Skip to content

DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873

New issue
New issue
Closed
Closed
DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode#12873
Assignees
marcusdacoregio
Labels
in: cryptoAn issue in spring-security-cryptotype: bugA general bug
Milestone
 
5.8.3
@psvo

Description

@psvo
psvo
opened on Mar 16, 2023
Contributor

Describe the bug

Creating instance of DaoAuthenticationProvider fails due to "PBKDF2WithHmacSHA256 SecretKeyFactory not available" when running on RHEL 8.7 with enforced FIPS mode.

The problem is that the DaoAuthenticationProvider creates a default delegating password encoder and one of the delegates fails to instantiate due to limited JCE provider availability when FIPS is enforced.

There's no workaround, because the DaoAuthenticationProvider has only the default constructor which fails due to unconditionally calling org.springframework.security.crypto.factory.PasswordEncoderFactories#createDelegatingPasswordEncoder.

The error is:

org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.authentication.dao.DaoAuthenticationProvider]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: Invalid algorithm 'PBKDF2WithHmacSHA256'.
	... more
Caused by: java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA256 SecretKeyFactory not available
	at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122) ~[?:?]
	at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:168) ~[?:?]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.setAlgorithm(Pbkdf2PasswordEncoder.java:226) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.<init>(Pbkdf2PasswordEncoder.java:179) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8(Pbkdf2PasswordEncoder.java:207) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.factory.PasswordEncoderFactories.createDelegatingPasswordEncoder(PasswordEncoderFactories.java:81) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.authentication.dao.DaoAuthenticationProvider.<init>(DaoAuthenticationProvider.java:64) ~[spring-security-core-5.8.2.jar:5.8.2]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	... more

This is a regression in 5.8.2. It worked for us in Spring Security 5.7.4, because we were overwriting the default password encoder before it tried to retrieve the algorithm.

The issue was most probably introduced by PR #11904 (c50441b) as a fix for issue #10489.

To Reproduce

  1. Write an application using DaoAuthenticationProvider from Spring Security 5.8.2.
  2. Run the application on RHEL 8.7 with enforced FIPS mode for JDK 11.

Expected behavior

Be able to use DaoAuthenticationProvider on RHEL 8.7 with enforced FIPS mode for JDK 11.

Allow providing a custom PasswordEncoder when instantiating DaoAuthenticationProvider to bypass the instantiation of the default delegating password encoder (PasswordEncoderFactories#createDelegatingPasswordEncoder).

Activity

psvo
added
status: waiting-for-triageAn issue we've not yet triaged
type: bugA general bug
on Mar 16, 2023
psvo
mentioned this on Mar 16, 2023
marcusdacoregio
assigned
rwinch
on Mar 22, 2023
marcusdacoregio
assigned
marcusdacoregio
and unassigned
rwinch
on Mar 30, 2023
marcusdacoregio
added
in: coreAn issue in spring-security-core
and removed
status: waiting-for-triageAn issue we've not yet triaged
on Mar 31, 2023
marcusdacoregio
added this to the 5.8.3 milestone on Apr 4, 2023
marcusdacoregio
added
in: cryptoAn issue in spring-security-crypto
and removed
in: coreAn issue in spring-security-core
on Apr 4, 2023
marcusdacoregio

marcusdacoregio commented on Apr 4, 2023

@marcusdacoregio
marcusdacoregio
on Apr 4, 2023
Contributor

Thanks, @psvo, this is now fixed in 5.8.x via d5603a9. That commit adds a guard around the new algorithm added and prevents an application from breaking.

Please if you can test the SNAPSHOT it would be great to have feedback if it is working fine before the GA.

The new constructor was added to 6.0.x via #12874

marcusdacoregio
closed this as completedon Apr 4, 2023
psvo

psvo commented on Apr 12, 2023

@psvo
psvo
on Apr 12, 2023
ContributorAuthor

Please if you can test the SNAPSHOT it would be great to have feedback if it is working fine before the GA.

@marcusdacoregio, I can confirm the fix merged to 5.8.3-SNAPSHOT works for me. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

in: cryptoAn issue in spring-security-cryptotype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @rwinch@psvo@marcusdacoregio

      Issue actions
        DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode · Issue #12873 · spring-projects/spring-security