Package org.springframework.security.web.authentication.password

Class HaveIBeenPwnedRestApiPasswordChecker

java.lang.Object
org.springframework.security.web.authentication.password.HaveIBeenPwnedRestApiPasswordChecker
All Implemented Interfaces:
CompromisedPasswordChecker
public final class HaveIBeenPwnedRestApiPasswordChecker extends Object implements CompromisedPasswordChecker
Checks if the provided password was leaked by relying on Have I Been Pwned REST API. This implementation uses the Search by Range in order to protect the value of the source password being searched for.
Since:
6.3

  • Constructor Details

    • HaveIBeenPwnedRestApiPasswordChecker

      public HaveIBeenPwnedRestApiPasswordChecker()

  • Method Details

    • check

      public CompromisedPasswordDecision check(@Nullable String password)
      Description copied from interface: CompromisedPasswordChecker
      Check whether the password is compromised. If password is null, then the return value must be false for CompromisedPasswordDecision.isCompromised() since a null password represents no password (e.g. the user leverages Passkeys instead).
      Specified by:
      check in interface CompromisedPasswordChecker
      Parameters:
      password - the password to check
      Returns:
      a non-null CompromisedPasswordDecision

    • setRestClient

      public void setRestClient(org.springframework.web.client.RestClient restClient)
      Sets the RestClient to use when making requests to Have I Been Pwned REST API. By default, a RestClient with a base URL of API_URL is used.
      Parameters:
      restClient - the RestClient to use