
DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873

Closed
@psvo

Description


Describe the bug

Creating an instance of DaoAuthenticationProvider fails due to "PBKDF2WithHmacSHA256 SecretKeyFactory not available" when running on RHEL 8.7 with enforced FIPS mode.

The problem is that the DaoAuthenticationProvider creates a default delegating password encoder and one of the delegates fails to instantiate due to limited JCE provider availability when FIPS is enforced.

There's no workaround, because the DaoAuthenticationProvider has only the default constructor, which fails due to unconditionally calling org.springframework.security.crypto.factory.PasswordEncoderFactories#createDelegatingPasswordEncoder.

The error is:

org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.authentication.dao.DaoAuthenticationProvider]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: Invalid algorithm 'PBKDF2WithHmacSHA256'.
	... more
Caused by: java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA256 SecretKeyFactory not available
	at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122) ~[?:?]
	at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:168) ~[?:?]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.setAlgorithm(Pbkdf2PasswordEncoder.java:226) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.<init>(Pbkdf2PasswordEncoder.java:179) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8(Pbkdf2PasswordEncoder.java:207) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.factory.PasswordEncoderFactories.createDelegatingPasswordEncoder(PasswordEncoderFactories.java:81) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.authentication.dao.DaoAuthenticationProvider.<init>(DaoAuthenticationProvider.java:64) ~[spring-security-core-5.8.2.jar:5.8.2]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	... more

This is a regression in 5.8.2. It worked for us in Spring Security 5.7.4, because we were overwriting the default password encoder before it tried to retrieve the algorithm.

The issue was most probably introduced by PR #11904 (c50441b) as a fix for issue #10489.

To Reproduce

  1. Write an application using DaoAuthenticationProvider from Spring Security 5.8.2.
  2. Run the application on RHEL 8.7 with enforced FIPS mode for JDK 11.

Expected behavior

Be able to use DaoAuthenticationProvider on RHEL 8.7 with enforced FIPS mode for JDK 11.

Allow providing a custom PasswordEncoder when instantiating DaoAuthenticationProvider to bypass the instantiation of the default delegating password encoder (PasswordEncoderFactories#createDelegatingPasswordEncoder).
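The trace above shows the failure mode concretely: Pbkdf2PasswordEncoder calls SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256") in its constructor, the FIPS-restricted JCE provider set rejects it, and the IllegalArgumentException propagates out of the default delegating encoder and the DaoAuthenticationProvider constructor. The example below is an added illustration, not code from the report or from Spring Security, of a FIPS-tolerant encoder factory: it probes each delegate at build time and keeps only the ones that can be constructed, so a missing JCE algorithm degrades to a smaller encoder map instead of a failed bean. The delegate ids and factory methods used here are a subset of those in PasswordEncoderFactories for 5.8 (assumed from the class names in the trace), and the ProviderChecks helper name is hypothetical. On 5.8.2 the result can only be attached via setPasswordEncoder after a constructor that, as the report notes, already throws; it is meant to be handed to the PasswordEncoder-accepting constructor the report requests.

```java
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;
import javax.crypto.SecretKeyFactory;

import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

/**
 * Added example: builds a DelegatingPasswordEncoder that survives a JCE provider
 * set restricted by FIPS mode. Delegates are constructed one at a time and a
 * delegate whose construction throws (e.g. Pbkdf2PasswordEncoder when
 * PBKDF2WithHmacSHA256 is unavailable) is logged and skipped rather than failing
 * the whole encoder. This is illustrative code, not Spring Security's own factory.
 */
public final class FipsAwarePasswordEncoders {

    private FipsAwarePasswordEncoders() {
    }

    /** Hypothetical pre-flight check: true when a SecretKeyFactory for the algorithm exists. */
    public static boolean isSecretKeyFactoryAvailable(String algorithm) {
        try {
            SecretKeyFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException ex) {
            return false;
        }
    }

    /**
     * Reports which of the algorithms the 5.8 defaults rely on are missing, so an
     * operator can see the FIPS restriction at startup instead of in a stack trace.
     */
    public static List<String> missingAlgorithms() {
        List<String> missing = new java.util.ArrayList<>();
        for (String alg : List.of("PBKDF2WithHmacSHA256", "PBKDF2WithHmacSHA1")) {
            if (!isSecretKeyFactoryAvailable(alg)) {
                missing.add(alg);
            }
        }
        return missing;
    }

    /**
     * FIPS-tolerant counterpart of PasswordEncoderFactories.createDelegatingPasswordEncoder().
     * Only the delegates listed here are attempted (a subset of the real defaults);
     * "bcrypt" stays the id used for newly encoded passwords.
     */
    public static PasswordEncoder createDelegatingPasswordEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        addIfConstructible(encoders, "bcrypt", BCryptPasswordEncoder::new);
        addIfConstructible(encoders, "pbkdf2@SpringSecurity_v5_8",
                Pbkdf2PasswordEncoder::defaultsForSpringSecurity_v5_8);
        addIfConstructible(encoders, "scrypt@SpringSecurity_v5_8",
                SCryptPasswordEncoder::defaultsForSpringSecurity_v5_8);
        addIfConstructible(encoders, "argon2@SpringSecurity_v5_8",
                Argon2PasswordEncoder::defaultsForSpringSecurity_v5_8);

        if (!encoders.containsKey("bcrypt")) {
            // Without the default id there is nothing to encode new passwords with; fail loudly.
            throw new IllegalStateException("bcrypt encoder could not be constructed");
        }
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    private static void addIfConstructible(Map<String, PasswordEncoder> target, String id,
            Supplier<? extends PasswordEncoder> factory) {
        try {
            target.put(id, factory.get());
        } catch (IllegalArgumentException | IllegalStateException ex) {
            // Pbkdf2PasswordEncoder.setAlgorithm wraps NoSuchAlgorithmException in
            // IllegalArgumentException("Invalid algorithm '...'"), as the reported trace shows.
            System.err.println("Skipping password encoder '" + id + "': " + ex.getMessage());
        }
    }
}
```

Stored hashes prefixed with a skipped id (for example {pbkdf2@SpringSecurity_v5_8}) will no longer match on such a host, so the startup check in missingAlgorithms() is worth surfacing in logs: it tells you in advance which existing credentials cannot be verified under the FIPS provider set rather than letting them fail silently as bad passwords.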

Metadata

Labels: in: crypto (An issue in spring-security-crypto), type: bug (A general bug)