include::../summary.adoc[]

== Why is this an issue?

include::../rationale.adoc[]

include::../impact.adoc[]

== How to fix it in Spring

=== Code examples

==== Noncompliant code example

The following code is vulnerable because it uses a legacy digest-based password
encoding that is not considered secure.

[source,java,diff-id=1,diff-type=noncompliant]
----
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
  auth.jdbcAuthentication()
    .dataSource(dataSource)
    .usersByUsernameQuery("SELECT * FROM users WHERE username = ?")
    .passwordEncoder(new StandardPasswordEncoder()); // Noncompliant
}
----

==== Compliant solution

[source,java,diff-id=1,diff-type=compliant]
----
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
  auth.jdbcAuthentication()
    .dataSource(dataSource)
    .usersByUsernameQuery("SELECT * FROM users WHERE username = ?")
    .passwordEncoder(new BCryptPasswordEncoder());
}
----

=== How does this work?

include::../common/fix/password-hashing.adoc[]

In the previous example, the ``BCryptPasswordEncoder`` is a password hashing
function in Java that is designed to be secure and resistant to various types
of attacks, including brute-force and rainbow table attacks. It is slow,
adaptative, and automatically implements a salt.

include::../common/fix/plaintext-password.adoc[]

=== Pitfalls

include::../common/pitfalls/pre-hashing.adoc[]


== Resources

=== Documentation

* Spring Framework Security Documentation - https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html[Class BCryptPasswordEncoder]
* OWASP CheatSheet - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html[Password Storage Cheat Sheet]

include::../common/resources/standards-mobile.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use a secure password hashing algorithm.

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]