Remove ShaPasswordEncoder from core

Issue: gh-4674

config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java

@@ -30,7 +30,6 @@ import org.springframework.security.authentication.encoding.BaseDigestPasswordEn
 import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
 import org.springframework.security.authentication.encoding.Md4PasswordEncoder;
 import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
-import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.security.config.Elements;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.util.StringUtils;
@@ -50,8 +49,6 @@ public class PasswordEncoderParser {
 	static final String ATT_BASE_64 = "base64";
 	static final String OPT_HASH_BCRYPT = "bcrypt";
 	static final String OPT_HASH_PLAINTEXT = "plaintext";
-	static final String OPT_HASH_SHA = "sha";
-	static final String OPT_HASH_SHA256 = "sha-256";
 	static final String OPT_HASH_MD4 = "md4";
 	static final String OPT_HASH_LDAP_SHA = "{sha}";
 	static final String OPT_HASH_LDAP_SSHA = "{ssha}";
@@ -62,8 +59,6 @@ public class PasswordEncoderParser {
 		ENCODER_CLASSES = new HashMap<String, Class<?>>();
 		ENCODER_CLASSES.put(OPT_HASH_PLAINTEXT, PlaintextPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_BCRYPT, BCryptPasswordEncoder.class);
-		ENCODER_CLASSES.put(OPT_HASH_SHA, ShaPasswordEncoder.class);
-		ENCODER_CLASSES.put(OPT_HASH_SHA256, ShaPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_MD4, Md4PasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_LDAP_SHA, LdapShaPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_LDAP_SSHA, LdapShaPasswordEncoder.class);
@@ -119,10 +114,6 @@ public class PasswordEncoderParser {
 		BeanDefinitionBuilder beanBldr = BeanDefinitionBuilder
 				.rootBeanDefinition(beanClass);
 
-		if (OPT_HASH_SHA256.equals(hash)) {
-			beanBldr.addConstructorArgValue(Integer.valueOf(256));
-		}
-
 		if (useBase64) {
 			if (BaseDigestPasswordEncoder.class.isAssignableFrom(beanClass)) {
 				beanBldr.addPropertyValue("encodeHashAsBase64", "true");

config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc

@@ -7,7 +7,7 @@ start = http | ldap-server | authentication-provider | ldap-authentication-provi
 
 hash =
 	## Defines the hashing algorithm used on user passwords. Bcrypt is recommended.
-	attribute hash {"bcrypt" | "plaintext" | "sha" | "sha-256" | "md4" | "{sha}" | "{ssha}"}
+	attribute hash {"bcrypt" | "plaintext" | "md4" | "{sha}" | "{ssha}"}
 base64 =
 	## Whether a string should be base64 encoded
 	attribute base64 {xsd:boolean}

config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd

@@ -13,8 +13,6 @@
             <xs:restriction base="xs:token">
                <xs:enumeration value="bcrypt"/>
                <xs:enumeration value="plaintext"/>
-               <xs:enumeration value="sha"/>
-               <xs:enumeration value="sha-256"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>
@@ -147,8 +145,6 @@
             <xs:restriction base="xs:token">
                <xs:enumeration value="bcrypt"/>
                <xs:enumeration value="plaintext"/>
-               <xs:enumeration value="sha"/>
-               <xs:enumeration value="sha-256"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>
@@ -529,8 +525,6 @@
             <xs:restriction base="xs:token">
                <xs:enumeration value="bcrypt"/>
                <xs:enumeration value="plaintext"/>
-               <xs:enumeration value="sha"/>
-               <xs:enumeration value="sha-256"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>

config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java

@@ -15,17 +15,13 @@
  */
 package org.springframework.security.config.authentication;
 
-import static org.assertj.core.api.Assertions.*;
-
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.dao.ReflectionSaltSource;
-import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;
-import org.springframework.security.util.FieldUtils;
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
 import org.springframework.context.support.AbstractXmlApplicationContext;
 
@@ -132,19 +128,6 @@ public class AuthenticationProviderBeanDefinitionParserTests {
 		getProvider().authenticate(bob);
 	}
 
-	@Test
-	public void providerWithSha256PasswordEncoderIsSupported() throws Exception {
-		setContext(" <authentication-provider>"
-				+ "        <password-encoder hash='sha-256'/>"
-				+ "        <user-service>"
-				+ "            <user name='bob' password='notused' authorities='ROLE_A' />"
-				+ "        </user-service>" + "    </authentication-provider>");
-
-		ShaPasswordEncoder encoder = (ShaPasswordEncoder) FieldUtils.getFieldValue(
-				getProvider(), "passwordEncoder");
-		assertThat(encoder.getAlgorithm()).isEqualTo("SHA-256");
-	}
-
 	@Test
 	public void passwordIsBase64EncodedWhenBase64IsEnabled() throws Exception {
 		appContext = new InMemoryXmlApplicationContext(

core/src/main/java/org/springframework/security/authentication/encoding/ShaPasswordEncoder.java

@@ -1,63 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.authentication.encoding;
-
-/**
- * <p>
- * SHA implementation of PasswordEncoder.
- * </p>
- * <p>
- * If a <code>null</code> password is presented, it will be treated as an empty
- * <code>String</code> ("") password.
- * </p>
- * <p>
- * As SHA is a one-way hash, the salt can contain any characters. The default strength for
- * the SHA encoding is SHA-1. If you wish to use higher strengths use the parametrised
- * constructor. {@link #ShaPasswordEncoder(int strength)}
- * </p>
- * <p>
- * The applicationContext example...
- *
- * <pre>
- * &lt;bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"&gt;
- *     &lt;constructor-arg value="256"/&gt;
- * &lt;/bean&gt;
- * </pre>
- *
- * @author Ray Krueger
- * @author colin sampaleanu
- * @author Ben Alex
- */
-public class ShaPasswordEncoder extends MessageDigestPasswordEncoder {
-
-	/**
-	 * Initializes the ShaPasswordEncoder for SHA-1 strength
-	 */
-	public ShaPasswordEncoder() {
-		this(1);
-	}
-
-	/**
-	 * Initialize the ShaPasswordEncoder with a given SHA stength as supported by the JVM
-	 * EX: <code>ShaPasswordEncoder encoder = new ShaPasswordEncoder(256);</code>
-	 * initializes with SHA-256
-	 *
-	 * @param strength EX: 1, 256, 384, 512
-	 */
-	public ShaPasswordEncoder(int strength) {
-		super("SHA-" + strength);
-	}
-}

core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java

@@ -40,7 +40,6 @@ import org.springframework.security.authentication.InternalAuthenticationService
 import org.springframework.security.authentication.LockedException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
@@ -348,33 +347,6 @@ public class DaoAuthenticationProviderTests {
 		assertThat(result2.getCredentials()).isEqualTo(result.getCredentials());
 	}
 
-	@Test
-	public void testAuthenticatesWhenASaltIsUsed() {
-		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
-				"rod", "koala");
-
-		SystemWideSaltSource salt = new SystemWideSaltSource();
-		salt.setSystemWideSalt("SYSTEM_SALT_VALUE");
-
-		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
-		provider.setUserDetailsService(new MockAuthenticationDaoUserrodWithSalt());
-		provider.setSaltSource(salt);
-		provider.setUserCache(new MockUserCache());
-
-		Authentication result = provider.authenticate(token);
-
-		if (!(result instanceof UsernamePasswordAuthenticationToken)) {
-			fail("Should have returned instance of UsernamePasswordAuthenticationToken");
-		}
-
-		assertThat(result.getPrincipal().getClass()).isEqualTo(User.class);
-
-		// We expect original credentials user submitted to be returned
-		assertThat(result.getCredentials()).isEqualTo("koala");
-		assertThat(AuthorityUtils.authorityListToSet(result.getAuthorities())).contains(
-				"ROLE_ONE", "ROLE_TWO");
-	}
-
 	@Test
 	public void testAuthenticatesWithForcePrincipalAsString() {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
@@ -418,9 +390,9 @@ public class DaoAuthenticationProviderTests {
 	@Test
 	public void testGettersSetters() {
 		DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
-		provider.setPasswordEncoder(new ShaPasswordEncoder());
+		provider.setPasswordEncoder(new PWE());
 		assertThat(provider.getPasswordEncoder().getClass()).isEqualTo(
-				ShaPasswordEncoder.class);
+				PWE.class);
 
 		provider.setSaltSource(new SystemWideSaltSource());
 		assertThat(provider.getSaltSource().getClass()).isEqualTo(
@@ -435,6 +407,17 @@ public class DaoAuthenticationProviderTests {
 		assertThat(provider.isForcePrincipalAsString()).isTrue();
 	}
 
+	static class PWE implements org.springframework.security.authentication.encoding.PasswordEncoder {
+		@Override public String encodePassword(String rawPass, Object salt) {
+			return null;
+		}
+
+		@Override public boolean isPasswordValid(String encPass, String rawPass,
+			Object salt) {
+			return false;
+		}
+	}
+
 	@Test
 	public void testGoesBackToAuthenticationDaoToObtainLatestPasswordIfCachedPasswordSeemsIncorrect() {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(

core/src/test/java/org/springframework/security/authentication/encoding/ShaPasswordEncoderTests.java

@@ -1,79 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.authentication.encoding;
-
-import static org.assertj.core.api.Assertions.*;
-
-import org.junit.Test;
-import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
-
-/**
- * <p>
- * TestCase for ShaPasswordEncoder.
- * </p>
- *
- * @author colin sampaleanu
- * @author Ben Alex
- * @author Ray Krueger
- */
-public class ShaPasswordEncoderTests {
-	// ~ Methods
-	// ========================================================================================================
-
-	@Test
-	public void testBasicFunctionality() {
-		ShaPasswordEncoder pe = new ShaPasswordEncoder();
-		String raw = "abc123";
-		String badRaw = "abc321";
-		String salt = "THIS_IS_A_SALT";
-		String encoded = pe.encodePassword(raw, salt);
-		assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
-		assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
-		assertThat(encoded).isEqualTo("b2f50ffcbd3407fe9415c062d55f54731f340d32");
-
-	}
-	@Test
-	public void testBase64() throws Exception {
-		ShaPasswordEncoder pe = new ShaPasswordEncoder();
-		pe.setEncodeHashAsBase64(true);
-		String raw = "abc123";
-		String badRaw = "abc321";
-		String salt = "THIS_IS_A_SALT";
-		String encoded = pe.encodePassword(raw, salt);
-		assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
-		assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
-		assertThat(encoded.length() != 40).isTrue();
-	}
-	@Test
-	public void test256() throws Exception {
-		ShaPasswordEncoder pe = new ShaPasswordEncoder(256);
-		String encoded = pe.encodePassword("abc123", null);
-		assertThat(encoded).isEqualTo("6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090");
-		String encodedWithSalt = pe.encodePassword("abc123", "THIS_IS_A_SALT");
-		assertThat(encodedWithSalt).isEqualTo("4b79b7de23eb23b78cc5ede227d532b8a51f89b2ec166f808af76b0dbedc47d7");
-	}
-	@Test
-	public void testInvalidStrength() throws Exception {
-		try {
-			new ShaPasswordEncoder(666);
-			fail("IllegalArgumentException expected");
-		}
-		catch (IllegalArgumentException e) {
-			// expected
-		}
-	}
-}