/*
 * =============================================================================
 * 
 *   Copyright (c) 2007, The JASYPT team (http://www.jasypt.org)
 * 
 *   Licensed under the Apache License, Version 2.0 (the "License");
 *   you may not use this file except in compliance with the License.
 *   You may obtain a copy of the License at
 * 
 *       http://www.apache.org/licenses/LICENSE-2.0
 * 
 *   Unless required by applicable law or agreed to in writing, software
 *   distributed under the License is distributed on an "AS IS" BASIS,
 *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *   See the License for the specific language governing permissions and
 *   limitations under the License.
 * 
 * =============================================================================
 */
package org.jasypt.springsecurity;

import org.jasypt.digest.StringDigester;
import org.jasypt.exceptions.EncryptionInitializationException;
import org.jasypt.util.password.BasicPasswordEncryptor;
import org.jasypt.util.password.PasswordEncryptor;


This class implements the Spring Security (ACEGI) org.acegisecurity.providers.encoding.PasswordEncoder interface, allowing Spring Security-enabled applications to use JASYPT for password encryption.

Objects of this class will internally hold either an object of type org.jasypt.util.password.PasswordEncryptor or an object of type org.jasypt.digest.StringDigester (only one of them), which should be set by calling setPasswordEncryptor(org.jasypt.util.password.PasswordEncryptor) or setStringDigester(org.jasypt.digest.StringDigester), respectively, after creation. If neither a PasswordEncryptor nor a StringDigester is set, a new org.jasypt.util.password.BasicPasswordEncryptor object is created and used internally.

Important: This implementation ignores any salt provided through the interface methods, as the internal Jasypt PasswordEncryptor or StringDigester objects normally use a random one. This means that salt can be safely passed as null.

Usage with a PasswordEncryptor

This class can be used like this from your Spring XML resource files:

  ...
  <!-- Your application may use the PasswordEncryptor in several places, --> 
  <!-- like for example at new user sign-up.                             --> 
  <bean id="jasyptPasswordEncryptor" class="org.jasypt.util.password.StrongPasswordEncryptor" />
  ...
  ...
  <!-- This Spring Security-friendly PasswordEncoder implementation will -->
  <!-- wrap the PasswordEncryptor instance so that it can be used from   -->
  <!-- the security framework.                                           -->
  <bean id="passwordEncoder" class="org.jasypt.springsecurity.PasswordEncoder">
    <property name="passwordEncryptor">
      <ref bean="jasyptPasswordEncryptor" />
    </property>
  </bean>
  ...
  ...
  <!-- Your DaoAuthenticationProvider will then use it like with any     -->
  <!-- other implementation of the PasswordEncoder interface.            -->
  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="passwordEncoder">
        <ref bean="passwordEncoder" />
      </property>
  </bean>
  ...
 

Usage with a StringDigester

This class can be used like this from your Spring XML resource files:

  ...
  <!-- Your application may use the StringDigester in several places,    --> 
  <!-- like for example at new user sign-up.                             --> 
  <bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester" >
    <property name="algorithm" value="SHA-1" />
    <property name="iterations" value="100000" />
  </bean>
  ...
  ...
  <!-- This Spring Security-friendly PasswordEncoder implementation will -->
  <!-- wrap the StringDigester instance so that it can be used from      -->
  <!-- the security framework.                                           -->
  <bean id="passwordEncoder" class="org.jasypt.springsecurity.PasswordEncoder">
    <property name="stringDigester">
      <ref bean="jasyptStringDigester" />
    </property>
  </bean>
  ...
  ...
  <!-- Your DaoAuthenticationProvider will then use it like with any     -->
  <!-- other implementation of the PasswordEncoder interface.            -->
  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="userDetailsService"/>
      <property name="passwordEncoder">
        <ref bean="passwordEncoder" />
      </property>
  </bean>
  ...
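
The salt behaviour described above, as an added example that is not part of the Jasypt source: it wires this PasswordEncoder to a StandardStringDigester configured like the XML bean and shows why stored digests must be verified with isPasswordValid rather than by re-encoding and comparing strings. The class name SaltIgnoredDemo and the sample passwords are constructed; Jasypt and Acegi Security are assumed to be on the classpath.

```java
import org.jasypt.digest.StandardStringDigester;
import org.jasypt.springsecurity.PasswordEncoder;

// Added example (not Jasypt source). Class name and sample values are constructed.
public class SaltIgnoredDemo {

    static void check(boolean condition, String what) {
        if (!condition) {
            throw new IllegalStateException("unexpected: " + what);
        }
    }

    public static void main(String[] args) {
        // Same settings as the jasyptStringDigester bean in the XML above.
        StandardStringDigester digester = new StandardStringDigester();
        digester.setAlgorithm("SHA-1");
        digester.setIterations(100000);

        PasswordEncoder encoder = new PasswordEncoder();
        encoder.setStringDigester(digester);

        String raw = "correct horse battery staple"; // constructed sample

        // The salt argument is ignored: null and an arbitrary object behave alike.
        String stored1 = encoder.encodePassword(raw, null);
        String stored2 = encoder.encodePassword(raw, "caller-supplied-salt");

        // Each call draws a fresh random salt, so the two digests differ.
        check(!stored1.equals(stored2), "digests of the same password are equal");

        // Re-encoding and comparing strings would therefore reject a correct password.
        check(!encoder.encodePassword(raw, null).equals(stored1), "re-encoding matched");

        // Verification goes through isPasswordValid, which recovers the salt
        // from the stored digest. The salt argument is ignored here too.
        check(encoder.isPasswordValid(stored1, raw, null), "stored1 rejected");
        check(encoder.isPasswordValid(stored2, raw, new Object()), "stored2 rejected");
        check(!encoder.isPasswordValid(stored1, "wrong password", null),
                "wrong password accepted");

        System.out.println("stored1 = " + stored1);
        System.out.println("stored2 = " + stored2);
    }
}
```
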
 

This class is thread-safe.

Author(s):
Daniel Fernández Garrido
Since:
1.2
public class PasswordEncoder 
        implements org.acegisecurity.providers.encoding.PasswordEncoder {
    // The password encryptor or string digester to be internally used
    private PasswordEncryptor passwordEncryptor = null;
    private StringDigester stringDigester = null;
    private Boolean useEncryptor = null;
    
    
    
Creates a new instance of PasswordEncoder
    public PasswordEncoder() {
        super();
    }
    

    
Sets a password encryptor to be used. Only one of setPasswordEncryptor or setStringDigester should be called. If both are, the last call will define which method will be used.

Parameters:
passwordEncryptor the password encryptor instance to be used.
    public void setPasswordEncryptor(PasswordEncryptor passwordEncryptor) {
        this.passwordEncryptor = passwordEncryptor;
        this.useEncryptor = Boolean.TRUE;
    }

    
Sets a string digester to be used. Only one of setPasswordEncryptor or setStringDigester should be called. If both are, the last call will define which method will be used.

Parameters:
stringDigester the string digester instance to be used.
    public void setStringDigester(StringDigester stringDigester) {
        this.stringDigester = stringDigester;
        this.useEncryptor = Boolean.FALSE;
    }

    
    
Encodes a password. This implementation completely ignores salt, as jasypt's PasswordEncryptor and StringDigester normally use a random one. Thus, it can be safely passed as null.

Parameters:
rawPass The password to be encoded.
salt The salt, which will be ignored. It can be null.
    public String encodePassword(String rawPass, Object salt) {
        checkInitialization();
        if (this.useEncryptor.booleanValue()) {
            return this.passwordEncryptor.encryptPassword(rawPass);
        } else {
            return this.stringDigester.digest(rawPass);
        }
    }


    
Checks a password's validity. This implementation completely ignores salt, as jasypt's PasswordEncryptor and StringDigester normally use a random one. Thus, it can be safely passed as null.

Parameters:
encPass The encrypted password (digest) against which to check.
rawPass The password to be checked.
salt The salt, which will be ignored. It can be null.
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        checkInitialization();
        if (this.useEncryptor.booleanValue()) {
            return this.passwordEncryptor.checkPassword(rawPass, encPass);
        } else {
            return this.stringDigester.matches(rawPass, encPass);
        }
    }
    /*
     * Checks that the PasswordEncoder has been correctly initialized
     * (either a password encryptor or a string digester has been set).
     */
    private synchronized void checkInitialization() {
        if (this.useEncryptor == null) {
            // Neither setter was called: fall back to a BasicPasswordEncryptor
            this.passwordEncryptor = new BasicPasswordEncryptor();
            this.useEncryptor = Boolean.TRUE;
        } else {
            if (this.useEncryptor.booleanValue()) {
                if (this.passwordEncryptor == null) {
                    throw new EncryptionInitializationException(
                            "Password encoder not initialized: password " +
                            "encryptor is null");
                }
            } else {
                if (this.stringDigester == null) {
                    throw new EncryptionInitializationException(
                            "Password encoder not initialized: string " +
                            "digester is null");
                }
            }
        }
    }

}