Polish userNotFoundEncodedPassword

rwinch · rwinch · commit 6ba225b62d9b · 2018-01-24T11:06:08.000-06:00
Ensure that if passwordEncoder is set that userNotFoundEncodedPassword is encoded again if already set. Issue: gh-4915
diff --git a/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
@@ -149,6 +149,7 @@ private void mitigateAgainstTimingAttack(UsernamePasswordAuthenticationToken aut
 	public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
 		Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
 		this.passwordEncoder = passwordEncoder;
+		this.userNotFoundEncodedPassword = null;
 	}
 
 	protected PasswordEncoder getPasswordEncoder() {
diff --git a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
@@ -50,6 +50,7 @@
 import org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache;
 import org.springframework.security.core.userdetails.cache.NullUserCache;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
@@ -280,6 +281,35 @@ public void testAuthenticateFailsWithInvalidUsernameAndHideUserNotFoundException
 		}
 	}
 
+	@Test
+	public void testAuthenticateFailsWithInvalidUsernameAndChangePasswordEncoder() {
+		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
+			"INVALID_USER", "koala");
+
+		DaoAuthenticationProvider provider = createProvider();
+		assertThat(provider.isHideUserNotFoundExceptions()).isTrue();
+		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
+		provider.setUserCache(new MockUserCache());
+
+		try {
+			provider.authenticate(token);
+			fail("Should have thrown BadCredentialsException");
+		}
+		catch (BadCredentialsException expected) {
+
+		}
+
+		provider.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
+
+		try {
+			provider.authenticate(token);
+			fail("Should have thrown BadCredentialsException");
+		}
+		catch (BadCredentialsException expected) {
+
+		}
+	}
+
 	@Test
 	public void testAuthenticateFailsWithMixedCaseUsernameIfDefaultChanged() {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(

Original file line number	Diff line number	Diff line change
`@@ -149,6 +149,7 @@ private void mitigateAgainstTimingAttack(UsernamePasswordAuthenticationToken aut`
`149`	`149`	`public void setPasswordEncoder(PasswordEncoder passwordEncoder) {`
`150`	`150`	`Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");`
`151`	`151`	`this.passwordEncoder = passwordEncoder;`
	`152`	`+ this.userNotFoundEncodedPassword = null;`
`152`	`153`	`}`
`153`	`154`
`154`	`155`	`protected PasswordEncoder getPasswordEncoder() {`