Add new DaoAuthenticationProvider constructor #12874
Conversation
Add a new constructor to the DaoAuthenticationProvider, which allows providing a custom PasswordEncoder to prevent instantiation of the default delegating PasswordEncoder in the default constructor. This provides a way to instantiate the DaoAuthenticationProvider on JDKs where the default delegating PasswordEncoder cannot be instantiated due to limited JCE providers for compliance reasons (e.g., FIPS). Closes spring-projectsgh-12873
spring-projects-issues
added
the
status: waiting-for-triage
marcusdacoregio
added
status: duplicate
There was a problem hiding this comment.
Hi @psvo, thank you for the PR.
This problem seems to be introduced in 5.8.x, therefore I think that the target branch should be 5.8.x. Additionally, the 5.6.x branch is not supported anymore.
| this(PasswordEncoderFactories.createDelegatingPasswordEncoder()); | ||
| } | ||
|
|
||
| public DaoAuthenticationProvider(PasswordEncoder passwordEncoder) { |
There was a problem hiding this comment.
Can you add a test where it makes sure that the provided PasswordEncoder is used?
| setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder()); | ||
| this(PasswordEncoderFactories.createDelegatingPasswordEncoder()); | ||
| } | ||
|
|
There was a problem hiding this comment.
I think that it would be great to add a little bit of javadoc here, with a little description and the @since 5.8.3 tag
|
@psvo I was discussing this with a team member and we don't think adding a new constructor to a patch release will improve things. Since that change broke existing applications, we should aim to keep the behavior as before (do not throw an exception for the new encoders). A new constructor could be added for 6.1, the next minor release, and we should provide a bug fix for 5.8.x and 6.0.x. That said, please hold the changes until we are 100% sure what to do here. |
Ok |
marcusdacoregio
added
type: enhancement
Add a new constructor to the DaoAuthenticationProvider, which allows providing a custom PasswordEncoder to prevent instantiation of the default delegating PasswordEncoder in the default constructor.
This provides a way to instantiate the DaoAuthenticationProvider on JDKs where the default delegating PasswordEncoder cannot be instantiated due to limited JCE providers for compliance reasons (e.g., FIPS).
Closes gh-12873
@pivotal-cla This is an Obvious Fix