Describe the bug
Creating an instance of DaoAuthenticationProvider fails due to "PBKDF2WithHmacSHA256 SecretKeyFactory not available" when running on RHEL 8.7 with enforced FIPS mode.
The problem is that the DaoAuthenticationProvider creates a default delegating password encoder and one of the delegates fails to instantiate due to limited JCE provider availability when FIPS is enforced.
There's no workaround, because the DaoAuthenticationProvider has only the default constructor which fails due to unconditionally calling org.springframework.security.crypto.factory.PasswordEncoderFactories#createDelegatingPasswordEncoder.
The error is:
org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.authentication.dao.DaoAuthenticationProvider]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: Invalid algorithm 'PBKDF2WithHmacSHA256'.
... more
Caused by: java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA256 SecretKeyFactory not available
at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122) ~[?:?]
at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:168) ~[?:?]
at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.setAlgorithm(Pbkdf2PasswordEncoder.java:226) ~[spring-security-crypto-5.8.2.jar:5.8.2]
at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.<init>(Pbkdf2PasswordEncoder.java:179) ~[spring-security-crypto-5.8.2.jar:5.8.2]
at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8(Pbkdf2PasswordEncoder.java:207) ~[spring-security-crypto-5.8.2.jar:5.8.2]
at org.springframework.security.crypto.factory.PasswordEncoderFactories.createDelegatingPasswordEncoder(PasswordEncoderFactories.java:81) ~[spring-security-crypto-5.8.2.jar:5.8.2]
at org.springframework.security.authentication.dao.DaoAuthenticationProvider.<init>(DaoAuthenticationProvider.java:64) ~[spring-security-core-5.8.2.jar:5.8.2]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
... more
This is a regression in 5.8.2. It worked for us in Spring Security 5.7.4, because we were overwriting the default password encoder before it tried to retrieve the algorithm.
The issue was most probably introduced by PR #11904 (c50441b) as a fix for issue #10489.
To Reproduce
Write an application using DaoAuthenticationProvider from Spring Security 5.8.2.
Run the application on RHEL 8.7 with enforced FIPS mode for JDK 11.
Expected behavior
Be able to use DaoAuthenticationProvider on RHEL 8.7 with enforced FIPS mode for JDK 11.
Allow providing a custom PasswordEncoder when instantiating DaoAuthenticationProvider to bypass the instantiation of the default delegating password encoder (PasswordEncoderFactories#createDelegatingPasswordEncoder).
Add a new constructor to the DaoAuthenticationProvider, which allows
providing a custom PasswordEncoder to prevent instantiation of the
default delegating PasswordEncoder in the default constructor.
This provides a way to instantiate the DaoAuthenticationProvider on JDKs
where the default delegating PasswordEncoder cannot be instantiated due
to limited JCE providers for compliance reasons (e.g., FIPS).
Closes gh-12873
Thanks, @psvo, this is now fixed in 5.8.x via d5603a9. That commit adds a guard around the new algorithm added and prevents an application from breaking.
If you can test the SNAPSHOT, it would be great to have feedback on whether it is working fine before the GA.
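The guard the maintainer describes, and the custom-encoder path the commit message describes, written out as an added example (not code from the Spring Security project or from the issue author). It assumes Spring Security 5.8.x, a release that has the DaoAuthenticationProvider(PasswordEncoder) constructor from the commit above, and uses the delegate id "pbkdf2@SpringSecurity_v5_8" as a constructed value mirroring the factory's naming.

```java
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.crypto.SecretKeyFactory;

import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;

/**
 * Builds a DelegatingPasswordEncoder that registers only delegates whose JCE
 * algorithms the running provider set (e.g. a FIPS-enforced JDK) can supply,
 * so DaoAuthenticationProvider never runs the failing default factory.
 */
public final class FipsAwarePasswordEncoders {

    /** The guard: true only if the installed providers offer this SecretKeyFactory. */
    static boolean secretKeyFactoryAvailable(String algorithm) {
        try {
            SecretKeyFactory.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException ex) {
            return false; // this is what the FIPS JDK throws for PBKDF2WithHmacSHA256
        }
    }

    public static PasswordEncoder createDelegatingPasswordEncoder() {
        Map<String, PasswordEncoder> encoders = new LinkedHashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder()); // pure-Java, no JCE lookup
        // The delegate that fails in the stack trace above; add it only when the algorithm exists.
        if (secretKeyFactoryAvailable("PBKDF2WithHmacSHA256")) {
            encoders.put("pbkdf2@SpringSecurity_v5_8", // constructed id, mirrors the factory's naming
                    Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8());
        }
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    public static DaoAuthenticationProvider authenticationProvider(UserDetailsService users) {
        // Constructor taking a PasswordEncoder, as described in the commit message above
        // (assumed available in the release in use); the no-arg constructor would fail first.
        DaoAuthenticationProvider provider =
                new DaoAuthenticationProvider(createDelegatingPasswordEncoder());
        provider.setUserDetailsService(users);
        return provider;
    }
}
```

On a FIPS-enforced JDK the resulting encoder can still match existing "{bcrypt}" hashes, while any stored "{pbkdf2@SpringSecurity_v5_8}" hash will be rejected with an unmapped-id error rather than crashing at startup.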