[JAVA] Hash passwords with Spring Boot + Spring Security (with salt, with stretching)

Spring Security's Password Encoder makes it easy to generate salted + stretched hash values. This article is a sample.

environment

JDK:1.8 Spring Boot:1.5.3.RELEASE Spring Security:4.2.2.RELEASE

Spring Security PasswordEncoder Class Diagram It may be hard to see, but the class diagram of PasswordEncoder of Spring Security 4.2.2.RELEASE is as follows.

Spring Security PasswordEncoder Class Diagram1.png

There are six implementation classes for the PasswordEncoder interface.

PasswordEncoder implementation class Overview
AbstractPasswordEncoder -
NoOpPasswordEncoder Encoder without hashing(for test)
Pbkdf2PasswordEncoder Implementation of PasswordEncoder using PBKDF2 with configurable number of iterations and random 8-byte random salt value
StandardPasswordEncoder SHA-256 algorithms+Encoder that hashes with 1024 stretches
BCryptPasswordEncoder Encoder that performs hashing with the bcrypt algorithm
SCryptPasswordEncoder Encoder that performs hashing with the scrypt algorithm

In this article, I will use BCryptPasswordEncoder for hashing.

Hashing with BCryptPasswordEncoder

Add a Spring Security dependency.

pom.xml


<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-config</artifactId>
</dependency>

This time, CommandLineRunner is implemented as CLI.

SpringBootEncodeApplication.java


package com.example;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@SpringBootApplication
public class SpringBootEncodeApplication implements CommandLineRunner {

	@Autowired
	PasswordEncoder passwordEncoder;

	public static void main(String[] args) {
		SpringApplication.run(SpringBootEncodeApplication.class, args);
	}

	@Bean
	PasswordEncoder passwordEncoder() {
		return new BCryptPasswordEncoder();
	}

	@Override
	public void run(String... args) {

		String password = "#fe?3d31";
		String digest = passwordEncoder.encode(password);
		System.out.println("Hash value= " + digest);

		if (passwordEncoder.matches(password, digest)) {
			System.out.println("It matched");
			return;
		}
		System.out.println("It didn't match");
	}
}

Hash the plaintext password (password) using the PasswordEncoder's encode method. The hashed result is digest. Then use PasswordEncoder's matches method to match the plaintext password (password) with the hash value (digest) obtained by the encode method.

Execution result.


Hash value= $2a$10$im98CLRwtWohvPE6wZkYk.Os.RXZVF0iROJXL8vUn7TGrfWoixTdq
It matched

How to read the hash value

The hash value generated above is as follows.

$2a$10$im98CLRwtWohvPE6wZkYk.Os.RXZVF0iROJXL8vUn7TGrfWoixTdq

The view is as follows.

Character location String Overview
1st to 3rd characters $2a The version number of bcrypt.
4th to 6th characters $10 Stretching frequency(Number of iterations of hashing operation)Will be. The number of times is 2 to the nth power. Therefore, in this example, 2^10=It will be 1024 times.
7th to 29th characters $im98CLRwtWohvPE6wZkYk. Salt value.
30th to last Os.RXZVF0iROJXL8vUn7TGrfWoixTdq Password body.

As mentioned above, you can use Spring Security's PasswordEncoder to generate salt + stretched hash values, and you can easily match them with plaintext passwords.

Recommended Posts

Hash passwords with Spring Boot + Spring Security (with salt, with stretching)
Achieve BASIC authentication with Spring Boot + Spring Security
Try LDAP authentication with Spring Security (Spring Boot) + OpenLDAP
[Introduction to Spring Boot] Authentication function with Spring Security
Download with Spring Boot
Create Spring Cloud Config Server with security with Spring Boot 2.0
Spring Security usage memo: Cooperation with Spring MVC and Boot
Spring Boot with Spring Security Filter settings and addictive points
Implement a simple Rest API with Spring Security with Spring Boot 2.0
Handle passwords hashed with BCryptPasswordEncoder in Spring Security in Perl
Create a simple demo site with Spring Security with Spring Boot 2.1
Generate barcode with Spring Boot
Implement GraphQL with Spring Boot
Get started with Spring boot
Hello World with Spring Boot!
Run LIFF with Spring Boot
SNS login with Spring Boot
File upload with Spring Boot
Spring Boot starting with copy
Login function with Spring Security
Spring Boot starting with Docker
Hello World with Spring Boot
Set cookies with Spring Boot
Use Spring JDBC with Spring Boot
Add module with Spring Boot
Getting Started with Spring Boot
Try using Spring Boot Security
Create microservices with Spring Boot
Send email with spring boot
Implement a simple Rest API with Spring Security & JWT with Spring Boot 2.0
Use Basic Authentication with Spring Boot
gRPC on Spring Boot with grpc-spring-boot-starter
Implemented authentication function with Spring Security ③
Create an app with Spring Boot 2
Hot deploy with Spring Boot development
Database linkage with doma2 (Spring boot)
Spring Boot Tutorial Using Spring Security Authentication
Spring Boot programming with VS Code
Until "Hello World" with Spring Boot
Inquiry application creation with Spring Boot
Implemented authentication function with Spring Security ①
Get validation results with Spring Boot
(Intellij) Hello World with Spring Boot
Create an app with Spring Boot
Google Cloud Platform with Spring Boot 2.0.0
Check date correlation with Spring Boot
I tried GraphQL with Spring Boot
[Java] LINE integration with Spring Boot
Beginning with Spring Boot 0. Use Spring CLI
I tried Flyway with Spring Boot
Authentication / authorization with Spring Security & Thymeleaf
Message cooperation started with Spring Boot
Spring Boot gradle build with Docker
I implemented an OAuth client with Spring Boot / Security (LINE login)
Part 1: Try using OAuth 2.0 Login supported by Spring Security 5 with Spring Boot
Processing at application startup with Spring Boot
How to read Body of Request multiple times with Spring Boot + Spring Security
Hello World with Eclipse + Spring Boot + Maven
Send regular notifications with LineNotify + Spring Boot
Perform transaction confirmation test with Spring Boot
DB authentication with Spring Security & hashing with BCrypt