Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Regression testing is an important step in the release process, to ensure that new code doesn't break the existing functionality. As the codebase evolves, we want to run these tests frequently to help catch any issues early on.
The best way to ensure these tests run frequently on an automated basis is, of course, to include them in the CI/CD pipeline. This way, the regression tests will execute automatically whenever we commit code to the repository.
In this tutorial, we'll see how to create regression tests using Selenium, and then include them in our pipeline using GitHub Actions:, to be run on the LambdaTest cloud grid:
1. Overview
Keeping users safe from hacking is very important when building a web application that involves user authentication. Most web applications are designed not to store plain text passwords but the hash of the password. Hashing and salting are techniques that help protect the password from any possible attack.
In this tutorial, we’ll learn about hashing and salting techniques, and how to hash with Argon2 in Java.
2. Password Hashing and Salting
Password hashing and salting are two techniques that can strengthen the security of passwords stored in a database. The hashing algorithm involves a mathematical operation that alters or transforms a password into a string of random characters.
However, hackers can try to guess a password by comparing hashes of common passwords. To prevent this, password salting comes into play.
Password salting is the method of appending a random piece of data, known as salt, to the password before applying hashing algorithm. The salt ensures that the hash is distinct and that two users with identical passwords will have different hashes.
Moreover, the hashing algorithm is one-way, meaning that the hash cannot be converted back to plain text, unlike encryption. This adds another layer of security and protection.
3. What Is Argon2?
Argon2 is a password-based key derivation function. It’s a secure password hashing function designed to have many parameters that can be adjusted. Moreover, Argon2 is a memory-hard function, meaning that it requires a lot of memory to compute and is difficult to implement on hardware with limited memory.
Furthermore, it allows applications to customize the algorithm according to their security needs. This is essential for applications with different security requirements.
Additionally, because Argon2 offers high security, it’s recommended for applications that require strong password protection. It resists attacks from GPUs and other specialized hardware.
4. Hashing With Argon2
One of the strengths of Argon2 is that we can configure it based on different needs. We can set the number of iterations. This is the number of times the password will be hashed. A higher number of iterations will take more time to hash the password but will make the password more secure.
Furthermore, we can set the memory cost. This is the amount of memory Argon2 will use. Higher memory cost will make the password more secure but consumes more system memory.
Additionally, we can also set the parallelism cost. This is the number of threads that the Argon2 algorithm will use. Higher parallelism costs will speed up the password hashing process but reduce password security.
In the following subsections, we’ll implement hashing with Argon2 using the Spring Security Crypto library and Bouncy Castle library.
4.1. Implement Argon2 Hashing With Spring Security Crypto
The Spring Security Crypto library has a class to hash passwords using Argon2. It relies on the Bouncy Castle library internally.
Let’s use the Spring Security Crypto library to hash a password. First, we need to add its dependency to the pom.xml:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>6.0.3</version>
</dependency>
Next, let’s see a unit test that hashes a password based on Argon2:
@Test
public void givenRawPassword_whenEncodedWithArgon2_thenMatchesEncodedPassword() {
String rawPassword = "Baeldung";
Argon2PasswordEncoder arg2SpringSecurity = new Argon2PasswordEncoder(16, 32, 1, 60000, 10);
String springBouncyHash = arg2SpringSecurity.encode(rawPassword);
assertTrue(arg2SpringSecurity.matches(rawPassword, springBouncyHash));
}In the example above, we declare a variable to store the raw password “Baeldung“. Next, we create an instance of Argon2PasswordEncoder with five arguments. We set the number of iterations to use to ten and also set the hash length to 32 bytes. The default hash length is 64 bytes. Furthermore, we set the memory cost to 60000 kilobytes, the parallelism factor to one thread, and the time cost to 16 iterations.
Finally, we verify that the raw password matches the hashed password.
4.2. Implement Argon2 Hashing With Bouncy Castle
Bouncy Castle library implementation is more low-level compared to Spring Security Crypto library. To use the Bouncy Castle library, we need to add its dependency to the pom.xml:
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
<version>1.76</version>
</dependency>
Let’s look at an example that implements hashing using the Bouncy Castle library.
First, let’s create a method to generate a random salt for us:
private byte[] generateSalt16Byte() {
SecureRandom secureRandom = new SecureRandom();
byte[] salt = new byte[16];
secureRandom.nextBytes(salt);
return salt;
}In the sample code above, we create a SecureRandom object, which is a class that provides a cryptographically strong random number generator. Next, we create a byte array of size 16 to store 16 bytes of data. Then, we invoke the nextBytes() method on secureRandom to generate the salt.
Finally, let’s hash the password “Baeldung“:
@Test
public void givenRawPasswordAndSalt_whenArgon2AlgorithmIsUsed_thenHashIsCorrect() {
byte[] salt = generateSalt16Byte();
String password = "Baeldung";
int iterations = 2;
int memLimit = 66536;
int hashLength = 32;
int parallelism = 1;
Argon2Parameters.Builder builder = new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
.withVersion(Argon2Parameters.ARGON2_VERSION_13)
.withIterations(iterations)
.withMemoryAsKB(memLimit)
.withParallelism(parallelism)
.withSalt(salt);
Argon2BytesGenerator generate = new Argon2BytesGenerator();
generate.init(builder.build());
byte[] result = new byte[hashLength];
generate.generateBytes(password.getBytes(StandardCharsets.UTF_8), result, 0, result.length);
Argon2BytesGenerator verifier = new Argon2BytesGenerator();
verifier.init(builder.build());
byte[] testHash = new byte[hashLength];
verifier.generateBytes(password.getBytes(StandardCharsets.UTF_8), testHash, 0, testHash.length);
assertTrue(Arrays.equals(result, testHash));
}In the example above, we create a random 16-byte salt using the generatesalt16Byte() method. Next, we define essential parameters for the algorithm, such as the number of iterations, the memory limit, the hash length, the parallelism factor, and the salt.
Then, we create an Argon2BytesGenerator object. This object helps to generate the password hash. Also, we define a byte array to store the result of the hash generated.
Finally, we create another instance of Argon2BytesGenerator to compare the result with a test hash. This asserts that the password hash is correct and can be verified by the Argon2 algorithm.
5. Conclusion
In this article, we learned the basics of password hashing and salting. Additionally, we deep-dived into the Argon2 algorithm and saw an implementation using Spring Security Crypto and Bouncy Castle. The Spring Security Crypto appears simple, as it abstracts some processes.
