closes gh-14880

Author: abimaelrsergio

crypto/src/main/java/org/springframework/security/crypto/password/DelegatingPasswordEncoder.java

@@ -286,9 +286,17 @@ public String encode(CharSequence rawPassword) {
 		@Override
 		public boolean matches(CharSequence rawPassword, String prefixEncodedPassword) {
 			String id = extractId(prefixEncodedPassword);
+			checkIfStringIsEmptyOrNull(id);
 			throw new IllegalArgumentException("There is no PasswordEncoder mapped for the id \"" + id + "\"");
 		}
 
+		private void checkIfStringIsEmptyOrNull(String string) {
+			if (string == null || string.isEmpty()) {
+				throw new IllegalArgumentException(
+						"You have entered a password with no PasswordEncoder. If that is your intent, it should be prefixed with `{noop}`.");
+			}
+		}
+
 	}
 
 }

crypto/src/test/java/org/springframework/security/crypto/password/DelegatingPasswordEncoderTests.java

@@ -43,6 +43,8 @@
 @ExtendWith(MockitoExtension.class)
 public class DelegatingPasswordEncoderTests {
 
+	public static final String NO_PASSWORD_ENCODER = "You have entered a password with no PasswordEncoder. If that is your intent, it should be prefixed with `{noop}`.";
+
 	@Mock
 	private PasswordEncoder bcrypt;
 
@@ -201,23 +203,23 @@ public void matchesWhenUnMappedThenIllegalArgumentException() {
 	public void matchesWhenNoClosingPrefixStringThenIllegalArgumentException() {
 		assertThatIllegalArgumentException()
 			.isThrownBy(() -> this.passwordEncoder.matches(this.rawPassword, "{bcrypt" + this.rawPassword))
-			.withMessage("There is no PasswordEncoder mapped for the id \"null\"");
+			.withMessage(NO_PASSWORD_ENCODER);
 		verifyNoMoreInteractions(this.bcrypt, this.noop);
 	}
 
 	@Test
 	public void matchesWhenNoStartingPrefixStringThenFalse() {
 		assertThatIllegalArgumentException()
 			.isThrownBy(() -> this.passwordEncoder.matches(this.rawPassword, "bcrypt}" + this.rawPassword))
-			.withMessage("There is no PasswordEncoder mapped for the id \"null\"");
+			.withMessage(NO_PASSWORD_ENCODER);
 		verifyNoMoreInteractions(this.bcrypt, this.noop);
 	}
 
 	@Test
 	public void matchesWhenNoIdStringThenFalse() {
 		assertThatIllegalArgumentException()
 			.isThrownBy(() -> this.passwordEncoder.matches(this.rawPassword, "{}" + this.rawPassword))
-			.withMessage("There is no PasswordEncoder mapped for the id \"\"");
+			.withMessage(NO_PASSWORD_ENCODER);
 		verifyNoMoreInteractions(this.bcrypt, this.noop);
 	}
 
@@ -226,7 +228,7 @@ public void matchesWhenPrefixInMiddleThenFalse() {
 		assertThatIllegalArgumentException()
 			.isThrownBy(() -> this.passwordEncoder.matches(this.rawPassword, "invalid" + this.bcryptEncodedPassword))
 			.isInstanceOf(IllegalArgumentException.class)
-			.withMessage("There is no PasswordEncoder mapped for the id \"null\"");
+			.withMessage(NO_PASSWORD_ENCODER);
 		verifyNoMoreInteractions(this.bcrypt, this.noop);
 	}
 
@@ -236,7 +238,7 @@ public void matchesWhenIdIsNullThenFalse() {
 		DelegatingPasswordEncoder passwordEncoder = new DelegatingPasswordEncoder(this.bcryptId, this.delegates);
 		assertThatIllegalArgumentException()
 			.isThrownBy(() -> passwordEncoder.matches(this.rawPassword, this.rawPassword))
-			.withMessage("There is no PasswordEncoder mapped for the id \"null\"");
+			.withMessage(NO_PASSWORD_ENCODER);
 		verifyNoMoreInteractions(this.bcrypt, this.noop);
 	}
 
@@ -289,4 +291,14 @@ public void upgradeEncodingWhenDifferentIdThenTrue() {
 		verifyNoMoreInteractions(this.bcrypt);
 	}
 
+	@Test
+	void matchesShouldThrowIllegalArgumentExceptionWhenNoPasswordEncoderIsMappedForTheId() {
+		assertThatIllegalArgumentException()
+			.isThrownBy(() -> this.passwordEncoder.matches("rawPassword", "prefixEncodedPassword"))
+			.isInstanceOf(IllegalArgumentException.class)
+			.withMessage(NO_PASSWORD_ENCODER);
+		verifyNoMoreInteractions(this.bcrypt, this.noop);
+
+	}
+
 }