From 44c4a4ae8635f5b55166e2e66edc8fbacaf1831c Mon Sep 17 00:00:00 2001
From: Petr Svoboda
Date: Thu, 16 Mar 2023 15:04:21 +0100
Subject: [PATCH] Add new DaoAuthenticationProvider constructor

Add a new constructor to the DaoAuthenticationProvider, which allows providing a custom PasswordEncoder to prevent instantiation of the default delegating PasswordEncoder in the default constructor. This provides a way to instantiate the DaoAuthenticationProvider on JDKs where the default delegating PasswordEncoder cannot be instantiated due to limited JCE providers for compliance reasons (e.g., FIPS).

Closes gh-12874
---
 .../authentication/dao/DaoAuthenticationProvider.java | 11 ++++++++++-
 .../dao/DaoAuthenticationProviderTests.java | 7 +++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
index c21a9ff2f1..5595ac3cb4 100644
--- a/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
@@ -61,7 +61,16 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
 private UserDetailsPasswordService userDetailsPasswordService;

 public DaoAuthenticationProvider() {
- setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
+ this(PasswordEncoderFactories.createDelegatingPasswordEncoder());
+ }
+
+ /**
+ * Creates a new instance using the provided {@link PasswordEncoder}
+ * @param passwordEncoder the {@link PasswordEncoder} to use. Cannot be null.
+ * @since 6.0.3
+ */
+ public DaoAuthenticationProvider(PasswordEncoder passwordEncoder) {
+ setPasswordEncoder(passwordEncoder);
 }

 @Override
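Review bot: The new constructor's Javadoc promises "Cannot be null", but its body only forwards to `setPasswordEncoder(passwordEncoder)`, and that setter's body is outside this hunk, so no null check is visible here. If the setter does not already reject null, add `Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");` as the first statement, so that a misconfigured provider fails at construction rather than at the first authentication attempt. The Javadoc should also say that the supplied encoder fully replaces the delegating default, for example `* The encoder must be able to verify the format of the stored passwords; no delegating fallback is created.`, because deployments that pass a single approved encoder will otherwise not expect prefixed legacy hashes to stop matching. The class body continues outside the hunk.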
diff --git a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
index 08db0ef474..f9b1e7c03e 100644
--- a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
@@ -441,6 +441,13 @@ public class DaoAuthenticationProviderTests {
 assertThatExceptionOfType(UsernameNotFoundException.class).isThrownBy(() -> provider.authenticate(token));
 }

+ @Test
+ public void constructWhenPasswordEncoderProvidedThenSets() {
+ DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider(
+ NoOpPasswordEncoder.getInstance());
+ assertThat(daoAuthenticationProvider.getPasswordEncoder()).isSameAs(NoOpPasswordEncoder.getInstance());
+ }
+
 /**
 * This is an explicit test for SEC-2056. It is intentionally ignored since this test
 * is not deterministic and {@link #testUserNotFoundEncodesPassword()} ensures that
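Review bot: `constructWhenPasswordEncoderProvidedThenSets` covers only the successful path, so the rejection of a null encoder by the new constructor is left untested. A companion case such as `assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> new DaoAuthenticationProvider(null));` would pin that behaviour, assuming the setter rejects null with that exception type, which this page does not show. A short comment like `// NoOpPasswordEncoder is used only as an identity marker; no password is encoded here` would also keep the plaintext encoder from being copied into non-test code.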