Commit Graph

241 Commits

Author SHA1 Message Date
linfeng 388a7b62b9 Add BCrypt Revision Support
Fixes: gh-3320
2018-10-22 11:13:55 -05:00
Vedran Pavic cb0ba58b58 Fix WhitespaceAfterCheck Checkstyle check 2018-08-27 10:45:35 -05:00
Johnny Lim e945f3bf82 Fix typo
Closes #5579
2018-08-03 09:58:01 -05:00
Rob Winch 02b857d82a Add PasswordEncoder.upgradeEncoding
Issue: gh-2778
2018-07-14 22:52:15 -05:00
Johnny Lim 9b42831c70 Suppress deprecation warnings in spring-security-crypto 2018-05-04 21:02:57 -05:00
Rob Winch 0a5da93640 Improve PasswordEncoder deprecated notices
Fixes: gh-5296
2018-05-03 15:13:06 -05:00
Rob Winch b1d013e8f0 Fix JDK 9
Issue: gh-5160
2018-03-27 09:30:56 -05:00
Alexander Münch a622a92001 Fix: Typo in DelegatingPasswordEncoder's Javadoc 2018-01-30 10:07:49 -06:00
Rob Winch 22737dce7e Polish
DelegatingPasswordEncoder copies the provided Map. This ensures that
references to the Map do not update the state of DelegatingPasswordEncoder
and NullPointerException is avoided for implementations that do not allow
a null key.

Issue: gh-4936
2018-01-03 10:11:04 -06:00
Michael J. Simons 2b66793535 Catch possible NullPointerException
Some maps may throw a NullPointerException when get is called with null. This commit catches the exceptions and just leaves the delegate null.

Fixes gh-4936
2018-01-03 09:46:58 -06:00
Rob Winch e5b41f30ea Fix DelegatingPasswordEncoderTests
Issue: gh-4872
2017-11-27 12:01:31 -06:00
Rob Winch f558b5016c DelegatingPasswordEncoder handles null encodedPassword
Fixes: gh-4872
2017-11-27 11:42:56 -06:00
Johnny Lim b6895e6359 Apply Checkstyle WhitespaceAfterCheck module 2017-11-16 11:18:31 -06:00
Rob Winch e17272c633 Polish 2017-11-16 10:33:59 -06:00
Johnny Lim d900f2a623 Remove unused imports
This commit also adds UnusedImportsCheck Checkstyle module.
2017-11-14 14:41:08 -06:00
Antoine e0aca04a28 Polish AssertJ assertions
Polish AssertJ assertions
2017-10-29 22:22:34 -05:00
Joris Portegies Zwart de9fe3e3b1 Fix the JavaDoc for Pbkdf2PasswordEncoder so that it uses the actual values for default hash width and number of iterations 2017-10-29 21:08:38 -05:00
Kazuki Shimizu a7ba02bdef Polishing the Pbkdf2PasswordEncoder's javadoc 2017-10-24 12:49:01 -05:00
Rob Winch 6532bac295 Update Md4PasswordEncoder Javadoc
Include format and migration information.

Issue: gh-4674
2017-10-24 10:23:38 -05:00
Rob Winch 03ebf19878 Update MessageDigestPasswordEncoder javadoc
Include format and migration information

Issue: gh-4674
2017-10-24 10:23:27 -05:00
Rob Winch 870b8bf9b2 Pbkdf2PasswordEncoder supports Base64 encoding
Fixes gh-4683
2017-10-24 08:47:04 -05:00
Rob Winch fe8f3afbaf Pbkdf2PasswordEncoder allows custom SecretKeyFactory
Fixes gh-2742
2017-10-24 08:34:30 -05:00
Rob Winch d832213c6c Add ldap to PasswordEncoderFactories
Issue: gh-4674
2017-10-24 07:56:28 -05:00
Rob Winch d83f4c4aa5 Add SHA-256 to PasswordEncoderFactories
Issue: gh-4674
2017-10-24 07:56:28 -05:00
Rob Winch 5f2785d39c Add SHA-1 to PasswordEncoderFactories
Issue: gh-4674
2017-10-24 07:56:28 -05:00
Rob Winch 63e061f4d1 Add MD5 to PasswordEncoderFactories
Issue: gh-4674
2017-10-24 07:56:28 -05:00
Rob Winch 7fe41de5eb Add MD4 to PasswordEncoderFactories
Issue: gh-4674
2017-10-24 07:56:28 -05:00
Rob Winch 3a4a32e654 Remove LdapShaPasswordEncoder from core
Issue: gh-4674
2017-10-24 07:56:20 -05:00
Rob Winch 1ed1716df4 Add LdapShaPasswordEncoder to crypto
Issue: gh-4674
2017-10-23 22:27:16 -05:00
Rob Winch d9a594d039 Add Md4PasswordEncoder to crypto
Issue: gh-4674
2017-10-23 22:27:16 -05:00
Rob Winch 8fda55e98f Add MessageDigestPasswordEncoder to crypto
Issue: gh-4674
2017-10-23 22:27:16 -05:00
Rob Winch 7b282b54c8 Deprecate StandardPasswordEncoder
Issue: gh-2776
2017-10-23 22:27:16 -05:00
Rob Winch a0e9eb3a64 Deprecate NoOpPasswordEncoder
Issue: gh-2776
2017-10-23 22:27:16 -05:00
Rob Winch b66ea9ab94 Allow Digester iterations to update
Fixes gh-4676
2017-10-23 22:27:16 -05:00
Kazuki Shimizu 2937477405 Polishing
See gh-4666
2017-10-23 08:36:24 -05:00
Kazuki Shimizu c7f4160e04 Fix Javadoc of PasswordEncoderFactories#createDelegatingPasswordEncoder
See gh-4666
2017-10-22 11:54:32 -05:00
Rob Winch d152a2e2c1 Add PasswordEncoderFactories
Issue gh-4666
2017-10-20 13:26:17 -05:00
Rob Winch d0332eb71a Add DelegatingPasswordEncoder
Fixes gh-4666
2017-10-20 13:26:17 -05:00
Rob Winch d7d6400971 DefaultStateGenerator->Base64StringKeyGenerator
Rename and move DefaultStateGenerator since it is more generic than just
OAuth.

Fixes gh-4645
2017-10-18 11:29:04 -05:00
Rob Winch e16b8e7976 Fix logback-test.xml 2017-08-17 16:42:01 -05:00
Rob Winch 07c3123696 Deprecate crypto.codec.Base64
In commit 85719fc Base64 was removed. However, this class was never
deprecated properly. This commit adds it back and marks it as deprecated.

Fixes gh-4421
2017-06-26 09:21:00 -05:00
Rob Winch d81b436e5d Remove pom.xml from build
Gradle is easy enough to import into IDEs, so pom.xml should no
longer be necessary.

This commit removes the pom.xml files from the build.

Fixes gh-4283
2017-05-11 14:32:36 -05:00
Vedran Pavic 85719fcd64 Use Base64 implementation provided by Java 8 2017-05-10 00:27:36 -05:00
Rob Winch 861e7994ff crypto uses spring-jcl 2017-05-09 02:35:46 -05:00
Rob Winch dd6fc48dd8 Standardize Build
The build now uses spring build conventions to simplify the build

Fixes gh-4284
2017-04-21 10:55:05 -05:00
Joe Grandja 2ce174dbf0 Update poms to 5.0.0.BUILD-SNAPSHOT 2017-04-07 16:49:50 -04:00
Rob Winch d2524eadfc Update poms to new SNAPSHOT version 2017-03-02 09:20:34 -06:00
Spring Buildmaster 081f0c4d94 Release version 4.2.2.RELEASE 2017-03-02 07:29:42 +00:00
SendilKumar N c31bdb6390 SCryptPasswordEncoder to take default keyLength value
Fixes gh-4225
Closes gh-4231
2017-03-01 23:11:52 -06:00
Spring Buildmaster 7a7ce11ebb Release version 4.2.1.RELEASE 2016-12-21 17:23:28 +00:00
Rob Winch bb834bccf6 Polish Exception Message
Polish Exception message for bad salt in BCrypt

Issue gh-4147
2016-12-06 08:45:08 -06:00
Jan Brennenstuhl 09436649cc handling null-values for salts properly now - fixes gh-4147 2016-12-06 08:43:19 -06:00
Spring Buildmaster 24fcb6c45a Release version 4.2.0.RELEASE 2016-11-09 23:42:11 +00:00
Spring Buildmaster 97b4cb0b73 Release version 4.2.0.RC1 2016-10-26 02:49:23 +00:00
Spring Buildmaster c1b8150439 Release version 4.2.0.M1 2016-09-23 19:39:33 +00:00
Rob Winch 4d02a5c0a0 Update pom.xml dependencies 2016-08-30 11:27:29 -05:00
Kazuki Shimizu a1f771251a Improve exception message on Hex#decode
Fixes gh-4043
2016-08-29 15:10:39 -04:00
Spring Buildmaster 919f000c80 Release version 4.1.1.RELEASE 2016-07-07 00:57:35 +00:00
Rob Winch 8f880aea0e Polish Pbkdf2PasswordEncoder
Issue gh-3930
2016-06-21 11:47:50 -05:00
vitaliy_kuzmich 5f658b3ffc Remove double salt in Pbkdf2PasswordEncoder
Issue gh-3930
2016-06-21 11:44:23 -05:00
Eddú Meléndez a2ead4cf7a Polish
Fixes gh-3892
2016-06-20 12:35:43 -05:00
Rob Winch 2d6051625f Update pom.xml 2016-06-17 14:30:11 -05:00
Kim Saabye Pedersen 9fcfeaf225 BCryptPasswordEncoder validates strength
Fixes gh-3862
2016-05-20 14:54:26 -05:00
Spring Buildmaster 001b05569a Release version 4.1.0.RELEASE 2016-05-05 04:25:46 +00:00
Spring Buildmaster 24d0069668 Release version 4.1.0.RC2 2016-04-21 01:47:25 +00:00
Will Tran b01437281d Bouncy Castle 1.47 Support
This forces us to avoid using CipherOutputStream, and instead use the
BlockCiphers directly. As an extra measure for correctness, test the
equivalence of the BC implementations against data sizes from 1 to 2048
bytes.

Fixes gh-2917
2016-04-18 08:35:57 -05:00
Will Tran 44fa624b6b Refactor test assumptions about JCE to common class. (#3817)
Apply assumptions directly to test methods instead of checking for key
length in crypto.gradle.
2016-04-14 17:02:31 -05:00
Will Tran 40208127e8 Skip tests when AesBytesEncryptor can't be created in CBC or GCM mode. (#3816)
Tests would fail in cases where JCE unlimited strength was available but
GCM wasn't, like on JDK7.
2016-04-14 15:21:20 -05:00
Will Tran 63b2cfe1cf Bouncy Castle implementations of AES-256
Adds "AES/CBC/PKCS5Padding" and "AES/GCM/NoPadding"

Fixes gh-2917
2016-04-13 16:28:55 -05:00
Rob Winch 95a3e30d9f Polish Pbkdf2PasswordEncoder
Fixes gh-2158
Fixes gh-51
2016-04-12 17:16:38 -05:00
Rob Worsnop 0ab7126e64 Added PBKDF2PasswordEncoder.
- Also moved some logic into a new class, AbstractPasswordEncoder.
  Both PBKDF2PasswordEncoder and the now-simplified
  StandardPasswordEncoder extend AbstractPasswordEncoder.
- Added tests for PBKDF2PasswordEncoder

Issue gh-2158
2016-04-12 17:16:38 -05:00
Joe Grandja b90242f2fa Updates all POM versions to 4.1.0 snapshot build.
Fixes gh-3804
2016-04-12 10:35:43 -04:00
Spring Buildmaster 044acf7e27 Release version 4.1.0.RC1 2016-03-23 07:15:15 -07:00
Rob Winch ec4e6c7453 Update pom.xml to 4.1.0.BUILD-SNAPSHOT 2016-03-14 00:51:35 -05:00
Rob Winch f221920a19 Clean up code to conform to basic checkstyle
Issue gh-3746
2016-03-14 00:15:12 -05:00
Billy Korando 71d4ce96ad Convert to assertj
Fixes gh-3175
2016-03-09 14:30:17 -06:00
Rob Winch bb600a473e Start AssertJ Migration
Issue gh-3175
2016-03-09 14:26:30 -06:00
Rob Winch a7b0f74803 bcprov-jdk15on -> bcpkix-jdk150n
This fixes the Spring IO checks since bcprov-jdk15on is not part of Spring
IO platform.

Issue gh-3702
2016-03-03 14:34:23 -06:00
Rob Winch 8fbc7e0d2c Fix SCryptPasswordEncoder javadoc
Issue gh-3702
2016-03-03 14:18:50 -06:00
Rob Winch fc75a679d9 Polish SCryptPasswordEncoder
* JDK8 Base64 -> Spring Security's Base64 to continue to support older JDKs
* Spaces to tabs
* Javadoc cleanup
* Removal of @Override to compile in Eclipse

Issue gh-3702
2016-03-03 14:06:08 -06:00
Shazin 7d02e259df Add SCryptPasswordEncoder
Fixes gh-3702
2016-03-03 10:24:29 -06:00
Rob Winch 69274d9aa8 SEC-2521: Improve StandardPasswordEncoder performance 2015-10-27 11:20:24 -05:00
zhanhb 29f2cc0ab1 snasphot -> snapshot 2015-09-25 15:28:39 -05:00
Rob Winch 8cc9108601 Merge pull request #209 from raindev/patch-1
Remove unused imports from SecureRandomBytesKeyGenerator
2015-08-06 08:54:09 -05:00
Rob Winch 969f3a7d1b Update pom.xml to latest snapshots 2015-08-03 09:46:01 -05:00
Thomas Darimont ad1d858e2b SEC-3056 - Fix JavaDoc errors.
Fixed JavaDoc errors across multiple modules in order to make javadoc happy with Java 8.
2015-08-03 08:02:24 -05:00
Rob Winch e8c9f75f9c Update pom.xml to latest versions 2015-07-22 12:51:04 -05:00
Andrew Barchuk 3832647ecf Remove unused imports 2015-07-14 16:35:11 +03:00
Rob Winch 3db01bd9d6 SEC-3002: Add JUnit Assume to GCM encryption tests
Not all JDKs have GCM installed on them.
2015-07-13 16:22:18 -05:00
Dave Syer a48cc18858 SEC-3002: Add new option for AES encryption with GCM
The Galois Counter Mode (GCM) is held to be superior to the current
default CBC. This change adds an extra parameter to the constructor
of AesBytesEncryptor and a new convenience method in Encryptors.
2015-07-09 23:27:33 -05:00
Rob Winch d5dfeeca49 SEC-2927: Update chat-jc pom so Maven Builds
Previously there were some incorrect dependency versions. This commit fixes
that.

We added dependencyManagement for Spring Framework and corrected
Thymeleaf and embedded redis versions.
2015-04-20 15:53:26 -05:00
Rob Winch db531d9100 SEC-2917: Update to Spring 4.1.6 2015-03-25 15:18:59 -05:00
Rob Winch ae6af5d73c SEC-2915: Updated Java Code Formatting 2015-03-25 13:09:18 -05:00
Rob Winch 0a2e496a84 SEC-2915: groovy/gradle spaces->tabs 2015-03-25 13:08:59 -05:00
Rob Winch cf9f58a4ac SEC-2915: XML spaces->tabs 2015-03-25 13:08:52 -05:00
Rob Winch 706e7fd7a2 SEC-2863: Update to Spring 4.1.5 2015-02-20 11:43:04 -06:00
Rob Winch 8f0001f59a Next Development Version 2014-12-11 20:39:26 -06:00
Spring Buildmaster 49b69196de Release version 4.0.0.RC1 2014-12-11 20:36:55 -06:00
Rob Winch 11116c2b80 SEC-2787: Update Versions 2014-12-10 16:37:19 -06:00
Rob Winch b56e5edbbd SEC-2784: Fix build plugins 2014-12-08 14:24:34 -06:00
Rob Winch dfa17bdb98 SEC-2747: Remove spring-core dependency from spring-security-crypto 2014-11-20 16:16:22 -06:00
Rob Winch 3187ee8bf3 SEC-2700: Register WithSecurityContextTestExecutionListener by default 2014-08-15 16:41:33 -05:00
Rob Winch b72c1ad314 SEC-2686: Create SecurityMockMvcConfigurer 2014-07-22 15:11:37 -05:00
Rob Winch 00e1094178 Add springio-platform plugin 2014-04-23 14:35:22 -05:00
Rob Winch 3118e39de8 SEC-2542: Use exclusions to remove duplicate dependencies
A number of projects had duplicate dependencies on their classpaths
as a result of the same classes being available in more than one
artifact, each with different Maven coordinates. Typically this only
affected the tests, but meant that the actual classes that were
loaded were somewhat unpredictable and had the potential to vary
between an IDE and the command line depending on the order in which
the artifacts appeared on the classpath. This commit adds a number of
exclusions to remove such duplicates.

In addition to the new exclusions, notable other changes are:

 - Spring Data JPA has been updated to 1.4.1. This brings its
   transitive dependency upon spring-data-commons into line with
   Spring LDAP's and prevents both spring-data-commons-core and
   spring-data-commons from being on the classpath
 - All Servlet API dependencies have been updated to use the official
   artifact with all transitive dependencies on unofficial servlet API
   artifacts being excluded.
 - In places, groovy has been replaced with groovy-all. This removes
   some duplicates caused by groovy's transitive dependencies.
 - JUnit has been updated to 4.11 which brings its transitive Hamcrest
   dependency into line with other components.

There appears to be a bug in Gradle which means that some exclusions
applied to an artifact do not work reliably. To work around this
problem it has been necessary to apply some exclusions at the
configuration level.

Conflicts:
	samples/messages-jc/pom.xml
2014-04-02 09:47:26 -05:00
Rob Winch 9988fa141c Update Spring Security version in pom.xml 2014-03-06 08:13:52 -06:00
Rob Winch 6be4e3a9fc SEC-2506: Remove Bundlor Support 2014-03-05 13:32:16 -06:00
Rob Winch de4ed136ea Fix spring4 test 2014-02-19 16:13:30 -06:00
Rob Winch 7f99a2dfbb SEC-2487: Update to Spring 3.2.8.RELEASE 2014-02-19 09:30:40 -06:00
Rob Winch ec8b48150d SEC-2474: Update poms 2014-02-07 17:01:11 -06:00
Rob Winch a34178bc40 SEC-2434: Update to Spring 3.2.6 and Spring 4.0 GA 2013-12-12 08:16:59 -06:00
Rob Winch 4460e84b29 Updates to pom.xml author and repo 2013-12-09 08:57:30 -06:00
Rob Winch 2c8946c406 Next development version 2013-11-01 14:20:55 -05:00
Spring Buildmaster 9c703a3051 Release version 3.2.0.RC2 2013-11-01 14:20:49 -05:00
Rob Winch 88f41cdf62 SEC-2341: Update to Gradle 1.8
Some dependencies were necessary to update due to issues with JUnit
integration.
2013-09-24 15:35:51 -05:00
Rob Winch 3d2f23602f SEC-2294: Update Spring Version to 3.2.4.RELEASE 2013-08-31 11:26:43 -05:00
Rob Winch aca2e4ff3a SEC-2289: Add spring4Test 2013-08-27 16:43:10 -05:00
Rob Winch 976d9a9016 SEC-2194: Polish java config sample apps 2013-08-08 14:33:54 -05:00
Rob Winch 5e6ca12b01 SEC-2097: Update integrationTestCompile to use optional and provided
Also update slf4j version and remove explicit commons-logging from pom generation
2013-07-16 15:59:06 -05:00
Rob Winch 02551e1b7a SEC-2214: Update Spring Version 2013-07-16 15:15:47 -05:00
Rob Winch faa8b354b7 SEC-2209: add pom.xml 2013-07-16 15:15:47 -05:00
Luke Taylor 743960d2d8 SEC-2122: Fix broken integration tests.
Modified BCryptPasswordEncoder to no longer throw an
IllegalArgumentException when the encoded password is empty or
the incorrect format for bcrypt. Instead it now logs a warning
that non bcrypt data was found.

The Dms integration tests were failing after being changed to
use bcrypt and this fixes the issue.
2013-05-21 23:13:08 +01:00
Luke Taylor d6524feb62 SEC-2122: Change doc to prioritize bcrypt use 2013-05-17 18:42:47 +01:00
Rob Winch 4fabe939d0 SEC-2035: Add template.mf to crypto 2012-08-17 14:13:56 -05:00
Rob Winch a6bded86c2 SEC-1990: Polishing code cleanup on BCrypt
- Formatting
- Renamed test to be BCryptTests to better align with Spring Security's naming conventions
2012-07-05 14:12:14 -05:00
Joseph Walton 14a5135ac3 SEC-1990: Clean up jBCrypt and include its tests.
Merge in changes from jBCrypt.
- Use a ByteArrayOutputStream to cache bytes.
- Pass a StringBuilder into encode_base64.
- Refactor string comparison into its own method.
- General clean up.
2012-07-05 14:04:39 -05:00
Luke Taylor 3760d792ea SEC-1890: Add checks for validity of stored bcrypt hash
When checking for a match, the BCryptPasswordEncoder validates
the stored hash against a pattern to check that it actually is
a bcrypt value.
2012-02-22 14:36:13 +00:00
Dave Syer 8565116f20 SEC-1472: Add crypto wrappers for BCrypt 2011-11-02 18:10:19 +00:00
Luke Taylor 45d938566c Some tests for Base64 encoding. 2011-08-12 19:44:27 +01:00
Luke Taylor 89b7b2b935 SEC-1764: Remove use of Java 6 method Arrays.copyOfRange. 2011-06-15 11:22:17 +01:00
Luke Taylor e27f655e9d SEC-1689: Re-instate crypto as separate library (for use in non-Spring Security apps), as well as packaging with core. 2011-06-10 00:01:25 +01:00
Luke Taylor 50828cdd43 SEC-1689: Move crypto module code to core for simplicity. 2011-03-10 18:58:47 +00:00
Rob Winch 8c08eeb57b SEC-1666: Use constant time comparison for sensitive data.
Constant time comparison helps to mitigate timing attacks. See the following links for more information:

 * http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
 * http://en.wikipedia.org/wiki/Timing_attack
2011-01-31 23:03:51 -06:00
Rob Winch 2e822e9abe SEC-1659: Ensure that Digester is returning digest(digest(value)...) instead of digesting the same value multiple times.
Make it so that the Digester returns digest(digest(value)...) instead of digesting the same value multiple times. This
aligns with the OWASP recommendations at http://www.owasp.org/index.php/Hashing_Java#Hardening_against_the_attacker.27s_attack
2011-01-30 22:30:01 -06:00
Luke Taylor 6b1b012e2c Added check for maximum AES key size in crypto.gradle to skip tests if limited strength crypto policy files are in place. 2011-01-20 02:13:33 +00:00
Luke Taylor 594f6694bb Add logging of jdk version to crypto build file 2011-01-20 01:31:30 +00:00
Luke Taylor d686f64f26 Skip EncryptorsTests when using <JDK 1.6 as AES isn't available 2011-01-19 23:43:13 +00:00
Luke Taylor 162cb64baa SEC-1659: Label crypto utils package as only for internal use. 2011-01-19 18:19:58 +00:00
Keith Donald b646e44646 SEC-1659: fixed bundlor step of build 2011-01-19 18:17:03 +00:00
Keith Donald ea76efdb2c SEC-1659: favor AES encryption instead of DES as standard symmetric encryption algorithm 2011-01-19 18:17:02 +00:00
Keith Donald ffa7301e7f SEC-1569: initial commit of spring-security-crypto module, consisting of encrypt, keygen, password, and util packages 2011-01-19 18:17:02 +00:00