Add new DaoAuthenticationProvider constructor

Add a new constructor to the DaoAuthenticationProvider, which allows
providing a custom PasswordEncoder to prevent instantiation of the
default delegating PasswordEncoder in the default constructor.

This provides a way to instantiate the DaoAuthenticationProvider on JDKs
where the default delegating PasswordEncoder cannot be instantiated due
to limited JCE providers for compliance reasons (e.g., FIPS).

Closes gh-12874

Author: psvo

core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java

@@ -61,7 +61,16 @@ public class DaoAuthenticationProvider extends AbstractUserDetailsAuthentication
 	private UserDetailsPasswordService userDetailsPasswordService;
 
 	public DaoAuthenticationProvider() {
-		setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
+		this(PasswordEncoderFactories.createDelegatingPasswordEncoder());
+	}
+
+	/**
+	 * Creates a new instance using the provided {@link PasswordEncoder}
+	 * @param passwordEncoder the {@link PasswordEncoder} to use. Cannot be null.
+	 * @since 6.0.3
+	 */
+	public DaoAuthenticationProvider(PasswordEncoder passwordEncoder) {
+		setPasswordEncoder(passwordEncoder);
 	}
 
 	@Override

core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java

@@ -441,6 +441,13 @@ public void testUserNotFoundDefaultEncoder() {
 		assertThatExceptionOfType(UsernameNotFoundException.class).isThrownBy(() -> provider.authenticate(token));
 	}
 
+	@Test
+	public void constructWhenPasswordEncoderProvidedThenSets() {
+		DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider(
+				NoOpPasswordEncoder.getInstance());
+		assertThat(daoAuthenticationProvider.getPasswordEncoder()).isSameAs(NoOpPasswordEncoder.getInstance());
+	}
+
 	/**
 	 * This is an explicit test for SEC-2056. It is intentionally ignored since this test
 	 * is not deterministic and {@link #testUserNotFoundEncodesPassword()} ensures that