
Remove PlainTextPasswordEncoder from core

Issue: gh-4674
Rob Winch 8 år sedan
förälder
incheckning
12dbf2e961

+ 2 - 2
config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/NamespaceLdapAuthenticationProviderTestsConfigs.java

@@ -15,10 +15,10 @@
  */
 package org.springframework.security.config.annotation.authentication.ldap;
 
-import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 import org.springframework.security.ldap.userdetails.PersonContextMapper;
 
@@ -90,7 +90,7 @@ public class NamespaceLdapAuthenticationProviderTestsConfigs {
 					.groupSearchBase("ou=groups")
 					.userSearchFilter("(uid={0})")
 					.passwordCompare()
-						.passwordEncoder(new PlaintextPasswordEncoder()) // ldap-authentication-provider/password-compare/password-encoder@ref
+						.passwordEncoder(NoOpPasswordEncoder.getInstance()) // ldap-authentication-provider/password-compare/password-encoder@ref
 						.passwordAttribute("userPassword"); // ldap-authentication-provider/password-compare@password-attribute
 		}
 		// @formatter:on

+ 14 - 3
config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java

@@ -22,7 +22,6 @@ import org.springframework.ldap.core.support.BaseLdapPathContextSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.encoding.PasswordEncoder;
-import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
@@ -30,6 +29,7 @@ import org.springframework.security.config.annotation.web.configurers.ChannelSec
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
 import org.springframework.security.ldap.authentication.AbstractLdapAuthenticator;
 import org.springframework.security.ldap.authentication.BindAuthenticator;
@@ -401,7 +401,7 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 
 		/**
 		 * Allows specifying the {@link PasswordEncoder} to use. The default is
-		 * {@link PlaintextPasswordEncoder}.
+		 * {@link org.springframework.security.crypto.password.NoOpPasswordEncoder}.
 		 * @param passwordEncoder the {@link PasswordEncoder} to use
 		 * @return the {@link PasswordEncoder} to use
 		 */
@@ -410,6 +410,17 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 			return this;
 		}
 
+		/**
+		 * Allows specifying the {@link org.springframework.security.crypto.password.PasswordEncoder} to use. The default is
+		 * {@link org.springframework.security.crypto.password.NoOpPasswordEncoder}.
+		 * @param passwordEncoder the {@link org.springframework.security.crypto.password.PasswordEncoder} to use
+		 * @return the {@link org.springframework.security.crypto.password.PasswordEncoder} to use
+		 */
+		public PasswordCompareConfigurer passwordEncoder(org.springframework.security.crypto.password.PasswordEncoder passwordEncoder) {
+			LdapAuthenticationProviderConfigurer.this.passwordEncoder = passwordEncoder;
+			return this;
+		}
+
 		/**
 		 * The attribute in the directory which contains the user password. Defaults to
 		 * "userPassword".
@@ -614,6 +625,6 @@ public class LdapAuthenticationProviderConfigurer<B extends ProviderManagerBuild
 	 */
 	public PasswordCompareConfigurer passwordCompare() {
 		return new PasswordCompareConfigurer().passwordAttribute("password")
-				.passwordEncoder(new PlaintextPasswordEncoder());
+				.passwordEncoder(NoOpPasswordEncoder.getInstance());
 	}
 }
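Review bot: The Javadoc on the new overload says `@return the PasswordEncoder to use`, but the method returns `this`, the enclosing `PasswordCompareConfigurer`, exactly like the legacy overload above it; `@return the {@link PasswordCompareConfigurer} for further customizations` would describe what callers actually get. The two overloads now differ only by the parameter's package and both write the same outer field, so the last call wins and a bare `null` argument no longer resolves; a sentence in the Javadoc noting that only one encoder is retained, or an `Assert.notNull(passwordEncoder, "passwordEncoder cannot be null")` on the first line of the body, would make that explicit. The `passwordEncoder` field itself is declared outside this diff, so I cannot confirm from here that its type accepts both the legacy `encoding.PasswordEncoder` and the crypto `PasswordEncoder`, though the unchanged diffstat for the field suggests it already did.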

+ 0 - 3
config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java

@@ -29,7 +29,6 @@ import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.authentication.encoding.BaseDigestPasswordEncoder;
 import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
 import org.springframework.security.authentication.encoding.Md4PasswordEncoder;
-import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
 import org.springframework.security.config.Elements;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.util.StringUtils;
@@ -48,7 +47,6 @@ public class PasswordEncoderParser {
 	public static final String ATT_HASH = "hash";
 	static final String ATT_BASE_64 = "base64";
 	static final String OPT_HASH_BCRYPT = "bcrypt";
-	static final String OPT_HASH_PLAINTEXT = "plaintext";
 	static final String OPT_HASH_MD4 = "md4";
 	static final String OPT_HASH_LDAP_SHA = "{sha}";
 	static final String OPT_HASH_LDAP_SSHA = "{ssha}";
@@ -57,7 +55,6 @@ public class PasswordEncoderParser {
 
 	static {
 		ENCODER_CLASSES = new HashMap<String, Class<?>>();
-		ENCODER_CLASSES.put(OPT_HASH_PLAINTEXT, PlaintextPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_BCRYPT, BCryptPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_MD4, Md4PasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_LDAP_SHA, LdapShaPasswordEncoder.class);
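Review bot: Dropping the `plaintext` key from `ENCODER_CLASSES` means an XML configuration that still declares `hash="plaintext"` now fails, and how an unrecognised value is reported is outside this hunk; since the 5.0 XSD in this same commit also removes the enumeration value, it will presumably surface as a schema validation error before this parser runs. A short comment at the map initialisation would help users migrating, for example `// "plaintext" was removed together with PlaintextPasswordEncoder; configure an explicit encoder bean via ref instead`. The rest of the static initialiser and the lookup that consumes the map are not in the hunk.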

+ 0 - 3
config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd

@@ -12,7 +12,6 @@
          <xs:simpleType>
             <xs:restriction base="xs:token">
                <xs:enumeration value="bcrypt"/>
-               <xs:enumeration value="plaintext"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>
@@ -144,7 +143,6 @@
          <xs:simpleType>
             <xs:restriction base="xs:token">
                <xs:enumeration value="bcrypt"/>
-               <xs:enumeration value="plaintext"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>
@@ -524,7 +522,6 @@
          <xs:simpleType>
             <xs:restriction base="xs:token">
                <xs:enumeration value="bcrypt"/>
-               <xs:enumeration value="plaintext"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>

+ 2 - 2
core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java

@@ -21,11 +21,11 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.InternalAuthenticationServiceException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.encoding.PasswordEncoder;
-import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.util.Assert;
 
 /**
@@ -65,7 +65,7 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
 	private UserDetailsService userDetailsService;
 
 	public DaoAuthenticationProvider() {
-		setPasswordEncoder(new PlaintextPasswordEncoder());
+		setPasswordEncoder(NoOpPasswordEncoder.getInstance());
 	}
 
 	// ~ Methods
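Review bot: The constructor keeps a no-op encoder as the default, so a `DaoAuthenticationProvider` that is never given an explicit encoder compares the stored credential with the submitted one in clear; that is the pre-existing default rather than something this commit introduces, but now that `PlaintextPasswordEncoder` no longer exists a one-line comment would make the intent visible: `// Backwards-compatible default; production configurations should call setPasswordEncoder(...) with a hashing encoder`. The `setPasswordEncoder` overload that accepts the crypto `PasswordEncoder` is not in this diff, so I cannot confirm its signature from here, and the constructor continues to call that overridable setter, which is a pre-existing pattern.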

+ 0 - 97
core/src/main/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoder.java

@@ -1,97 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.authentication.encoding;
-
-import java.util.Locale;
-
-/**
- * <p>
- * Plaintext implementation of PasswordEncoder.
- * </p>
- * <P>
- * As callers may wish to extract the password and salts separately from the encoded
- * password, the salt must not contain reserved characters (specifically '{' and '}').
- * </p>
- *
- * @author colin sampaleanu
- * @author Ben Alex
- */
-public class PlaintextPasswordEncoder extends BasePasswordEncoder {
-	// ~ Instance fields
-	// ================================================================================================
-
-	private boolean ignorePasswordCase = false;
-
-	// ~ Methods
-	// ========================================================================================================
-
-	public String encodePassword(String rawPass, Object salt) {
-		return mergePasswordAndSalt(rawPass, salt, true);
-	}
-
-	public boolean isIgnorePasswordCase() {
-		return ignorePasswordCase;
-	}
-
-	public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
-		String pass1 = encPass + "";
-
-		// Strict delimiters is false because pass2 never persisted anywhere
-		// and we want to avoid unnecessary exceptions as a result (the
-		// authentication will fail as the encodePassword never allows them)
-		String pass2 = mergePasswordAndSalt(rawPass, salt, false);
-
-		if (ignorePasswordCase) {
-			// Note: per String javadoc to get correct results for Locale insensitive, use
-			// English
-			pass1 = pass1.toLowerCase(Locale.ENGLISH);
-			pass2 = pass2.toLowerCase(Locale.ENGLISH);
-		}
-		return PasswordEncoderUtils.equals(pass1, pass2);
-	}
-
-	/**
-	 * Demerges the previously {@link #encodePassword(String, Object)}<code>String</code>.
-	 * <P>
-	 * The resulting array is guaranteed to always contain two elements. The first is the
-	 * password, and the second is the salt.
-	 * </p>
-	 * <P>
-	 * Throws an exception if <code>null</code> or an empty <code>String</code> is passed
-	 * to the method.
-	 * </p>
-	 *
-	 * @param password from {@link #encodePassword(String, Object)}
-	 *
-	 * @return an array containing the password and salt
-	 */
-	public String[] obtainPasswordAndSalt(String password) {
-		return demergePasswordAndSalt(password);
-	}
-
-	/**
-	 * Indicates whether the password comparison is case sensitive.
-	 * <P>
-	 * Defaults to <code>false</code>, meaning an exact case match is required.
-	 * </p>
-	 *
-	 * @param ignorePasswordCase set to <code>true</code> for less stringent comparison
-	 */
-	public void setIgnorePasswordCase(boolean ignorePasswordCase) {
-		this.ignorePasswordCase = ignorePasswordCase;
-	}
-}

+ 0 - 73
core/src/test/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoderTests.java

@@ -1,73 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.authentication.encoding;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-import org.junit.Test;
-
-/**
- * <p>
- * TestCase for PlaintextPasswordEncoder.
- * </p>
- *
- * @author colin sampaleanu
- * @author Ben Alex
- */
-public class PlaintextPasswordEncoderTests {
-
-	// ~ Methods
-	// ========================================================================================================
-	@Test
-	public void testBasicFunctionality() {
-		PlaintextPasswordEncoder pe = new PlaintextPasswordEncoder();
-
-		String raw = "abc123";
-		String rawDiffCase = "AbC123";
-		String badRaw = "abc321";
-		String salt = "THIS_IS_A_SALT";
-
-		String encoded = pe.encodePassword(raw, salt);
-		assertThat(encoded).isEqualTo("abc123{THIS_IS_A_SALT}");
-		assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
-		assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
-
-		// make sure default is not to ignore password case
-		assertThat(pe.isIgnorePasswordCase()).isFalse();
-		encoded = pe.encodePassword(rawDiffCase, salt);
-		assertThat(pe.isPasswordValid(encoded, raw, salt)).isFalse();
-
-		// now check for ignore password case
-		pe = new PlaintextPasswordEncoder();
-		pe.setIgnorePasswordCase(true);
-
-		// should be able to validate even without encoding
-		encoded = pe.encodePassword(rawDiffCase, salt);
-		assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
-		assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
-	}
-
-	@Test
-	public void testMergeDemerge() {
-		PlaintextPasswordEncoder pwd = new PlaintextPasswordEncoder();
-
-		String merged = pwd.encodePassword("password", "foo");
-		String[] demerged = pwd.obtainPasswordAndSalt(merged);
-		assertThat(demerged[0]).isEqualTo("password");
-		assertThat(demerged[1]).isEqualTo("foo");
-	}
-}

+ 3 - 3
ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java

@@ -21,9 +21,9 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
 import org.springframework.security.authentication.encoding.PasswordEncoder;
-import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.ldap.AbstractLdapIntegrationTests;
 
 import org.springframework.ldap.core.DirContextAdapter;
@@ -50,7 +50,7 @@ public class PasswordComparisonAuthenticatorTests extends AbstractLdapIntegratio
 	@Before
 	public void setUp() throws Exception {
 		authenticator = new PasswordComparisonAuthenticator(getContextSource());
-		authenticator.setPasswordEncoder(new PlaintextPasswordEncoder());
+		authenticator.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
 		authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" });
 		bob = new UsernamePasswordAuthenticationToken("bob", "bobspassword");
 		ben = new UsernamePasswordAuthenticationToken("ben", "benspassword");
@@ -140,7 +140,7 @@ public class PasswordComparisonAuthenticatorTests extends AbstractLdapIntegratio
 	@Test
 	public void testWithUserSearch() {
 		authenticator = new PasswordComparisonAuthenticator(getContextSource());
-		authenticator.setPasswordEncoder(new PlaintextPasswordEncoder());
+		authenticator.setPasswordEncoder(NoOpPasswordEncoder.getInstance());
 		assertThat(authenticator.getUserDns("Bob")).withFailMessage("User DN matches shouldn't be available").isEmpty();
 
 		DirContextAdapter ctx = new DirContextAdapter(new DistinguishedName(