From 6ba225b62d9b447574eb55ecd67399b6a514b9ea Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Wed, 24 Jan 2018 10:42:09 -0600
Subject: [PATCH] Polish userNotFoundEncodedPassword
Ensure that if passwordEncoder is set that userNotFoundEncodedPassword is encoded again if already set.
Issue: gh-4915
---
 .../dao/DaoAuthenticationProvider.java | 1 +
 .../dao/DaoAuthenticationProviderTests.java | 30 +++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
index f9bdc94611..cb836fbfb4 100644
--- a/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
@@ -149,6 +149,7 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
 public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
 Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
 this.passwordEncoder = passwordEncoder;
+ this.userNotFoundEncodedPassword = null;
 }
 protected PasswordEncoder getPasswordEncoder() {
diff --git a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
index 66c54c7b97..b67883f159 100644
--- a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
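Review bot: The added `this.userNotFoundEncodedPassword = null;` in `setPasswordEncoder` carries no comment, although the reset is the whole point of the change and is easy to delete as dead-looking code. I would put `// discard the cached not-found hash so it is re-encoded with the new encoder on next use` above it. The encoder and the cached value are also written in two separate steps, so if this setter can run while `authenticate` is serving requests, a thread could briefly combine the new encoder with a value produced by the old one; the field declaration and the code that fills the cache are outside this hunk, so that needs checking there. If reconfiguration at runtime is not intended, the setter's Javadoc should say it must be called before the provider is put into service.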
@@ -50,6 +50,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache;
 import org.springframework.security.core.userdetails.cache.NullUserCache;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -280,6 +281,35 @@ public class DaoAuthenticationProviderTests {
 }
 }
+ @Test
+ public void testAuthenticateFailsWithInvalidUsernameAndChangePasswordEncoder() {
+ UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
+ "INVALID_USER", "koala");
+
+ DaoAuthenticationProvider provider = createProvider();
+ assertThat(provider.isHideUserNotFoundExceptions()).isTrue();
+ provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
+ provider.setUserCache(new MockUserCache());
+
+ try {
+ provider.authenticate(token);
+ fail("Should have thrown BadCredentialsException");
+ }
+ catch (BadCredentialsException expected) {
+
+ }
+
+ provider.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
+
+ try {
+ provider.authenticate(token);
+ fail("Should have thrown BadCredentialsException");
+ }
+ catch (BadCredentialsException expected) {
+
+ }
+ }
+
 @Test
 public void testAuthenticateFailsWithMixedCaseUsernameIfDefaultChanged() {
 UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
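Review bot: The added test `testAuthenticateFailsWithInvalidUsernameAndChangePasswordEncoder` only checks that both `authenticate` calls throw `BadCredentialsException`, so the property it protects — that the value cached by the first call is encoded again after `setPasswordEncoder` — stays implicit and depends on how the delegating encoder reacts to a hash it did not produce. A short comment before the second call would make the intent visible, e.g. `// first call cached the not-found hash with the old encoder; the new encoder must not be handed it`. A more direct check would wrap the new encoder in a small counting `PasswordEncoder` and assert that `encode` was invoked after the switch; whether the class already has a helper for that is not visible in this hunk. The two empty `catch` blocks would also read better with an `// expected` comment inside them.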