java.lang.Object

com.goldenleaf.shop.config.SecurityConfig

@Configuration public class SecurityConfig extends Object

Application-wide security configuration.

Defines beans used throughout the application for cryptographic operations, primarily password hashing and verification.

Current implementation uses BCryptPasswordEncoder — the de-facto industry standard in 2025 for password storage:

Adaptive hashing algorithm with configurable work factor (strength)
Built-in random salt generation (prevents rainbow table attacks)
Recommended by OWASP, Spring Security, NIST, and used by GitHub, Dropbox, etc.
Future-proof: strength can be increased without breaking existing hashes

Default strength = 10 (balanced between security and performance). Can be increased to 12+ on powerful servers or decreased to 8–10 on low-end hardware.

Since:: 1.0

Constructor Summary

Constructors

Constructor

Description

SecurityConfig()
Method Summary

Modifier and Type

Method

Description

org.springframework.security.crypto.password.PasswordEncoder

passwordEncoder()

Provides a global PasswordEncoder bean.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details
- SecurityConfig
  
  public SecurityConfig()
Method Details
- passwordEncoder
  @Bean public org.springframework.security.crypto.password.PasswordEncoder passwordEncoder()
  
  Provides a global PasswordEncoder bean.
  Autowired wherever passwords need to be encoded or verified (e.g., registration, login, admin user creation).
  
  Using strength = 10 by default:
  
  ~100–200 ms per hash on modern hardware — acceptable for login
  
  Strong enough against brute-force and GPU cracking in 2025
  
  Returns:
  
  BCryptPasswordEncoder instance with default strength

Class SecurityConfig

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Details

SecurityConfig

Method Details

passwordEncoder