Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
HashingPasswordService |
|
| 1.0;1 |
1 | /* | |
2 | * Licensed to the Apache Software Foundation (ASF) under one | |
3 | * or more contributor license agreements. See the NOTICE file | |
4 | * distributed with this work for additional information | |
5 | * regarding copyright ownership. The ASF licenses this file | |
6 | * to you under the Apache License, Version 2.0 (the | |
7 | * "License"); you may not use this file except in compliance | |
8 | * with the License. You may obtain a copy of the License at | |
9 | * | |
10 | * http://www.apache.org/licenses/LICENSE-2.0 | |
11 | * | |
12 | * Unless required by applicable law or agreed to in writing, | |
13 | * software distributed under the License is distributed on an | |
14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
15 | * KIND, either express or implied. See the License for the | |
16 | * specific language governing permissions and limitations | |
17 | * under the License. | |
18 | */ | |
19 | package org.apache.shiro.authc.credential; | |
20 | ||
21 | import org.apache.shiro.crypto.hash.Hash; | |
22 | import org.apache.shiro.util.ByteSource; | |
23 | ||
24 | /** | |
25 | * A {@code HashingPasswordService} is a {@link PasswordService} that performs password encryption and comparisons | |
26 | * based on cryptographic {@link Hash}es. | |
27 | * | |
28 | * @since 1.2 | |
29 | */ | |
30 | public interface HashingPasswordService extends PasswordService { | |
31 | ||
32 | /** | |
33 | * Hashes the specified plaintext password using internal hashing configuration settings pertinent to password | |
34 | * hashing. | |
35 | * <p/> | |
36 | * Note | |
37 | * that this method is only likely to be used in more complex environments that wish to format and/or save the | |
38 | * returned {@code Hash} object in a custom manner. Most applications will find the | |
39 | * {@link #encryptPassword(Object) encryptPassword} method suitable enough for safety | |
40 | * and ease-of-use. | |
41 | * <h3>Usage</h3> | |
42 | * The input argument type can be any 'byte backed' {@code Object} - almost always either a | |
43 | * String or character array representing passwords (character arrays are often a safer way to represent passwords | |
44 | * as they can be cleared/nulled-out after use. Any argument type supported by | |
45 | * {@link ByteSource.Util#isCompatible(Object)} is valid. | |
46 | * <p/> | |
47 | * Regardless of your choice of using Strings or character arrays to represent submitted passwords, you can wrap | |
48 | * either as a {@code ByteSource} by using {@link ByteSource.Util}, for example, when the passwords are captured as | |
49 | * Strings: | |
50 | * <pre> | |
51 | * ByteSource passwordBytes = ByteSource.Util.bytes(submittedPasswordString); | |
52 | * Hash hashedPassword = hashingPasswordService.hashPassword(passwordBytes); | |
53 | * </pre> | |
54 | * or, identically, when captured as a character array: | |
55 | * <pre> | |
56 | * ByteSource passwordBytes = ByteSource.Util.bytes(submittedPasswordCharacterArray); | |
57 | * Hash hashedPassword = hashingPasswordService.hashPassword(passwordBytes); | |
58 | * </pre> | |
59 | * | |
60 | * @param plaintext the raw password as 'byte-backed' object (String, character array, {@link ByteSource}, | |
61 | * etc) usually acquired from your application's 'new user' or 'password reset' workflow. | |
62 | * @return the hashed password. | |
63 | * @throws IllegalArgumentException if the argument cannot be easily converted to bytes as defined by | |
64 | * {@link ByteSource.Util#isCompatible(Object)}. | |
65 | * @see ByteSource.Util#isCompatible(Object) | |
66 | * @see #encryptPassword(Object) | |
67 | */ | |
68 | Hash hashPassword(Object plaintext) throws IllegalArgumentException; | |
69 | ||
70 | /** | |
71 | * Returns {@code true} if the {@code submittedPlaintext} password matches the existing {@code savedPasswordHash}, | |
72 | * {@code false} otherwise. Note that this method is only likely to be used in more complex environments that | |
73 | * save hashes in a custom manner. Most applications will find the | |
74 | * {@link #passwordsMatch(Object, String) passwordsMatch(plaintext,string)} method | |
75 | * sufficient if {@link #encryptPassword(Object) encrypting passwords as Strings}. | |
76 | * <h3>Usage</h3> | |
77 | * The {@code submittedPlaintext} argument type can be any 'byte backed' {@code Object} - almost always either a | |
78 | * String or character array representing passwords (character arrays are often a safer way to represent passwords | |
79 | * as they can be cleared/nulled-out after use. Any argument type supported by | |
80 | * {@link ByteSource.Util#isCompatible(Object)} is valid. | |
81 | * | |
82 | * @param plaintext a raw/plaintext password submitted by an end user/Subject. | |
83 | * @param savedPasswordHash the previously hashed password known to be associated with an account. | |
84 | * This value is expected to have been previously generated from the | |
85 | * {@link #hashPassword(Object) hashPassword} method (typically | |
86 | * when the account is created or the account's password is reset). | |
87 | * @return {@code true} if the {@code plaintext} password matches the existing {@code savedPasswordHash}, | |
88 | * {@code false} otherwise. | |
89 | */ | |
90 | boolean passwordsMatch(Object plaintext, Hash savedPasswordHash); | |
91 | } |