Description
Rob Winch (Migrated from SEC-2566) said:
After successfully verifying a user's password, check to see if the format the password was stored in is up to date. If not, upgrade the storage of the password.
A developer can ensure that passwords that need to be upgraded are now upgraded on authentication success by exposing a UserDetailsPasswordService as a Bean.
The changes for this ticket include:
- `PasswordEncoder.upgradeEncoding` allows checking to see if a password should be upgraded
- Passwords can be upgraded using `UserDetailsPasswordService` and `ReactiveUserDetailsPasswordService`. Both `InMemoryUserDetailsManager` and `MapReactiveUserDetailsService` now implement these interfaces. `DaoAuthenticationProvider` and `UserDetailsRepositoryReactiveAuthenticationManager` can have a `UserDetailsPasswordService` or `ReactiveUserDetailsPasswordService` injected, which on authentication success will trigger the password to be upgraded if `PasswordEncoder.upgradeEncoding` returns `true`.
NOTE: `JdbcUserDetailsManager` and `LdapUserDetailsManager` do not implement `UserDetailsPasswordService` because they would then try to upgrade the passwords automatically, which would potentially cause users' production code to break. For example, encoding the password is likely to cause the password to be too large to fit into the default schema. Another example is if the user has custom queries for the user and does not plan on using it for updates, they may not have set the update SQL, which means updating would break log in (which might try to log in).
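The following is an added example (not code from the ticket or from Spring Security itself) that wires the pieces listed above together and shows the upgrade happening end to end: a user stored with the legacy `{noop}` format is re-encoded with `{bcrypt}` on the first successful login, a wrong password leaves the stored value alone, and a later login no longer triggers an upgrade. It assumes `spring-security-core` 5.1 or later on the classpath; the class name, user name and password are constructed for the demo.

```java
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Added example (not Spring Security's own code): password-storage upgrade on login.
 * Assumes spring-security-core 5.1+, which added UserDetailsPasswordService and
 * PasswordEncoder.upgradeEncoding.
 */
public class PasswordUpgradeDemo {

    /**
     * Builds an AuthenticationManager whose DaoAuthenticationProvider uses the same
     * in-memory store as both UserDetailsService and UserDetailsPasswordService.
     */
    static AuthenticationManager authenticationManager(InMemoryUserDetailsManager users,
                                                       PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        // Without this setter upgradeEncoding() is never consulted and stored hashes are left as-is.
        provider.setUserDetailsPasswordService(users);
        return new ProviderManager(Collections.singletonList(provider));
    }

    public static void main(String[] args) {
        // DelegatingPasswordEncoder: new encodings get the {bcrypt} id; {noop}, {sha256},
        // {pbkdf2}, ... remain verifiable, and upgradeEncoding() is true for any id other
        // than the one used for encoding.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // Constructed sample: a user whose password is still stored in plain text under {noop}.
        UserDetails legacy = User.withUsername("alice").password("{noop}s3cret").roles("USER").build();
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(legacy);
        AuthenticationManager authManager = authenticationManager(users, encoder);

        String stored = users.loadUserByUsername("alice").getPassword();
        System.out.println("stored=" + stored + " needsUpgrade=" + encoder.upgradeEncoding(stored));

        // A wrong password must be rejected and must not touch the stored value:
        // the upgrade only runs from createSuccessAuthentication, i.e. after the check passed.
        try {
            authManager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException ex) {
            boolean unchanged = stored.equals(users.loadUserByUsername("alice").getPassword());
            System.out.println("bad password rejected; stored value unchanged=" + unchanged);
        }

        // Correct password: the provider verifies it, sees upgradeEncoding()==true, encodes the
        // presented (plain-text) password with the current default encoder and passes the result
        // to UserDetailsPasswordService.updatePassword(...).
        Authentication auth = authManager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        String upgraded = users.loadUserByUsername("alice").getPassword();
        System.out.println("authenticated=" + auth.isAuthenticated());
        System.out.println("stored=" + upgraded + " needsUpgrade=" + encoder.upgradeEncoding(upgraded));

        // The upgraded {bcrypt} hash still verifies, and a second login leaves it alone.
        authManager.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        boolean stable = upgraded.equals(users.loadUserByUsername("alice").getPassword());
        System.out.println("stable after second login=" + stable);
    }
}
```

Two practical points follow from the note above. The upgrade can only happen at login, because that is the only moment the plain-text password is available to re-encode; accounts that never log in keep their old format, so this is not a substitute for a bulk migration where one is needed. And if the store is `JdbcUserDetailsManager`, you write your own `UserDetailsPasswordService` (typically a thin `JdbcTemplate` update keyed by username) and expose it as a bean, after first confirming that the password column is wide enough for the new value: a `{bcrypt}`-prefixed hash is 68 characters, so a schema sized for the old format will silently truncate the hash and lock the user out on the next login.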