OK, this encryption mechanism is fairly involved, so let's look at it more closely:
3.1. The new PasswordEncoder class hierarchy in version 3.1.0
Starting with the Spring Security 3.1.0 release, the password package in the spring-security-crypto module provides support for stronger password hashing. It also has a PasswordEncoder interface, defined as follows.
Java code
public interface PasswordEncoder {
    // hashes a raw password with a fresh random salt; returns the stored form
    String encode(CharSequence rawPassword);
    // re-hashes rawPassword with the salt taken from encodedPassword and compares
    boolean matches(CharSequence rawPassword, String encodedPassword);
}
Two methods are defined: encode hashes a raw password, and matches checks whether a raw password corresponds to a stored encoded password, returning true if it does. Compared with the PasswordEncoder interface in the authentication.encoding package, this is much simpler.
The StandardPasswordEncoder class in the org.springframework.security.crypto.password package is the (only) implementation of this PasswordEncoder interface and is the core of the encryption method described in this article. It uses the SHA-256 algorithm, iterated 1024 times, to hash the original password together with a key (the site-wide secret) and an 8-bit random salt.
The random salt ensures that hashing the same password multiple times produces a different hash each time. The key should be stored separately from the password hashes; hashing with a key, plus running the hash algorithm 1024 times, strengthens the scheme so that brute force is more difficult.
Compared with the previous version of PasswordEncoder, the benefits are obvious: the salt is not supplied by the user but generated randomly on every call, and the password goes through multiple layers of protection (iterated SHA algorithm + key + random salt), greatly increasing the difficulty of cracking it.
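To make the mechanism concrete, here is an added example that is not code from the original post or from Spring Security: a small Python re-implementation of the scheme the text describes (SHA-256 run 1024 times over the site-wide secret, a random salt and the password, with the salt stored in front of the hash so that matches can recover it). The concatenation order of salt, secret and password, the salt being 8 bytes, and the hex salt-plus-hash output layout are assumptions made for this demo and have not been checked against Spring's source; the class and function names are mine. Use the real StandardPasswordEncoder in an application; this is only to show why repeated encodings differ yet all verify.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 1024   # from the text: SHA-256 iterated 1024 times
SALT_LEN = 8        # assumption: the "8" random salt is 8 bytes
DIGEST_LEN = 32     # SHA-256 produces 32 bytes


def iterated_sha256(salt: bytes, secret: bytes, raw_password: str) -> bytes:
    """Hash salt || secret || password with SHA-256, then keep re-hashing the
    result until 1024 digests have been computed (input layout is an assumption)."""
    value = salt + secret + raw_password.encode("utf-8")
    for _ in range(ITERATIONS):
        value = hashlib.sha256(value).digest()
    return value


class DemoStandardPasswordEncoder:
    """Hypothetical re-implementation of the encode/matches pair described above."""

    def __init__(self, site_wide_secret: str) -> None:
        # The key lives in application configuration, separate from the stored hashes.
        self._secret = site_wide_secret.encode("utf-8")

    def encode(self, raw_password: str, salt: Optional[bytes] = None) -> str:
        # A fresh random salt per call is what makes repeated encodings differ.
        # The salt parameter exists only so tests can make the output deterministic.
        if salt is None:
            salt = os.urandom(SALT_LEN)
        if len(salt) != SALT_LEN:
            raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
        digest = iterated_sha256(salt, self._secret, raw_password)
        # Stored form (assumed layout): hex(salt || digest), 80 hex characters.
        return (salt + digest).hex()

    def matches(self, raw_password: str, encoded_password: str) -> bool:
        # Reject anything that is not a well-formed salt+digest blob.
        try:
            decoded = bytes.fromhex(encoded_password)
        except ValueError:
            return False
        if len(decoded) != SALT_LEN + DIGEST_LEN:
            return False
        salt, stored = decoded[:SALT_LEN], decoded[SALT_LEN:]
        recomputed = iterated_sha256(salt, self._secret, raw_password)
        # Constant-time comparison so a mismatch does not leak where it differed.
        return hmac.compare_digest(stored, recomputed)


def demo() -> dict:
    """Repeated encodings differ yet all verify; a wrong password or a
    different site-wide secret fails verification."""
    encoder = DemoStandardPasswordEncoder("My-secret-key")  # constructed secret
    raw = "Each time the results are not the same"          # constructed input
    encodings = [encoder.encode(raw) for _ in range(5)]
    return {
        "all_distinct": len(set(encodings)) == 5,
        "all_match": all(encoder.matches(raw, e) for e in encodings),
        "wrong_password": encoder.matches("not the password", encodings[0]),
        "wrong_secret": DemoStandardPasswordEncoder("other-key").matches(raw, encodings[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points worth noticing: the salt is not secret and travels with the hash, while the site-wide secret never appears in the stored value, so a leaked password table alone is not enough to verify guesses offline; and the comparison in matches is constant-time, which the interface's boolean return makes easy to get wrong if implemented with a plain equality check.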
OK, here's how we can test it:
Java code
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

/**
 * @author Xuyi
 * Spring Security 3.1 PasswordEncoder
 */
public class EncryptUtil {
    // obtained from the configuration file
    private static final String SITE_WIDE_SECRET = "My-secret-key";
    private static final PasswordEncoder encoder = new StandardPasswordEncoder(
            SITE_WIDE_SECRET);

    // hash a raw password; a new random salt is generated on every call
    public static String encrypt(String rawPassword) {
        return encoder.encode(rawPassword);
    }

    // check a raw password against a previously stored hash
    public static boolean match(String rawPassword, String password) {
        return encoder.matches(rawPassword, password);
    }

    public static void main(String[] args) {
        String raw = "Each time the results are not the same";
        String first = EncryptUtil.encrypt(raw);
        System.out.println(first);
        System.out.println(EncryptUtil.encrypt(raw));
        System.out.println(EncryptUtil.encrypt(raw));
        System.out.println(EncryptUtil.encrypt(raw));
        System.out.println(EncryptUtil.encrypt(raw));
        // But take any of these results and match it against the raw password,
        // and you'll find that you get true.
        System.out.println(EncryptUtil.match(raw, first));
    }
}
Powerful cryptographic tools in Spring Security 3.1: PasswordEncoder