Class PasswordManager

java.lang.Object
com.alpaca.security.manager.PasswordManager

@Component public class PasswordManager extends Object
Spring component responsible for handling secure password hashing and verification using PBKDF2. It wraps a configured Pbkdf2PasswordEncoder to encode raw passwords and validate matches.

The encoder is configured via the application property spring.datasource.secret.key, which serves as the "pepper": an application-wide secret added on top of per-password salts for enhanced security (see Pbkdf2PasswordEncoder).

See Also:
  • Pbkdf2PasswordEncoder
  • Field Summary

    Fields
    Modifier and Type, Field - Description
    private final org.springframework.security.crypto.password.Pbkdf2PasswordEncoder encoder
  • Constructor Summary

    Constructors
    Constructor - Description
    PasswordManager(String secretKey) - Constructs a PasswordManager using a secret key as "pepper".
  • Method Summary

    Modifier and Type, Method - Description
    String encodePassword(String rawPassword) - Encodes a raw password using PBKDF2 hashing.
    boolean matches(String rawPassword, String encodedPassword) - Validates a raw password against a previously hashed password.
    org.springframework.security.crypto.password.PasswordEncoder passwordEncoder() - Exposes the underlying PasswordEncoder.

    Methods inherited from class java.lang.Object

    clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • encoder

      private final org.springframework.security.crypto.password.Pbkdf2PasswordEncoder encoder
  • Constructor Details

    • PasswordManager

      public PasswordManager(@Value("${spring.datasource.secret.key}") @NonNull String secretKey)
      Constructs a PasswordManager using a secret key as "pepper". The encoder is initialized with the following properties:
      • Salt length: 16 bytes (default for Spring Security 5.8+)
      • Iterations: 310,000 (default aiming for ~0.5 seconds processing time)
      • Algorithm: PBKDF2WithHmacSHA512
      • Output encoding: Base64 (instead of hex)
      Parameters:
      secretKey - the application-wide secret ("pepper") to enhance password hashing security; must not be null
  • Method Details

    • passwordEncoder

      public org.springframework.security.crypto.password.PasswordEncoder passwordEncoder()
      Exposes the underlying PasswordEncoder. Useful when integration with Spring Security configurations is needed.
      Returns:
      the configured PasswordEncoder
    • encodePassword

      public String encodePassword(String rawPassword)
      Encodes a raw password using PBKDF2 hashing.
      Parameters:
      rawPassword - the plain text password
      Returns:
      the hashed password string
    • matches

      public boolean matches(String rawPassword, String encodedPassword)
      Validates a raw password against a previously hashed password.
      Parameters:
      rawPassword - the plain text password to validate
      encodedPassword - the stored hashed password
      Returns:
      true if the raw password matches the encoded one; false otherwise
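
The configuration listed under Constructor Details, as an added example that is not the project's own code: it builds a Pbkdf2PasswordEncoder with those parameters through the Spring Security 5.8+ constructor and checks how salt and pepper affect verification. The class name PepperDemo, the helper newEncoder, and the pepper and password strings are constructed for illustration; spring-security-crypto 5.8 or later is assumed to be on the classpath.

```java
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm;

public class PepperDemo {

    // Hypothetical helper: builds an encoder with the parameters from the
    // constructor details (16-byte salt, 310,000 iterations, HMAC-SHA512,
    // Base64 output). The pepper is passed as the encoder's "secret".
    static Pbkdf2PasswordEncoder newEncoder(String pepper) {
        Pbkdf2PasswordEncoder encoder = new Pbkdf2PasswordEncoder(
                pepper, 16, 310_000, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA512);
        encoder.setEncodeHashAsBase64(true);
        return encoder;
    }

    public static void main(String[] args) {
        // Constructed sample values; a real pepper comes from protected configuration.
        Pbkdf2PasswordEncoder current = newEncoder("constructed-pepper-A");
        Pbkdf2PasswordEncoder rotated = newEncoder("constructed-pepper-B");
        String password = "correct horse battery staple";

        // Each encode() call draws a fresh random salt, so two encodings of the
        // same password differ and stored hashes must be checked with matches(),
        // never by comparing strings.
        String first = current.encode(password);
        String second = current.encode(password);
        System.out.println("encodings differ:            " + !first.equals(second));

        // The salt travels inside the encoded value, so verification needs only
        // the stored string and the pepper.
        System.out.println("same pepper verifies:        " + current.matches(password, first));
        System.out.println("wrong password rejected:     " + !current.matches("wrong-password", first));

        // The pepper is not part of the encoded value. An encoder built with a
        // different pepper cannot verify hashes created under the old one, so
        // changing the property means re-hashing at next login or keeping the
        // old encoder available for verification.
        System.out.println("other pepper verifies:       " + rotated.matches(password, first));
    }
}
```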