In the latest released version, Spring Security 5, the PasswordEncoder implementations and their usage policies were adjusted for security reasons.
1. The previously used implementations such as StandardPasswordEncoder and MessageDigestPasswordEncoder are no longer recommended; they are all marked @Deprecated, and the deprecation notes give specific instructions.
Recommended instead are BCryptPasswordEncoder, Pbkdf2PasswordEncoder, SCryptPasswordEncoder, etc.
2. A new class, PasswordEncoderFactories, provides the static method createDelegatingPasswordEncoder(), which creates a PasswordEncoder implementation that delegates to other encoders.
Inside this method, BCryptPasswordEncoder is in fact used as the default implementation (I think this is what the Spring Security team recommends).
3. The handling of the encryption salt (salt value) changed. Previously the salt value was usually specified by the user; a configuration example is as follows:
In the new usage, the salt is handled by the implementation class itself (e.g., using randomly generated values). The BCryptPasswordEncoder implementation is described as follows:
As shown, when encoding, the salt is generated randomly by the encoder, either from the specified strength and random source or from a default random source.
For example, encoding the password admin twice with bcrypt gives two different results:
$2a$10$OEaUDkvTlWY/BpoAL7f.H.X7Cz9x3OR3pfWv5wasidP4B7izvyRy6
$2a$10$BBFV5eyg4YoBLThOzi1bDO0WYDBCzcLq3ISokgzxCB/CM0YTXHrha
which also shows the effect of the salt.
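The following is an added example (not code from the original post) showing the delegating encoder in practice: two encodings of the same password differ but both verify, a legacy bcrypt hash stored without the "{id}" prefix (like the two values above) is rejected by the default delegating encoder, and a migration setup that still verifies such hashes. It assumes Spring Security 5.1 or later for upgradeEncoding().

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEncoderDemo {

    public static void main(String[] args) {
        // 1. The Spring Security 5 default: a DelegatingPasswordEncoder that
        //    encodes with bcrypt and prefixes the result with "{bcrypt}".
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        String first = encoder.encode("admin");
        String second = encoder.encode("admin");
        System.out.println(first);   // e.g. {bcrypt}$2a$10$...
        System.out.println(second);  // a different string: the salt is random per call
        System.out.println(first.equals(second));             // false
        System.out.println(encoder.matches("admin", first));  // true
        System.out.println(encoder.matches("admin", second)); // true

        // 2. A legacy hash produced directly by BCryptPasswordEncoder (same format as
        //    the example hashes above) carries no "{id}" prefix. The delegating encoder
        //    cannot tell which algorithm produced it and throws instead of matching.
        String legacyHash = new BCryptPasswordEncoder(10).encode("admin");
        try {
            encoder.matches("admin", legacyHash);
        } catch (IllegalArgumentException e) {
            System.out.println("unprefixed hash rejected: " + e.getMessage());
        }

        // 3. Migration: keep "bcrypt" as the id for new encodings, but tell the
        //    delegating encoder how to verify stored hashes that have no prefix.
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder(10, new SecureRandom()));
        DelegatingPasswordEncoder migrating = new DelegatingPasswordEncoder("bcrypt", encoders);
        migrating.setDefaultPasswordEncoderForMatches(new BCryptPasswordEncoder());

        System.out.println(migrating.matches("admin", legacyHash));  // true
        // upgradeEncoding() reports true for a hash without the "{id}" prefix,
        // so after a successful login the stored value can be re-encoded.
        System.out.println(migrating.upgradeEncoding(legacyHash));   // true
        String upgraded = migrating.encode("admin");
        System.out.println(upgraded.startsWith("{bcrypt}"));         // true
    }
}
```

Re-encoding on login (step 3) is how existing unprefixed hashes are moved to the new "{id}" format without forcing a password reset.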
The above is a summary of the PasswordEncoder changes in Spring Security 5; I hope it is useful to you.
Of course, you can also extend the classes Spring Security provides to implement your own, more secure PasswordEncoder.
Original address: http://andaily.com/blog/?p=927