2", Argon2PasswordEncoder.defaultsForSpringSecurity_v5_2());
+encoders.put("argon2@SpringSecurity_v5_8", Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8());
 encoders.put("sha256", new StandardPasswordEncoder());
 PasswordEncoder passwordEncoder =
@@ -108,8 +112,12 @@ val idForEncode = "bcrypt"
 val encoders: MutableMap = mutableMapOf()
 encoders[idForEncode] = BCryptPasswordEncoder()
 encoders["noop"] = NoOpPasswordEncoder.getInstance()
-encoders["pbkdf2"] = Pbkdf2PasswordEncoder()
-encoders["scrypt"] = SCryptPasswordEncoder()
+encoders["pbkdf2"] = Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_5()
+encoders["pbkdf2@SpringSecurity_v5_8"] = Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8()
+encoders["scrypt"] = SCryptPasswordEncoder.defaultsForSpringSecurity_v4_1()
+encoders["scrypt@SpringSecurity_v5_8"] = SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8()
+encoders["argon2"] = Argon2PasswordEncoder.defaultsForSpringSecurity_v5_2()
+encoders["argon2@SpringSecurity_v5_8"] = Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8()
 encoders["sha256"] = StandardPasswordEncoder()
 val passwordEncoder: PasswordEncoder = DelegatingPasswordEncoder(idForEncode, encoders)
@@ -363,7 +371,7 @@ The current implementation of the `Argon2PasswordEncoder` requires BouncyCastle.
 [source,java,role="primary"]
 ----
 // Create an encoder with all the defaults
-Argon2PasswordEncoder encoder = new Argon2PasswordEncoder();
+Argon2PasswordEncoder encoder = Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8();
 String result = encoder.encode("myPassword");
 assertTrue(encoder.matches("myPassword", result));
 ----
@@ -372,7 +380,7 @@ assertTrue(encoder.matches("myPassword", result));
 [source,kotlin,role="secondary"]
 ----
 // Create an encoder with all the defaults
-val encoder = Argon2PasswordEncoder()
+val encoder = Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8()
 val result: String = encoder.encode("myPassword")
 assertTrue(encoder.matches("myPassword", result))
 ----
@@ -392,7 +400,7 @@ This algorithm is a good choice when FIPS certification is required.
 [source,java,role="primary"]
 ----
 // Create an encoder with all the defaults
-Pbkdf2PasswordEncoder encoder = new Pbkdf2PasswordEncoder();
+Pbkdf2PasswordEncoder encoder = Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8();
 String result = encoder.encode("myPassword");
 assertTrue(encoder.matches("myPassword", result));
 ----
@@ -401,7 +409,7 @@ assertTrue(encoder.matches("myPassword", result));
 [source,kotlin,role="secondary"]
 ----
 // Create an encoder with all the defaults
-val encoder = Pbkdf2PasswordEncoder()
+val encoder = Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8()
 val result: String = encoder.encode("myPassword")
 assertTrue(encoder.matches("myPassword", result))
 ----
@@ -420,7 +428,7 @@ Like other adaptive one-way functions, it should be tuned to take about 1 second
 [source,java,role="primary"]
 ----
 // Create an encoder with all the defaults
-SCryptPasswordEncoder encoder = new SCryptPasswordEncoder();
+SCryptPasswordEncoder encoder = SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8();
 String result = encoder.encode("myPassword");
 assertTrue(encoder.matches("myPassword", result));
 ----
@@ -429,7 +437,7 @@ assertTrue(encoder.matches("myPassword", result));
 [source,kotlin,role="secondary"]
 ----
 // Create an encoder with all the defaults
-val encoder = SCryptPasswordEncoder()
+val encoder = SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8()
 val result: String = encoder.encode("myPassword")
 assertTrue(encoder.matches("myPassword", result))
 ----
diff --git a/docs/modules/ROOT/pages/features/integrations/cryptography.adoc b/docs/modules/ROOT/pages/features/integrations/cryptography.adoc
index c91c882d0a..192acbbe71 100644
--- a/docs/modules/ROOT/pages/features/integrations/cryptography.adoc
+++ b/docs/modules/ROOT/pages/features/integrations/cryptography.adoc
@@ -251,7 +251,7 @@ In order to defeat password cracking PBKDF2 is a deliberately slow algorithm and
 [source,java,role="primary"]
 ----
 // Create an encoder with all the defaults
-Pbkdf2PasswordEncoder encoder = new Pbkdf2PasswordEncoder();
+Pbkdf2PasswordEncoder encoder = Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8();
 String result = encoder.encode("myPassword");
 assertTrue(encoder.matches("myPassword", result));
 ----
@@ -260,7 +260,7 @@ assertTrue(encoder.matches("myPassword", result));
 [source,kotlin,role="secondary"]
 ----
 // Create an encoder with all the defaults
-val encoder = Pbkdf2PasswordEncoder()
+val encoder = Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8()
 val result: String = encoder.encode("myPassword")
 assertTrue(encoder.matches("myPassword", result))
 ----