From 89467605cacad8ecff77aef670af80474595fab6 Mon Sep 17 00:00:00 2001
From: LeeJiWon <dlwldnjs1009@gmail.com>
Date: Sat, 24 Jan 2026 14:54:49 +0900
Subject: [PATCH] Deprecate single-arg PasswordComparisonAuthenticator ctor

Add new constructor accepting PasswordEncoder to eventually
remove deprecated LdapShaPasswordEncoder usage.

Closes gh-18430

Signed-off-by: LeeJiWon <dlwldnjs1009@gmail.com>
---
 .../PasswordComparisonAuthenticator.java          | 15 ++++++++++++++-
 .../PasswordComparisonAuthenticatorMockTests.java |  1 +
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticator.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticator.java
index e158e87235..dd07d2349c 100644
--- a/ldap/src/main/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticator.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticator.java
@@ -52,14 +52,27 @@ public final class PasswordComparisonAuthenticator extends AbstractLdapAuthentic
 
 	private static final Log logger = LogFactory.getLog(PasswordComparisonAuthenticator.class);
 
-	private PasswordEncoder passwordEncoder = new LdapShaPasswordEncoder(KeyGenerators.shared(0));
+	private PasswordEncoder passwordEncoder;
 
 	private String passwordAttributeName = "userPassword";
 
 	private boolean usePasswordAttrCompare = false;
 
+	/**
+	 * @deprecated Use
+	 * {@link #PasswordComparisonAuthenticator(BaseLdapPathContextSource, PasswordEncoder)}
+	 * instead
+	 */
+	@Deprecated(since = "7.1")
+	@SuppressWarnings("deprecation")
 	public PasswordComparisonAuthenticator(BaseLdapPathContextSource contextSource) {
+		this(contextSource, new LdapShaPasswordEncoder(KeyGenerators.shared(0)));
+	}
+
+	public PasswordComparisonAuthenticator(BaseLdapPathContextSource contextSource, PasswordEncoder passwordEncoder) {
 		super(contextSource);
+		Assert.notNull(passwordEncoder, "passwordEncoder must not be null");
+		this.passwordEncoder = passwordEncoder;
 	}
 
 	@Override
diff --git a/ldap/src/test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorMockTests.java b/ldap/src/test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorMockTests.java
index dbf4beae3a..5162fda236 100644
--- a/ldap/src/test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorMockTests.java
+++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorMockTests.java
@@ -35,6 +35,7 @@ import static org.mockito.Mockito.mock;
 /**
  * @author Luke Taylor
  */
+@SuppressWarnings("deprecation")
 public class PasswordComparisonAuthenticatorMockTests {
 
 	@Test