

Polish userNotFoundEncodedPassword
Ensure that when passwordEncoder is set, userNotFoundEncodedPassword
is encoded again if it was already set.

Issue: gh-4915
rwinch committed Jan 24, 2018
1 parent fd78d05 commit 6ba225b
Showing 2 changed files with 31 additions and 0 deletions.
Expand Up @@ -149,6 +149,7 @@ private void mitigateAgainstTimingAttack(UsernamePasswordAuthenticationToken aut
public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
this.passwordEncoder = passwordEncoder;
this.userNotFoundEncodedPassword = null;
}

protected PasswordEncoder getPasswordEncoder() {
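Review bot: The added `this.userNotFoundEncodedPassword = null;` in `setPasswordEncoder` has no comment saying why the field is cleared, and the reason is security-relevant. Judging by the commit message and the `mitigateAgainstTimingAttack` context in the hunk header, the field caches a dummy hash used for unknown users, and a hash produced by the previous encoder would make that path behave differently from a real password check. I would add `// Drop the dummy hash made by the previous encoder so it is re-encoded with the new one; otherwise the user-not-found path no longer costs the same as a real check.` The two assignments are also not atomic, so if this setter can be called while authentications are in flight (the re-encoding code is outside the hunk, so I cannot confirm), a request could pair the new encoder with the old hash; documenting the setter as configuration-time only would cover that.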
Expand Up @@ -50,6 +50,7 @@
import org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache;
import org.springframework.security.core.userdetails.cache.NullUserCache;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

Expand Down Expand Up @@ -280,6 +281,35 @@ public void testAuthenticateFailsWithInvalidUsernameAndHideUserNotFoundException
}
}

@Test
public void testAuthenticateFailsWithInvalidUsernameAndChangePasswordEncoder() {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
"INVALID_USER", "koala");

DaoAuthenticationProvider provider = createProvider();
assertThat(provider.isHideUserNotFoundExceptions()).isTrue();
provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
provider.setUserCache(new MockUserCache());

try {
provider.authenticate(token);
fail("Should have thrown BadCredentialsException");
}
catch (BadCredentialsException expected) {

}

provider.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());

try {
provider.authenticate(token);
fail("Should have thrown BadCredentialsException");
}
catch (BadCredentialsException expected) {

}
}

@Test
public void testAuthenticateFailsWithMixedCaseUsernameIfDefaultChanged() {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
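Review bot: The new test `testAuthenticateFailsWithInvalidUsernameAndChangePasswordEncoder` only asserts that `BadCredentialsException` is thrown before and after the encoder swap, so it does not directly show that the dummy hash was re-encoded with the new encoder. It presumably passes only because a stale hash would make the delegating encoder fail with a different exception, which depends on what `createProvider()` configures (not visible here); a short comment stating that, or a spy encoder whose `encode` output is checked as the argument to `matches`, would make the intent explicit. As a style point, the two try/`fail`/empty-`catch` blocks can each become `assertThatThrownBy(() -> provider.authenticate(token)).isInstanceOf(BadCredentialsException.class);`, since the file appears to use AssertJ's `assertThat` already. The following test method starts inside the hunk and continues outside it.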
