Class SpringBasedHonoPasswordEncoder

  • All Implemented Interfaces:
    HonoPasswordEncoder

    public class SpringBasedHonoPasswordEncoder
    extends Object
    implements HonoPasswordEncoder
    A Spring Security based password encoder.

    The encoder supports matching of password hashes that have been created using one of the following hash functions:

    • sha-256
    • sha-512
    • bcrypt using the 2a salt format

    The encoder uses BCrypt for encoding passwords with a reasonable number of iterations.

    • Field Detail

      • DEFAULT_BCRYPT_STRENGTH

        public static final int DEFAULT_BCRYPT_STRENGTH
        The default Bcrypt strength setting.
        See Also:
        Constant Field Values
    • Constructor Detail

      • SpringBasedHonoPasswordEncoder

        public SpringBasedHonoPasswordEncoder()
        Creates a new encoder.

        This constructor will create a new SecureRandom as follows:

        1. try to create a SecureRandom using algorithm NativePRNGNonBlocking
        2. if that fails, create a default SecureRandom, i.e. without specifying an algorithm
        and then invoke SpringBasedHonoPasswordEncoder(SecureRandom, int).
        See Also:
        "https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/", "https://hackernoon.com/hack-how-to-use-securerandom-with-kubernetes-and-docker-a375945a7b21"
      • SpringBasedHonoPasswordEncoder

        public SpringBasedHonoPasswordEncoder(int bcryptStrength)
        Creates a new encoder.

        This constructor will create a new SecureRandom as follows:

        1. try to create a SecureRandom using algorithm NativePRNGNonBlocking
        2. if that fails, create a default SecureRandom, i.e. without specifying an algorithm
        and then invoke SpringBasedHonoPasswordEncoder(SecureRandom, int).
        Parameters:
        bcryptStrength - The strength to use for creating BCrypt hashes. Value must be >= 4 and <= 31. Note that a higher value will increase the time it takes to compute a hash. A value around 10 is considered a good compromise between security and computation time.
        See Also:
        "https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/", "https://hackernoon.com/hack-how-to-use-securerandom-with-kubernetes-and-docker-a375945a7b21"
      • SpringBasedHonoPasswordEncoder

        public SpringBasedHonoPasswordEncoder(SecureRandom rng,
                                              int bcryptStrength)
        Creates a new encoder for a random number generator.
        Parameters:
        rng - The random number generator to use.
        bcryptStrength - The strength to use for creating BCrypt hashes. Value must be >= 4 and <= 31. Note that a higher value will increase the time it takes to compute a hash. A value around 10 is considered a good compromise between security and computation time.
        Throws:
        NullPointerException - if the RNG is null.
        IllegalArgumentException - if BCrypt strength is < 4 or > 31.
    • Method Detail

      • encode

        public io.vertx.core.json.JsonObject encode(String rawPassword)
        Description copied from interface: HonoPasswordEncoder
        Computes a hash for a raw password.
        Specified by:
        encode in interface HonoPasswordEncoder
        Parameters:
        rawPassword - The clear text password to encode.
        Returns:
        A secret as defined by Hono's hashed-password credentials type. The secret contains the name of the hash function, (optional) salt and the password hash.
      • matches

        public boolean matches(String rawPassword,
                               io.vertx.core.json.JsonObject credentialsOnRecord)
        Description copied from interface: HonoPasswordEncoder
        Matches a given password against credentials on record.
        Specified by:
        matches in interface HonoPasswordEncoder
        Parameters:
        rawPassword - The clear text password to match.
        credentialsOnRecord - The hashed-password secret to match against.
        Returns:
        true if the password matches.
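As an added example (not part of Hono's own code or this Javadoc), the following shows the intended usage pattern: hash a password once at registration time, match a presented password against the stored secret later, and exercise the constructor checks described above. It assumes the class lives in package org.eclipse.hono.auth and that the returned secret uses the JSON field names "hash-function" and "pwd-hash", neither of which this page spells out.

```java
import java.security.SecureRandom;

import io.vertx.core.json.JsonObject;
import org.eclipse.hono.auth.SpringBasedHonoPasswordEncoder; // assumed package

public class PasswordEncoderExample {

    public static void main(final String[] args) {
        // strength 10 is the compromise the Javadoc recommends; a higher value
        // slows down legitimate logins and offline guessing alike
        final SpringBasedHonoPasswordEncoder encoder = new SpringBasedHonoPasswordEncoder(10);

        // registration: hash the clear-text password once and persist only the secret
        final JsonObject secret = encoder.encode("s3cret-device-pw");
        // field names are an assumption, not stated on this page
        System.out.println("hash function: " + secret.getString("hash-function"));
        System.out.println("stored hash:   " + secret.getString("pwd-hash"));

        // authentication: compare a presented password against the secret on record
        System.out.println("correct password matches: " + encoder.matches("s3cret-device-pw", secret));
        System.out.println("wrong password matches:   " + encoder.matches("guess", secret));

        // constructor validation: a strength outside 4..31 is rejected
        try {
            new SpringBasedHonoPasswordEncoder(3);
        } catch (final IllegalArgumentException e) {
            System.out.println("rejected strength 3: " + e.getMessage());
        }

        // the two-argument constructor requires a caller-supplied RNG
        try {
            new SpringBasedHonoPasswordEncoder((SecureRandom) null, 10);
        } catch (final NullPointerException e) {
            System.out.println("rejected null RNG");
        }
    }
}
```

The same matches call also accepts secrets created earlier with sha-256 or sha-512, so records hashed before a switch to BCrypt keep working without re-registration.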