From edd82ba82ca8dd017396e6e460449af2bb32a166 Mon Sep 17 00:00:00 2001
From: Garvit Joshi
Date: Sat, 29 Nov 2025 16:58:25 +0530
Subject: [PATCH] gh-18234: Create SHA-1 MessageDigest for every new check request

Signed-off-by: Garvit Joshi
---
 .../password/HaveIBeenPwnedRestApiPasswordChecker.java | 8 +-------
 .../HaveIBeenPwnedRestApiReactivePasswordChecker.java | 8 +-------
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
index 21dcce3dd4..7346203c5f 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
@@ -52,18 +52,12 @@ public final class HaveIBeenPwnedRestApiPasswordChecker implements CompromisedPa
 	private final Log logger = LogFactory.getLog(getClass());
-	private final MessageDigest sha1Digest;
-
 	private RestClient restClient = RestClient.builder().baseUrl(API_URL).build();
-	public HaveIBeenPwnedRestApiPasswordChecker() {
-		this.sha1Digest = getSha1Digest();
-	}
-
 	@Override
 	@NonNull
 	public CompromisedPasswordDecision check(String password) {
-		byte[] hash = this.sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8));
+		byte[] hash = getSha1Digest().digest(password.getBytes(StandardCharsets.UTF_8));
 		String encoded = new String(Hex.encode(hash)).toUpperCase(Locale.ROOT);
 		String prefix = encoded.substring(0, PREFIX_LENGTH);
 		String suffix = encoded.substring(PREFIX_LENGTH);
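Review bot: The new `getSha1Digest().digest(...)` line in check() gives no hint of why the digest is no longer cached in a field, so the shared instance this commit removes is likely to come back as a later "optimization"; the same applies to the getHash() change in HaveIBeenPwnedRestApiReactivePasswordChecker. A MessageDigest is stateful and not safe for concurrent use, so two check() calls racing on one instance can interleave their updates and produce a corrupted hash, which then silently sends the wrong prefix and compares the wrong suffix. I would add `// MessageDigest is stateful and not thread-safe; obtain a fresh instance per request` above the new line in both classes. The rest of check() and the body of getSha1Digest() lie outside the hunk, so whether getSha1Digest() does more than MessageDigest.getInstance is not visible here.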
diff --git a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java
index 0a582ac9bf..a3e89216e0 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java
@@ -54,12 +54,6 @@ public class HaveIBeenPwnedRestApiReactivePasswordChecker implements ReactiveCom
 	private WebClient webClient = WebClient.builder().baseUrl(API_URL).build();
-	private final MessageDigest sha1Digest;
-
-	public HaveIBeenPwnedRestApiReactivePasswordChecker() {
-		this.sha1Digest = getSha1Digest();
-	}
-
 	@Override
 	public Mono check(String password) {
 		return getHash(password).map((hash) -> new String(Hex.encode(hash)))
@@ -95,7 +89,7 @@ public class HaveIBeenPwnedRestApiReactivePasswordChecker implements ReactiveCom
 	}
 	private Mono getHash(String password) {
-		return Mono.fromSupplier(() -> this.sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8)))
+		return Mono.fromSupplier(() -> getSha1Digest().digest(password.getBytes(StandardCharsets.UTF_8)))
 			.subscribeOn(Schedulers.boundedElastic())
 			.publishOn(Schedulers.parallel());
 	}
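Review bot: No test accompanies the change in either class (the diffstat lists only the two main sources), so nothing guards against the shared digest being reintroduced. A test that hashes the same password from several threads at once against one checker instance, with the HTTP call stubbed, and asserts every call computes the same prefix would catch a regression; for this reactive variant, subscribing to the same getHash Mono repeatedly from multiple threads does the same job. Placing `getSha1Digest()` inside the `Mono.fromSupplier` lambda is the right scope, since the supplier runs once per subscription on boundedElastic, so every subscription gets its own digest. The Javadoc of getHash and check is outside the hunk, so I cannot tell whether it already states that instances are safe to share.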