Commit Graph

249 Commits

Author SHA1 Message Date
Tim te Beek 9df9cb5aed refactor: AssertJ best practices
Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/bGVuS?organizationId=RGVmYXVsdA%3D%3D

Co-authored-by: Moderne <team@moderne.io>
2023-09-12 16:18:14 -06:00
Krzysztof Krason 9b603b99ab Using modern Java features 2023-06-22 11:24:25 -06:00
Joe Grandja ed6a7f7730 Remove deprecated constructors in PasswordEncoders
Closes gh-11985
2022-10-12 02:38:25 -04:00
Joe Grandja 7af111cd33 Merge branch '5.8.x' 2022-10-12 01:28:01 -04:00
Joe Grandja c50441b59f Update default configuration for Pbkdf2PasswordEncoder
The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.

Previous default configuration:
algorithm=SHA1, iterations=185000, hashLength=256

New default configuration:
algorithm=SHA256, iterations=310000, hashLength=256

The default salt length was also updated from 8 to 16.

Closes gh-10506, Closes gh-10489
2022-10-12 00:45:10 -04:00
Joe Grandja f8419003eb Update default configuration for SCryptPasswordEncoder
The recommended minimums for scrypt, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use scrypt with a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.

Previous default configuration:
cpuCost=16384, memoryCost=8, parallelism=1

New default configuration:
cpuCost=65536, memoryCost=8, parallelism=1

The default salt length was also updated from 64 to 16.

Issue gh-10506
2022-10-12 00:14:07 -04:00
Joe Grandja 2ea62d0f8b Update default configuration for Argon2PasswordEncoder
The recommended minimums for Argon2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.

Previous default configuration:
memory=4, iterations=3, parallelism=1

New default configuration:
memory=16, iterations=2, parallelism=1

Issue gh-10506
2022-10-11 18:04:37 -04:00
Rob Winch d996c2a2c6 Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)`
This method is insecure. Users should instead encrypt with their database.

Closes gh-8980
2022-09-07 13:51:58 -05:00
Rob Winch 2fb625db84 Remove mockito deprecations
Issue gh-11748
2022-08-23 15:59:52 -05:00
Josh Cummings ba0f8ec3ef
Correct input validation for 31 rounds
Closes gh-11470
2022-07-11 14:06:15 -06:00
Josh Cummings 3f13fa0285
Improve Upgrading
Closes gh-11259
2022-07-11 14:06:04 -06:00
Jihoon Cha af7f943325
Prevent instantiation of DelegatingPasswordEncoder if idPrefix contains idSuffix
Closes gh-10933
2022-04-05 09:16:44 -05:00
Rob Winch 0c201565fc Fix format DelegatingPasswordEncoder 2021-11-16 13:32:15 -06:00
Rob Winch 582629c087 Rename prefix/suffix in DelegatingPasswordEncoder
Issue gh-10273
2021-11-16 13:16:37 -06:00
heowc 399cf2e59d Support for changing prefix and suffix in `DelegatingPasswordEncoder`
Closes gh-10273
2021-11-16 13:16:37 -06:00
Marcus Da Coregio 02b2fcc6f0 Restore ManagementConfigurationPlugin
Issue gh-9615
2021-10-05 11:23:29 -03:00
Marcus Da Coregio d2e5f2ae0d Update Gradle to 7.2
Closes gh-9615
2021-10-04 15:19:40 -03:00
heowc 84d173c310 Fix typo 2021-09-27 10:55:18 -03:00
heowc 7b73b94198 Fix typo 2021-09-22 16:29:50 -06:00
Rob Winch f73f213f50 Remove DependencySetPlugin
Closes gh-10070
2021-07-12 15:31:38 -05:00
Rob Winch 793cd71a5e Remove remaining junit code 2021-07-09 15:57:21 -05:00
Rob Winch 3e93b024d6 openrewrite Junit Migration 2021-07-09 14:32:52 -05:00
Eleftheria Stein 204a32aba8 Replace < and > with &lt and &gt in Javadoc
Closes gh-9847
2021-06-04 12:26:07 +03:00
Prashant Tholia 3c33535681 Update javadoc for AesBytesEncrytor constructors
Update AesBytesEncryptor constructors' javadoc to:
1. mention default IV length and encryption mode,
2. provide links to appropriate constructors that allow users to
specify custom IV and encryption mode.

Related to gh-3879 and gh-9361
2021-04-05 13:49:29 -06:00
Prashant Tholia 67fdac1db1 Fix Encryptors.java javadoc
Fix link issue in 'See Also' section of Encryptors.standard method
2021-04-05 12:33:27 -06:00
Rob Winch 60d3db5798 add management platform(project(":spring-security-dependencies"))
Closes gh-9540
2021-04-05 10:36:36 -05:00
Manousos Mathioudakis d948528b7b Add javadoc at constructors.
Closes gh-9361

Signed-off-by: Manousos Mathioudakis <manoumathioudakis@yahoo.gr>
2021-03-26 16:00:52 -05:00
Eleftheria Stein 4a492846f1 Revert "Lock dependencies for 2.5.0-M3"
This reverts commit f05cc6269c.
2021-03-15 23:18:45 +01:00
Eleftheria Stein f05cc6269c Lock dependencies for 2.5.0-M3 2021-03-15 11:00:19 +01:00
Josh Cummings c4be1c6a56
Revert "Lock Dependencies"
This reverts commit a85caa4098.
2021-02-11 15:49:59 -07:00
Josh Cummings a85caa4098
Lock Dependencies 2021-02-11 15:00:38 -07:00
Loic Guibert 050e4a98b4 Fix javadoc in Pbkdf2PasswordEncoder
- Add @author Loïc Guibert
- Add @since 5.5 to new constructors

See PR gh-9147
2020-11-25 11:45:21 -07:00
Loic Guibert ad489495dc Make salt length configurable in Pbkdf2PasswordEncoder
Add constructors with a salt length input parameter.
Default salt length is still 8-byte long like before when
saltGenerator was initialized with call to
KeyGenerators#secureRandom() which use
SecureRandomBytesKeyGenerator#DEFAULT_KEY_LENGTH.

Closes gh-4372
2020-11-11 10:12:17 -06:00
Joe Grandja b95e1aa209 Revert "Lock dependencies for 5.5.0-M1"
This reverts commit 25a7482c8c.
2020-11-03 19:53:28 -05:00
Rob Winch 25a7482c8c Lock dependencies for 5.5.0-M1 2020-10-30 17:52:03 -05:00
Phillip Webb c502312719 Replace expected @Test attributes with AssertJ
Replace JUnit expected @Test attributes with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb 20baa7d409 Replace ExpectedException @Rules with AssertJ
Replace JUnit ExpectedException @Rules with AssertJ calls.
2020-09-22 16:13:51 -06:00
uy-rrodriguez d9276ed8f3 Quick javadoc fix for DelegatingPasswordEncoder
Quick fix for the javadoc of `UnmappedIdPasswordEncoder` in `DelegatingPasswordEncoder.java`, which appeared incomplete.
2020-09-21 08:05:05 -04:00
Joe Grandja 7b1f574769 Revert "Lock Dependency Versions for 5.4.0"
This reverts commit 3d0e459182.
2020-09-09 18:14:12 -04:00
Joe Grandja 3d0e459182 Lock Dependency Versions for 5.4.0 2020-09-09 13:45:03 -04:00
Rob Winch a662a5593e Polish crypto format
Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 319d3364aa Migrate to assertThatExceptionOfType
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb a5aa6b3d7f Remove blank lines from all tests
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb da22e97147 Polish spring-security-crypto main code
Manually polish `spring-security-crypto` following the formatting
and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 834dcf5bcf Use consistent ternary expression style
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.

For example: `a = (a != null) ? a : b`

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d3f039f76 Reduce method visibility when possible
Reduce method visibility for package private classes when possible.

In the case of abstract classes that will eventually be made public,
the class has been made public and a package-private constructor has
been added.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 01d90c9881 Hide utility class constructors
Update all utility classes so that they have a private constructor. This
prevents users from accidentally creating an instance, when they should
just use the static methods directly.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb ff94944313 Add whitespace after copyright header
Add an additional lines after the copyright header and before the
`package` declaration. This aligns with the style used by Spring
Framework.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 31ec450d05 Remove superfluous comments
Remove a few comments that previously add noise but don't offer a great
deal of value.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d80166aaf Update exception variable names
Consistently use `ex` for caught exception and `cause` for Exception
constructor arguments.

Issue gh-8945
2020-08-24 17:33:08 -05:00