Add password4j implementation of PasswordEncoder #17825


Open
mehrdadbozorgmehr wants to merge 5 commits into spring-projects:main
from mehrdadbozorgmehr:gh-17706

Conversation


@mehrdadbozorgmehr mehrdadbozorgmehr commented Aug 30, 2025

Closes gh-17706

Author

Here is my PR. I’d really appreciate any feedback or suggestions for improvements.
Thanks for your time and guidance 🙏
@rwinch

@mehrdadbozorgmehr mehrdadbozorgmehr changed the title from "Add Password4jPasswordEncoder for enhanced password hashing support" to "Add password4j implementation of PasswordEncoder" Sep 4, 2025
Member

@rwinch rwinch left a comment


Thank you for your PR @mehrdadbozorgmehr!

I've provided feedback inline. Once those get addressed, we will want to discuss updating the documentation.

mehrdadbozorgmehr reacted with thumbs up emoji
Member

@rwinch rwinch left a comment


Great progress! Thanks again for your PR.

I've added a few inline comments. Please also add documentation to docs/modules/ROOT/pages/features/authentication/password-storage.adoc and docs/modules/ROOT/pages/features/whats-new.adoc

mehrdadbozorgmehr reacted with heart emoji
Member

@rwinch rwinch left a comment


While we can reuse it as a base class for most of the algorithms, it looks like a single Password4jPasswordEncoder will not be possible. I've provided some feedback inline.

PS: Sorry for finding this late and reverting some of my previous feedback.

Author

Thanks for pointing this out. I’ve updated the design by making Password4jPasswordEncoder abstract and introducing algorithm-specific subclasses for the working implementations. I’ve also implemented a PBKDF2-specific encoder and Balloon hashing in this PR with proper salt handling.

@rwinch, please let me know if any additional adjustments are required.

@rwinch rwinch added the "in: crypto" and "type: enhancement" labels and removed the "status: waiting-for-triage" label Sep 12, 2025
@rwinch rwinch self-assigned this Sep 12, 2025
Member

@rwinch rwinch left a comment


Thank you for the changes. Overall they look good. Please:

  • Rebase to resolve the conflict
  • Add documentation including a whats-new.adoc entry that links to the newly added documentation
  • Create two tickets:
    • For the password4j implementations supporting the upgradeEncoding method
    • For the password4j implementations being able to match on the same algorithm when the algorithm contains different parameters. This can be done by using the static getInstanceFromHash(String) method on the implementation (e.g. BcryptFunction.getInstanceFromHash(String)). Note that not all implementations will be able to support this because not all hashes include the parameters in the resulting hash.

mehrdadbozorgmehr reacted with thumbs up emoji
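
The two follow-up items in the review comment above, sketched as an added example (not code from this PR or from Spring Security): a bcrypt encoder that rebuilds the function from the stored hash with BcryptFunction.getInstanceFromHash(String), so it matches hashes created with a different cost, and reports weaker hashes through upgradeEncoding. The class name ParameterAwareBcryptEncoder and the cost values 10 and 12 are assumptions for illustration.

```java
import com.password4j.BcryptFunction;
import com.password4j.Password;
import com.password4j.types.Bcrypt;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class for illustration; not one of the encoders added by the PR.
public class ParameterAwareBcryptEncoder implements PasswordEncoder {

    private final BcryptFunction current; // parameters used for new hashes

    public ParameterAwareBcryptEncoder(int logRounds) {
        this.current = BcryptFunction.getInstance(Bcrypt.B, logRounds);
    }

    @Override
    public String encode(CharSequence rawPassword) {
        return Password.hash(rawPassword).with(this.current).getResult();
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (rawPassword == null || encodedPassword == null || encodedPassword.isEmpty()) {
            return false;
        }
        try {
            // Verify with the version and cost stored in the hash, not the configured ones.
            BcryptFunction stored = BcryptFunction.getInstanceFromHash(encodedPassword);
            return Password.check(rawPassword, encodedPassword).with(stored);
        } catch (RuntimeException ex) {
            return false; // not a parseable bcrypt hash: fail closed
        }
    }

    @Override
    public boolean upgradeEncoding(String encodedPassword) {
        // A stored cost below the configured cost means the hash should be re-encoded.
        BcryptFunction stored = BcryptFunction.getInstanceFromHash(encodedPassword);
        return stored.getLogarithmicRounds() < this.current.getLogarithmicRounds();
    }

    public static void main(String[] args) {
        // Constructed sample: hash written at cost 10, verified by an encoder set to cost 12.
        String legacy = new ParameterAwareBcryptEncoder(10).encode("correct horse");
        PasswordEncoder encoder = new ParameterAwareBcryptEncoder(12);
        System.out.println(encoder.matches("correct horse", legacy)); // true
        System.out.println(encoder.upgradeEncoding(legacy));          // true
    }
}
```

This works for bcrypt because the version and cost are part of the encoded hash; as the comment notes, formats that do not carry their parameters cannot be handled this way.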
...hm selection and enhance documentation
Closes spring-projectsgh-17706
Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com>
Add Password4jPasswordEncoder for enhanced password hashing support
Signed-off-by: M.Bozorgmehr <m.bozorgmehr@emofid.com>
Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com>
Add Password4jPasswordEncoder for enhanced password hashing support
Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com>
Signed-off-by: Mehrdad <mehrdad.bozorgmehr@gmail.com>
Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com>
...hm selection and enhance documentation
Closes spring-projectsgh-17706
Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com>
Signed-off-by: Mehrdad <mehrdad.bozorgmehr@gmail.com>
Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com>
...ibrary
Closes spring-projectsgh-17706
Signed-off-by: Mehrdad <mehrdad.bozorgmehr@gmail.com>
Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com>
...rd encoders using Password4j library
Closes spring-projectsgh-17706
Signed-off-by: Mehrdad <mehrdad.bozorgmehr@gmail.com>
Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com>
...BCrypt, Scrypt, PBKDF2, and Balloon hashing
Closes spring-projectsgh-17706
Signed-off-by: M.Bozorgmehr <mehrdad.bozorgmehr@gmail.com>
Reviewers

@rwinch rwinch Awaiting requested review from rwinch

Labels
in: crypto, type: enhancement