gh-18234: Create SHA-1 MessageDigest for every new check request

Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
2026-02-08 14:34:34 +00:00 · 2025-11-29 16:58:25 +05:30 · 2025-11-29 16:58:25 +05:30 · edd82ba82c
commit edd82ba82c
parent 27f91e03f9
2 changed files with 2 additions and 14 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
@ -52,18 +52,12 @@ public final class HaveIBeenPwnedRestApiPasswordChecker implements CompromisedPa

 	private final Log logger = LogFactory.getLog(getClass());

-	private final MessageDigest sha1Digest;
-
 	private RestClient restClient = RestClient.builder().baseUrl(API_URL).build();

-	public HaveIBeenPwnedRestApiPasswordChecker() {
-		this.sha1Digest = getSha1Digest();
-	}
-
 	@Override
 	@NonNull
 	public CompromisedPasswordDecision check(String password) {
-		byte[] hash = this.sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8));
+		byte[] hash = getSha1Digest().digest(password.getBytes(StandardCharsets.UTF_8));
 		String encoded = new String(Hex.encode(hash)).toUpperCase(Locale.ROOT);
 		String prefix = encoded.substring(0, PREFIX_LENGTH);
 		String suffix = encoded.substring(PREFIX_LENGTH);
--- a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java
@ -54,12 +54,6 @@ public class HaveIBeenPwnedRestApiReactivePasswordChecker implements ReactiveCom

 	private WebClient webClient = WebClient.builder().baseUrl(API_URL).build();

-	private final MessageDigest sha1Digest;
-
-	public HaveIBeenPwnedRestApiReactivePasswordChecker() {
-		this.sha1Digest = getSha1Digest();
-	}
-
 	@Override
 	public Mono<CompromisedPasswordDecision> check(String password) {
 		return getHash(password).map((hash) -> new String(Hex.encode(hash)))
@ -95,7 +89,7 @@ public class HaveIBeenPwnedRestApiReactivePasswordChecker implements ReactiveCom
 	}

 	private Mono<byte[]> getHash(String password) {
-		return Mono.fromSupplier(() -> this.sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8)))
+		return Mono.fromSupplier(() -> getSha1Digest().digest(password.getBytes(StandardCharsets.UTF_8)))
 			.subscribeOn(Schedulers.boundedElastic())
 			.publishOn(Schedulers.parallel());
 	}