Use Static Holder

By using a static holder, we can leave method contracts
as-is and still maintain the performance benefit.

Issue gh-17824

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>

crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java

@@ -716,12 +716,7 @@ public class BCrypt {
 	 * factor therefore increases as 2**log_rounds.
 	 * @return an encoded salt value
 	 * @exception IllegalArgumentException if prefix or log_rounds is invalid
-	 * @deprecated since 6.4 in favor of {@link #gensalt(String, int, SecureRandom)}.
-	 * Creating a new {@code SecureRandom} instance on every invocation incurs significant
-	 * performance overhead. Use {@link #gensalt(String, int, SecureRandom)} with a reusable
-	 * {@code SecureRandom} instance instead.
 	 */
-	@Deprecated(since = "6.4", forRemoval = false)
 	public static String gensalt(String prefix, int log_rounds) throws IllegalArgumentException {
 		return gensalt(prefix, log_rounds, new SecureRandom());
 	}
@@ -744,12 +739,7 @@ public class BCrypt {
 	 * factor therefore increases as 2**log_rounds.
 	 * @return an encoded salt value
 	 * @exception IllegalArgumentException if log_rounds is invalid
-	 * @deprecated since 6.4 in favor of {@link #gensalt(int, SecureRandom)}.
-	 * Creating a new {@code SecureRandom} instance on every invocation incurs significant
-	 * performance overhead. Use {@link #gensalt(int, SecureRandom)} with a reusable
-	 * {@code SecureRandom} instance instead.
 	 */
-	@Deprecated(since = "6.4", forRemoval = false)
 	public static String gensalt(int log_rounds) throws IllegalArgumentException {
 		return gensalt(log_rounds, new SecureRandom());
 	}

crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java

@@ -44,24 +44,24 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 
 	private final BCryptVersion version;
 
-	private final @Nullable SecureRandom random;
+	private final SecureRandom random;
 
 	public BCryptPasswordEncoder() {
-		this(-1, new SecureRandom());
+		this(-1);
 	}
 
 	/**
 	 * @param strength the log rounds to use, between 4 and 31
 	 */
 	public BCryptPasswordEncoder(int strength) {
-		this(strength, new SecureRandom());
+		this(strength, null);
 	}
 
 	/**
 	 * @param version the version of bcrypt, can be 2a,2b,2y
 	 */
 	public BCryptPasswordEncoder(BCryptVersion version) {
-		this(version, new SecureRandom());
+		this(version, null);
 	}
 
 	/**
@@ -85,7 +85,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 	 * @param strength the log rounds to use, between 4 and 31
 	 */
 	public BCryptPasswordEncoder(BCryptVersion version, int strength) {
-		this(version, strength, new SecureRandom());
+		this(version, strength, null);
 	}
 
 	/**
@@ -99,7 +99,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 		}
 		this.version = version;
 		this.strength = (strength == -1) ? 10 : strength;
-		this.random = random;
+		this.random = (random != null) ? random : SecureRandomHolder.INSTANCE;
 	}
 
 	@Override
@@ -109,10 +109,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 	}
 
 	private String getSalt() {
-		if (this.random != null) {
-			return BCrypt.gensalt(this.version.getVersion(), this.strength, this.random);
-		}
-		return BCrypt.gensalt(this.version.getVersion(), this.strength);
+		return BCrypt.gensalt(this.version.getVersion(), this.strength, this.random);
 	}
 
 	@Override
@@ -159,4 +156,10 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 
 	}
 
+	private static final class SecureRandomHolder {
+
+		private static final SecureRandom INSTANCE = new SecureRandom();
+
+	}
+
 }