Improvements

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/PasswordManagementConfigurer.java

@@ -18,18 +18,17 @@
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
-import org.springframework.security.authentication.password.ChangePasswordAdvice;
 import org.springframework.security.authentication.password.ChangePasswordAdvisor;
 import org.springframework.security.authentication.password.ChangePasswordServiceAdvisor;
 import org.springframework.security.authentication.password.DelegatingChangePasswordAdvisor;
 import org.springframework.security.authentication.password.UserDetailsPasswordManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.web.RequestMatcherRedirectFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.password.ChangeCompromisedPasswordAdvisor;
 import org.springframework.security.web.authentication.password.ChangePasswordAdviceHandler;
 import org.springframework.security.web.authentication.password.ChangePasswordAdviceRepository;
+import org.springframework.security.web.authentication.password.ChangePasswordAdviceSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.password.ChangePasswordAdvisingFilter;
 import org.springframework.security.web.authentication.password.HttpSessionChangePasswordAdviceRepository;
 import org.springframework.security.web.authentication.password.SimpleChangePasswordAdviceHandler;
@@ -82,8 +81,7 @@ public PasswordManagementConfigurer<B> changePasswordAdviceRepository(
 		return this;
 	}
 
-	public PasswordManagementConfigurer<B> changePasswordAdvisor(
-			ChangePasswordAdvisor changePasswordAdvisor) {
+	public PasswordManagementConfigurer<B> changePasswordAdvisor(ChangePasswordAdvisor changePasswordAdvisor) {
 		this.changePasswordAdvisor = changePasswordAdvisor;
 		return this;
 	}
@@ -115,24 +113,25 @@ public void init(B http) throws Exception {
 				: this.context.getBeanProvider(ChangePasswordAdviceRepository.class)
 					.getIfUnique(HttpSessionChangePasswordAdviceRepository::new);
 
-		ChangePasswordAdvisor changePasswordAdvisor = (this.changePasswordAdvisor != null)
-				? this.changePasswordAdvisor
+		ChangePasswordAdvisor changePasswordAdvisor = (this.changePasswordAdvisor != null) ? this.changePasswordAdvisor
 				: this.context.getBeanProvider(ChangePasswordAdvisor.class)
-					.getIfUnique(() -> DelegatingChangePasswordAdvisor.of(
-							new ChangePasswordServiceAdvisor(passwordManager), new ChangeCompromisedPasswordAdvisor()));
+					.getIfUnique(() -> DelegatingChangePasswordAdvisor
+						.of(new ChangePasswordServiceAdvisor(passwordManager), new ChangeCompromisedPasswordAdvisor()));
 
 		http.setSharedObject(ChangePasswordAdviceRepository.class, changePasswordAdviceRepository);
 		http.setSharedObject(UserDetailsPasswordManager.class, passwordManager);
 
-		FormLoginConfigurer form = http.getConfigurer(FormLoginConfigurer.class);
-		String passwordParameter = (form != null) ? form.getPasswordParameter() : "password";
+		String passwordParameter = "password";
+		FormLoginConfigurer<B> form = http.getConfigurer(FormLoginConfigurer.class);
+		if (form != null) {
+			passwordParameter = form.getPasswordParameter();
+		}
+		ChangePasswordAdviceSessionAuthenticationStrategy sessionAuthenticationStrategy = new ChangePasswordAdviceSessionAuthenticationStrategy(
+				passwordParameter);
+		sessionAuthenticationStrategy.setChangePasswordAdviceRepository(changePasswordAdviceRepository);
+		sessionAuthenticationStrategy.setChangePasswordAdvisor(changePasswordAdvisor);
 		http.getConfigurer(SessionManagementConfigurer.class)
-			.addSessionAuthenticationStrategy((authentication, request, response) -> {
-				UserDetails user = (UserDetails) authentication.getPrincipal();
-				String password = request.getParameter(passwordParameter);
-				ChangePasswordAdvice advice = changePasswordAdvisor.advise(user, password);
-				changePasswordAdviceRepository.savePasswordAdvice(request, response, advice);
-			});
+			.addSessionAuthenticationStrategy(sessionAuthenticationStrategy);
 	}
 
 	/**

config/src/test/java/org/springframework/security/config/annotation/web/configurers/PasswordManagementConfigurerTests.java

@@ -19,6 +19,8 @@
 import java.net.URI;
 import java.util.UUID;
 
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -28,7 +30,8 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.authentication.password.ChangePasswordAdvice;
-import org.springframework.security.authentication.password.ChangePasswordReason;
+import org.springframework.security.authentication.password.ChangePasswordAdvisor;
+import org.springframework.security.authentication.password.ChangePasswordReasons;
 import org.springframework.security.authentication.password.SimpleChangePasswordAdvice;
 import org.springframework.security.authentication.password.UserDetailsPasswordManager;
 import org.springframework.security.config.Customizer;
@@ -37,13 +40,16 @@
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
-import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.password.ChangeCompromisedPasswordAdvisor;
+import org.springframework.security.web.authentication.password.ChangePasswordAdviceRepository;
+import org.springframework.security.web.authentication.password.HttpSessionChangePasswordAdviceRepository;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -125,9 +131,8 @@ void whenAdminSetsExpiredAdviceThenUserLoginRedirectsToResetPassword() throws Ex
 		this.mvc.perform(get("/").with(user(admin))).andExpect(status().isOk());
 		// change the password to a test value
 		String random = UUID.randomUUID().toString();
-		this.mvc.perform(post("/change-password").with(csrf()).with(user(admin)).param("newPassword", random))
-			.andExpect(status().isFound())
-			.andExpect(redirectedUrl("/"));
+		this.mvc.perform(post("/change-password").with(csrf()).with(user(admin)).param("password", random))
+			.andExpect(status().isOk());
 		// admin "expires" their own password
 		this.mvc.perform(post("/admin/passwords/expire/admin").with(csrf()).with(user(admin)))
 			.andExpect(status().isCreated());
@@ -144,9 +149,8 @@ void whenAdminSetsExpiredAdviceThenUserLoginRedirectsToResetPassword() throws Ex
 			.andExpect(redirectedUrl("/change-password"));
 		// reset the password to update
 		random = UUID.randomUUID().toString();
-		this.mvc.perform(post("/change-password").with(csrf()).session(session).param("newPassword", random))
-			.andExpect(status().isFound())
-			.andExpect(redirectedUrl("/"));
+		this.mvc.perform(post("/change-password").with(csrf()).session(session).param("password", random))
+			.andExpect(status().isOk());
 		// now we're good
 		this.mvc.perform(get("/").session(session)).andExpect(status().isOk());
 	}
@@ -155,14 +159,14 @@ void whenAdminSetsExpiredAdviceThenUserLoginRedirectsToResetPassword() throws Ex
 	void whenCompromisedThenUserLoginAllowed() throws Exception {
 		this.spring.register(PasswordManagementConfig.class, AdminController.class, HomeController.class).autowire();
 		MvcResult result = this.mvc
-			.perform(post("/login").with(csrf()).param("username", "compromised").param("password", "password"))
+			.perform(post("/login").with(csrf()).param("username", "user").param("password", "password"))
 			.andExpect(status().isFound())
 			.andExpect(redirectedUrl("/"))
 			.andReturn();
 		MockHttpSession session = (MockHttpSession) result.getRequest().getSession();
 		this.mvc.perform(get("/").session(session))
 			.andExpect(status().isOk())
-			.andExpect(content().string(containsString("COMPROMISED")));
+			.andExpect(content().string(containsString("compromised")));
 	}
 
 	@Configuration
@@ -207,8 +211,8 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 					.authorizeHttpRequests((authz) -> authz
-							.requestMatchers("/admin/**").hasRole("ADMIN")
-							.anyRequest().authenticated()
+						.requestMatchers("/admin/**").hasRole("ADMIN")
+						.anyRequest().authenticated()
 					)
 					.formLogin(Customizer.withDefaults())
 					.passwordManagement(Customizer.withDefaults());
@@ -219,8 +223,9 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		@Bean
 		UserDetailsService users() {
 			String adminPassword = UUID.randomUUID().toString();
-			UserDetails compromised = User.withUsername("compromised").password("{noop}password").roles("USER").build();
-			UserDetails admin = User.withUsername("admin").password("{noop}" + adminPassword).roles("ADMIN").build();
+			UserDetails compromised = PasswordEncodedUser.user();
+			UserDetails admin = PasswordEncodedUser.withUserDetails(PasswordEncodedUser.admin())
+					.password(adminPassword).build();
 			return new InMemoryUserDetailsManager(compromised, admin);
 		}
 
@@ -234,11 +239,9 @@ static class AdminController {
 
 		private final UserDetailsPasswordManager passwords;
 
-		private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
-
-		AdminController(UserDetailsService users) {
+		AdminController(UserDetailsService users, UserDetailsPasswordManager passwords) {
 			this.users = users;
-			this.passwords = (UserDetailsPasswordManager) users;
+			this.passwords = passwords;
 		}
 
 		@GetMapping("/advice/{username}")
@@ -258,29 +261,48 @@ ResponseEntity<ChangePasswordAdvice> expirePassword(@PathVariable("username") St
 				return ResponseEntity.notFound().build();
 			}
 			ChangePasswordAdvice advice = new SimpleChangePasswordAdvice(ChangePasswordAdvice.Action.MUST_CHANGE,
-					ChangePasswordReason.EXPIRED);
+					ChangePasswordReasons.EXPIRED);
 			this.passwords.savePasswordAdvice(user, advice);
 			URI uri = URI.create("/admin/passwords/advice/" + username);
 			return ResponseEntity.created(uri).body(advice);
 		}
 
-		@PostMapping("/change")
-		ResponseEntity<?> changePassword(@AuthenticationPrincipal UserDetails user,
-				@RequestParam("password") String password) {
-			this.passwords.updatePassword(user, this.encoder.encode(password));
-			return ResponseEntity.ok().build();
-		}
-
 	}
 
 	@RestController
 	static class HomeController {
 
+		private final UserDetailsPasswordManager passwords;
+
+		private final ChangePasswordAdvisor changePasswordAdvisor =
+				new ChangeCompromisedPasswordAdvisor();
+
+		private final ChangePasswordAdviceRepository changePasswordAdviceRepository =
+				new HttpSessionChangePasswordAdviceRepository();
+
+		private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
+
+		HomeController(UserDetailsPasswordManager passwords) {
+			this.passwords = passwords;
+		}
+
 		@GetMapping
 		ChangePasswordAdvice index(ChangePasswordAdvice advice) {
 			return advice;
 		}
 
+		@PostMapping("/change-password")
+		ResponseEntity<?> changePassword(@AuthenticationPrincipal UserDetails user,
+				@RequestParam("password") String password, HttpServletRequest request, HttpServletResponse response) {
+			ChangePasswordAdvice advice = this.changePasswordAdvisor.advise(user, password);
+			if (advice.getAction() != ChangePasswordAdvice.Action.ABSTAIN) {
+				return ResponseEntity.badRequest().body(advice);
+			}
+			this.passwords.updatePassword(user, this.encoder.encode(password));
+			this.passwords.removePasswordAdvice(user);
+			this.changePasswordAdviceRepository.removePasswordAdvice(request, response);
+			return ResponseEntity.ok().build();
+		}
 	}
 
 }

core/src/main/java/org/springframework/security/authentication/password/ChangeLengthPasswordAdvisor.java

@@ -41,12 +41,12 @@ public ChangeLengthPasswordAdvisor(int minLength, int maxLength) {
 	@Override
 	public ChangePasswordAdvice advise(UserDetails user, String password) {
 		if (password.length() < this.minLength) {
-			return new SimpleChangePasswordAdvice(this.tooShortAction, ChangePasswordReason.TOO_SHORT);
+			return new SimpleChangePasswordAdvice(this.tooShortAction, ChangePasswordReasons.TOO_SHORT);
 		}
 		if (password.length() > this.maxLength) {
-			return new SimpleChangePasswordAdvice(this.tooLongAction, ChangePasswordReason.TOO_LONG);
+			return new SimpleChangePasswordAdvice(this.tooLongAction, ChangePasswordReasons.TOO_LONG);
 		}
-		return ChangePasswordAdvice.keep();
+		return ChangePasswordAdvice.abstain();
 	}
 
 	public void setTooShortAction(Action tooShortAction) {

core/src/main/java/org/springframework/security/authentication/password/ChangePasswordAdvice.java

@@ -22,15 +22,15 @@ public interface ChangePasswordAdvice {
 
 	Action getAction();
 
-	Collection<ChangePasswordReason> getReasons();
+	Collection<String> getReasons();
 
-	static ChangePasswordAdvice keep() {
-		return SimpleChangePasswordAdvice.KEEP;
+	static ChangePasswordAdvice abstain() {
+		return SimpleChangePasswordAdvice.ABSTAIN;
 	}
 
 	enum Action {
 
-		KEEP, SHOULD_CHANGE, MUST_CHANGE
+		ABSTAIN, SHOULD_CHANGE, MUST_CHANGE
 
 	}
 

core/src/main/java/org/springframework/security/authentication/password/ChangePasswordReasons.java

@@ -0,0 +1,18 @@
+package org.springframework.security.authentication.password;
+
+public interface ChangePasswordReasons {
+
+	String COMPROMISED = "compromised";
+
+	String EXPIRED = "expired";
+
+	String MISSING_CHARACTERS = "missing_characters";
+
+	String REPEATED = "repeated";
+
+	String TOO_LONG = "too_long";
+
+	String TOO_SHORT = "too_short";
+
+	String UNSUPPORTED_CHARACTERS = "unsupported_characters";
+}

core/src/main/java/org/springframework/security/authentication/password/ChangePasswordServiceAdvisor.java

@@ -28,7 +28,8 @@ public ChangePasswordServiceAdvisor(UserDetailsPasswordManager passwordManager)
 
 	@Override
 	public ChangePasswordAdvice advise(UserDetails user, String password) {
-		return this.passwordManager.loadPasswordAdvice(user);
+		ChangePasswordAdvice advice = this.passwordManager.loadPasswordAdvice(user);
+		return (advice != null) ? advice : ChangePasswordAdvice.abstain();
 	}
 
 }

core/src/main/java/org/springframework/security/authentication/password/DelegatingChangePasswordAdvisor.java

@@ -20,58 +20,46 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
-import java.util.Objects;
-import java.util.function.BiFunction;
-import java.util.stream.Stream;
 
 import org.springframework.security.core.userdetails.UserDetails;
 
-public final class DelegatingChangePasswordAdvisor
-		implements ChangePasswordAdvisor {
+public final class DelegatingChangePasswordAdvisor implements ChangePasswordAdvisor {
 
-	private final List<BiFunction<UserDetails, String, ChangePasswordAdvice>> advisors;
+	private final List<ChangePasswordAdvisor> advisors;
 
-	private DelegatingChangePasswordAdvisor(List<BiFunction<UserDetails, String, ChangePasswordAdvice>> advisors) {
+	private DelegatingChangePasswordAdvisor(List<ChangePasswordAdvisor> advisors) {
 		this.advisors = Collections.unmodifiableList(advisors);
 	}
 
 	public static ChangePasswordAdvisor of(ChangePasswordAdvisor... advisors) {
-		return new DelegatingChangePasswordAdvisor(Stream.of(advisors)
-			.map((advisor) -> (BiFunction<UserDetails, String, ChangePasswordAdvice>) advisor::advise)
-			.toList());
+		return new DelegatingChangePasswordAdvisor(List.of(advisors));
 	}
 
 	@Override
 	public ChangePasswordAdvice advise(UserDetails user, String password) {
 		Collection<ChangePasswordAdvice> advice = this.advisors.stream()
-			.map((advisor) -> advisor.apply(user, password))
-			.filter(Objects::nonNull)
+			.map((advisor) -> advisor.advise(user, password))
+			.filter((a) -> a.getAction() != ChangePasswordAdvice.Action.ABSTAIN)
 			.toList();
 		return new CompositeChangePasswordAdvice(advice);
 	}
 
 	private static final class CompositeChangePasswordAdvice implements ChangePasswordAdvice {
 
-		private final Collection<ChangePasswordAdvice> advice;
-
 		private final Action action;
 
-		private final Collection<ChangePasswordReason> reasons;
+		private final Collection<String> reasons;
 
 		private CompositeChangePasswordAdvice(Collection<ChangePasswordAdvice> advice) {
-			this.advice = advice;
-			Action action = Action.KEEP;
-			Collection<ChangePasswordReason> reasons = new ArrayList<>();
+			Action mostUrgentAction = Action.ABSTAIN;
+			Collection<String> reasons = new ArrayList<>();
 			for (ChangePasswordAdvice a : advice) {
-				if (a.getAction() == Action.KEEP) {
-					continue;
-				}
-				if (action.ordinal() < a.getAction().ordinal()) {
-					action = a.getAction();
+				if (mostUrgentAction.ordinal() < a.getAction().ordinal()) {
+					mostUrgentAction = a.getAction();
 				}
 				reasons.addAll(a.getReasons());
 			}
-			this.action = action;
+			this.action = mostUrgentAction;
 			this.reasons = reasons;
 		}
 
@@ -81,7 +69,7 @@ public Action getAction() {
 		}
 
 		@Override
-		public Collection<ChangePasswordReason> getReasons() {
+		public Collection<String> getReasons() {
 			return this.reasons;
 		}