Polish userNotFoundEncodedPassword

Ensure that if passwordEncoder is set that userNotFoundEncodedPassword is encoded again if already set. Issue: gh-4915
8 years ago · 6ba225b62d
2 changed files with 31 additions and 0 deletions
--- a/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java
@ -149,6 +149,7 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
				@@ -149,6 +149,7 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
 	public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
 		Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
 		this.passwordEncoder = passwordEncoder;
+		this.userNotFoundEncodedPassword = null;
 	}

 	protected PasswordEncoder getPasswordEncoder() {
--- a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
@ -50,6 +50,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
				@@ -50,6 +50,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache;
 import org.springframework.security.core.userdetails.cache.NullUserCache;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;

@ -280,6 +281,35 @@ public class DaoAuthenticationProviderTests {
				@@ -280,6 +281,35 @@ public class DaoAuthenticationProviderTests {
 		}
 	}

+	@Test
+	public void testAuthenticateFailsWithInvalidUsernameAndChangePasswordEncoder() {
+		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
+			"INVALID_USER", "koala");
+
+		DaoAuthenticationProvider provider = createProvider();
+		assertThat(provider.isHideUserNotFoundExceptions()).isTrue();
+		provider.setUserDetailsService(new MockAuthenticationDaoUserrod());
+		provider.setUserCache(new MockUserCache());
+
+		try {
+			provider.authenticate(token);
+			fail("Should have thrown BadCredentialsException");
+		}
+		catch (BadCredentialsException expected) {
+
+		}
+
+		provider.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
+
+		try {
+			provider.authenticate(token);
+			fail("Should have thrown BadCredentialsException");
+		}
+		catch (BadCredentialsException expected) {
+
+		}
+	}
+
 	@Test
 	public void testAuthenticateFailsWithMixedCaseUsernameIfDefaultChanged() {
 		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(