Class SafeBcryptPasswordEncoder

java.lang.Object
org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
com.alibaba.nacos.plugin.auth.impl.SafeBcryptPasswordEncoder
All Implemented Interfaces:
org.springframework.security.crypto.password.PasswordEncoder

public class SafeBcryptPasswordEncoder extends org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
BCrypt encoder that fixes the password length vulnerability.

Problem solved: When a password is longer than 72 characters, the original BCryptPasswordEncoder compares only the first 72 characters, so different passwords can be validated as matching (e.g., the passwords "A".repeat(73) and "A".repeat(80) would be considered identical).

Fix logic: Adds a length check in matches(CharSequence, String); if the raw password is longer than 72 characters, the method returns false immediately without delegating to the bcrypt comparison.

Recommendation: Also validate password length during user registration and password changes, so that existing accounts are not left with over-long passwords that can no longer log in once this check is in place.
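The following is an added example, not code from the Nacos project, that shows the pattern this class describes: a subclass of Spring Security's BCryptPasswordEncoder that rejects any candidate password longer than 72 characters in matches() before bcrypt can truncate it, plus the registration-time length check the recommendation above asks for. The class name LengthCheckedBcryptEncoder, the constant MAX_PASSWORD_LENGTH and the method encodeChecked are hypothetical, and the demo in main() assumes a Spring Security version whose bcrypt implementation silently truncates at 72 characters, as the page describes.

```java
// Added example (not Nacos's own SafeBcryptPasswordEncoder): reject over-long
// candidates instead of letting bcrypt silently compare only the first 72 characters.
// Assumes spring-security-crypto on the classpath; names below are hypothetical.
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class LengthCheckedBcryptEncoder extends BCryptPasswordEncoder {

    /** bcrypt uses only the first 72 characters of its input (hypothetical constant name). */
    static final int MAX_PASSWORD_LENGTH = 72;

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        if (rawPassword == null || encodedPassword == null) {
            return false;
        }
        // A candidate longer than 72 characters can never equal a password accepted
        // under this policy, so refuse it outright rather than comparing a truncated prefix.
        if (rawPassword.length() > MAX_PASSWORD_LENGTH) {
            return false;
        }
        return super.matches(rawPassword, encodedPassword);
    }

    /**
     * Registration / password-change path (hypothetical helper): enforce the same limit
     * before hashing so no stored hash is ever derived from a truncated password.
     */
    public String encodeChecked(CharSequence rawPassword) {
        if (rawPassword == null || rawPassword.length() > MAX_PASSWORD_LENGTH) {
            throw new IllegalArgumentException(
                    "password must not exceed " + MAX_PASSWORD_LENGTH + " characters");
        }
        return encode(rawPassword);
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder plain = new BCryptPasswordEncoder();
        LengthCheckedBcryptEncoder checked = new LengthCheckedBcryptEncoder();

        // Constructed demo values taken from the page's own example: 73 and 80 copies of "A".
        String pw73 = "A".repeat(73);
        String pw80 = "A".repeat(80);
        String hash = plain.encode(pw73);

        // Plain encoder: both candidates share the same first 72 characters, so bcrypt
        // treats them as the same password.
        System.out.println("plain   matches(80 x A): " + plain.matches(pw80, hash));
        // Length-checked encoder: any candidate over 72 characters is rejected before
        // bcrypt runs, including the 73-character original (hence the registration check).
        System.out.println("checked matches(80 x A): " + checked.matches(pw80, hash));
        System.out.println("checked matches(73 x A): " + checked.matches(pw73, hash));

        // The registration-time check refuses to create such a hash in the first place.
        try {
            checked.encodeChecked(pw73);
        } catch (IllegalArgumentException e) {
            System.out.println("encodeChecked rejected: " + e.getMessage());
        }
    }
}
```

Note that the 73-character password that was stored before the check existed now fails to match under the length-checked encoder; that is exactly the "historical data" problem the recommendation warns about, and why the limit must be enforced at registration as well as at login.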

Author:
linwumignshi
  • Nested Class Summary

    Nested classes/interfaces inherited from class org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder

    org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.BCryptVersion
  • Constructor Summary

    Constructors
    Constructor
    Description
    SafeBcryptPasswordEncoder()
  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    matches(CharSequence rawPassword, String encodedPassword)

    Methods inherited from class org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder

    encode, upgradeEncoding

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SafeBcryptPasswordEncoder

      public SafeBcryptPasswordEncoder()
  • Method Details

    • matches

      public boolean matches(CharSequence rawPassword, String encodedPassword)
      Specified by:
      matches in interface org.springframework.security.crypto.password.PasswordEncoder
      Overrides:
      matches in class org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder