Updates

- Update Checkstyle
- Simplify Naming
- Add password action to User and UserDetails

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java

@@ -37,9 +37,9 @@
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.password.ChangePasswordAdviceMethodArgumentResolver;
-import org.springframework.security.web.authentication.password.ChangePasswordAdviceRepository;
-import org.springframework.security.web.authentication.password.HttpSessionChangePasswordAdviceRepository;
+import org.springframework.security.web.authentication.password.HttpSessionPasswordAdviceRepository;
+import org.springframework.security.web.authentication.password.PasswordAdviceMethodArgumentResolver;
+import org.springframework.security.web.authentication.password.PasswordAdviceRepository;
 import org.springframework.security.web.debug.DebugFilter;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
@@ -75,7 +75,7 @@ class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContex
 
 	private AnnotationTemplateExpressionDefaults templateDefaults;
 
-	private ChangePasswordAdviceRepository changePasswordAdviceRepository = new HttpSessionChangePasswordAdviceRepository();
+	private PasswordAdviceRepository passwordAdviceRepository = new HttpSessionPasswordAdviceRepository();
 
 	@Override
 	@SuppressWarnings("deprecation")
@@ -93,8 +93,8 @@ public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentRes
 		currentSecurityContextArgumentResolver.setTemplateDefaults(this.templateDefaults);
 		argumentResolvers.add(currentSecurityContextArgumentResolver);
 		argumentResolvers.add(new CsrfTokenArgumentResolver());
-		ChangePasswordAdviceMethodArgumentResolver resolver = new ChangePasswordAdviceMethodArgumentResolver();
-		resolver.setChangePasswordAdviceRepository(this.changePasswordAdviceRepository);
+		PasswordAdviceMethodArgumentResolver resolver = new PasswordAdviceMethodArgumentResolver();
+		resolver.setPasswordAdviceRepository(this.passwordAdviceRepository);
 		argumentResolvers.add(resolver);
 	}
 
@@ -112,8 +112,8 @@ public void setApplicationContext(ApplicationContext applicationContext) throws
 		if (applicationContext.getBeanNamesForType(AnnotationTemplateExpressionDefaults.class).length == 1) {
 			this.templateDefaults = applicationContext.getBean(AnnotationTemplateExpressionDefaults.class);
 		}
-		if (applicationContext.getBeanNamesForType(ChangePasswordAdviceRepository.class).length == 1) {
-			this.changePasswordAdviceRepository = applicationContext.getBean(ChangePasswordAdviceRepository.class);
+		if (applicationContext.getBeanNamesForType(PasswordAdviceRepository.class).length == 1) {
+			this.passwordAdviceRepository = applicationContext.getBean(PasswordAdviceRepository.class);
 		}
 	}
 
@@ -220,7 +220,7 @@ private static Filter createDoFilterDelegate(List<? extends Filter> filters) {
 
 		/**
 		 * Find the FilterChainProxy in a List of Filter
-		 * @param filters
+		 * @param filterssetChangePass
 		 * @return non-null FilterChainProxy
 		 * @throws IllegalStateException if the FilterChainProxy cannot be found
 		 */

config/src/main/java/org/springframework/security/config/annotation/web/configurers/PasswordManagementConfigurer.java

@@ -18,18 +18,15 @@
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
-import org.springframework.security.authentication.password.ChangePasswordAdvisor;
-import org.springframework.security.authentication.password.CompositeChangePasswordAdvisor;
-import org.springframework.security.authentication.password.UserDetailsChangePasswordAdvisor;
-import org.springframework.security.authentication.password.UserDetailsPasswordManager;
+import org.springframework.security.authentication.password.PasswordAdvisor;
+import org.springframework.security.authentication.password.UserDetailsPasswordAdvisor;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.web.RequestMatcherRedirectFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import org.springframework.security.web.authentication.password.ChangeCompromisedPasswordAdvisor;
-import org.springframework.security.web.authentication.password.ChangePasswordAdviceRepository;
-import org.springframework.security.web.authentication.password.ChangePasswordAdviceSessionAuthenticationStrategy;
-import org.springframework.security.web.authentication.password.ChangePasswordAdvisingFilter;
-import org.springframework.security.web.authentication.password.HttpSessionChangePasswordAdviceRepository;
+import org.springframework.security.web.authentication.password.HttpSessionPasswordAdviceRepository;
+import org.springframework.security.web.authentication.password.PasswordAdviceRepository;
+import org.springframework.security.web.authentication.password.PasswordAdviceSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.password.PasswordAdvisingFilter;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.util.Assert;
@@ -53,11 +50,9 @@ public final class PasswordManagementConfigurer<B extends HttpSecurityBuilder<B>
 
 	private String changePasswordPage = DEFAULT_CHANGE_PASSWORD_PAGE;
 
-	private ChangePasswordAdviceRepository changePasswordAdviceRepository;
+	private PasswordAdviceRepository passwordAdviceRepository;
 
-	private ChangePasswordAdvisor changePasswordAdvisor;
-
-	private UserDetailsPasswordManager userDetailsPasswordManager;
+	private PasswordAdvisor passwordAdvisor;
 
 	/**
 	 * Sets the change password page. Defaults to
@@ -72,55 +67,36 @@ public PasswordManagementConfigurer<B> changePasswordPage(String changePasswordP
 		return this;
 	}
 
-	public PasswordManagementConfigurer<B> changePasswordAdviceRepository(
-			ChangePasswordAdviceRepository changePasswordAdviceRepository) {
-		this.changePasswordAdviceRepository = changePasswordAdviceRepository;
+	public PasswordManagementConfigurer<B> passwordAdviceRepository(PasswordAdviceRepository passwordAdviceRepository) {
+		this.passwordAdviceRepository = passwordAdviceRepository;
 		return this;
 	}
 
-	public PasswordManagementConfigurer<B> changePasswordAdvisor(ChangePasswordAdvisor changePasswordAdvisor) {
-		this.changePasswordAdvisor = changePasswordAdvisor;
-		return this;
-	}
-
-	public PasswordManagementConfigurer<B> userDetailsPasswordManager(
-			UserDetailsPasswordManager userDetailsPasswordManager) {
-		this.userDetailsPasswordManager = userDetailsPasswordManager;
+	public PasswordManagementConfigurer<B> passwordAdvisor(PasswordAdvisor passwordAdvisor) {
+		this.passwordAdvisor = passwordAdvisor;
 		return this;
 	}
 
 	@Override
 	public void init(B http) throws Exception {
-		UserDetailsPasswordManager passwordManager = (this.userDetailsPasswordManager == null)
-				? this.context.getBeanProvider(UserDetailsPasswordManager.class).getIfUnique()
-				: this.userDetailsPasswordManager;
+		PasswordAdviceRepository passwordAdviceRepository = (this.passwordAdviceRepository != null)
+				? this.passwordAdviceRepository : this.context.getBeanProvider(PasswordAdviceRepository.class)
+					.getIfUnique(HttpSessionPasswordAdviceRepository::new);
 
-		if (passwordManager == null) {
-			return;
-		}
+		PasswordAdvisor passwordAdvisor = (this.passwordAdvisor != null) ? this.passwordAdvisor
+				: this.context.getBeanProvider(PasswordAdvisor.class).getIfUnique(UserDetailsPasswordAdvisor::new);
 
-		ChangePasswordAdviceRepository changePasswordAdviceRepository = (this.changePasswordAdviceRepository != null)
-				? this.changePasswordAdviceRepository
-				: this.context.getBeanProvider(ChangePasswordAdviceRepository.class)
-					.getIfUnique(HttpSessionChangePasswordAdviceRepository::new);
-
-		ChangePasswordAdvisor changePasswordAdvisor = (this.changePasswordAdvisor != null) ? this.changePasswordAdvisor
-				: this.context.getBeanProvider(ChangePasswordAdvisor.class)
-					.getIfUnique(() -> CompositeChangePasswordAdvisor.of(new UserDetailsChangePasswordAdvisor(),
-							new ChangeCompromisedPasswordAdvisor()));
-
-		http.setSharedObject(ChangePasswordAdviceRepository.class, changePasswordAdviceRepository);
-		http.setSharedObject(UserDetailsPasswordManager.class, passwordManager);
+		http.setSharedObject(PasswordAdviceRepository.class, passwordAdviceRepository);
 
 		String passwordParameter = "password";
 		FormLoginConfigurer<B> form = http.getConfigurer(FormLoginConfigurer.class);
 		if (form != null) {
 			passwordParameter = form.getPasswordParameter();
 		}
-		ChangePasswordAdviceSessionAuthenticationStrategy sessionAuthenticationStrategy = new ChangePasswordAdviceSessionAuthenticationStrategy(
+		PasswordAdviceSessionAuthenticationStrategy sessionAuthenticationStrategy = new PasswordAdviceSessionAuthenticationStrategy(
 				passwordParameter);
-		sessionAuthenticationStrategy.setChangePasswordAdviceRepository(changePasswordAdviceRepository);
-		sessionAuthenticationStrategy.setChangePasswordAdvisor(changePasswordAdvisor);
+		sessionAuthenticationStrategy.setPasswordAdviceRepository(passwordAdviceRepository);
+		sessionAuthenticationStrategy.setPasswordAdvisor(passwordAdvisor);
 		http.getConfigurer(SessionManagementConfigurer.class)
 			.addSessionAuthenticationStrategy(sessionAuthenticationStrategy);
 	}
@@ -134,12 +110,8 @@ public void configure(B http) throws Exception {
 				getRequestMatcherBuilder().matcher(WELL_KNOWN_CHANGE_PASSWORD_PATTERN), this.changePasswordPage);
 		http.addFilterBefore(postProcess(changePasswordFilter), UsernamePasswordAuthenticationFilter.class);
 
-		if (http.getSharedObject(UserDetailsPasswordManager.class) == null) {
-			return;
-		}
-
-		ChangePasswordAdvisingFilter advising = new ChangePasswordAdvisingFilter(this.changePasswordPage);
-		advising.setChangePasswordAdviceRepository(http.getSharedObject(ChangePasswordAdviceRepository.class));
+		PasswordAdvisingFilter advising = new PasswordAdvisingFilter(this.changePasswordPage);
+		advising.setPasswordAdviceRepository(http.getSharedObject(PasswordAdviceRepository.class));
 		advising.setRequestCache(http.getSharedObject(RequestCache.class));
 		http.addFilterBefore(advising, RequestCacheAwareFilter.class);
 	}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/PasswordManagementConfigurerTests.java

@@ -29,26 +29,27 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.ResponseEntity;
 import org.springframework.mock.web.MockHttpSession;
-import org.springframework.security.authentication.password.ChangePasswordAdvice;
-import org.springframework.security.authentication.password.ChangePasswordAdvisor;
 import org.springframework.security.authentication.password.PasswordAction;
-import org.springframework.security.authentication.password.UserDetailsPasswordManager;
+import org.springframework.security.authentication.password.PasswordAdvice;
+import org.springframework.security.authentication.password.UpdatePasswordAdvisor;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.provisioning.UserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.password.ChangeCompromisedPasswordAdvisor;
-import org.springframework.security.web.authentication.password.ChangePasswordAdviceRepository;
-import org.springframework.security.web.authentication.password.HttpSessionChangePasswordAdviceRepository;
+import org.springframework.security.web.authentication.password.CompromisedPasswordAdvisor;
+import org.springframework.security.web.authentication.password.HttpSessionPasswordAdviceRepository;
+import org.springframework.security.web.authentication.password.PasswordAdviceRepository;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -155,7 +156,7 @@ void whenAdminSetsExpiredAdviceThenUserLoginRedirectsToResetPassword() throws Ex
 	}
 
 	@Test
-	void whenCompromisedThenUserLoginAllowed() throws Exception {
+	void whenShouldChangeThenUserLoginAllowed() throws Exception {
 		this.spring.register(PasswordManagementConfig.class, AdminController.class, HomeController.class).autowire();
 		MvcResult result = this.mvc
 			.perform(post("/login").with(csrf()).param("username", "user").param("password", "password"))
@@ -165,7 +166,7 @@ void whenCompromisedThenUserLoginAllowed() throws Exception {
 		MockHttpSession session = (MockHttpSession) result.getRequest().getSession();
 		this.mvc.perform(get("/").session(session))
 			.andExpect(status().isOk())
-			.andExpect(content().string(containsString("compromised")));
+			.andExpect(content().string(containsString("SHOULD_CHANGE")));
 	}
 
 	@Configuration
@@ -206,27 +207,26 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 	static class PasswordManagementConfig {
 
 		@Bean
-		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		SecurityFilterChain securityFilterChain(HttpSecurity http, UserDetailsService users) throws Exception {
 			// @formatter:off
 			http
-					.authorizeHttpRequests((authz) -> authz
-						.requestMatchers("/admin/**").hasRole("ADMIN")
-						.anyRequest().authenticated()
-					)
-					.formLogin(Customizer.withDefaults())
-					.passwordManagement(Customizer.withDefaults());
+				.authorizeHttpRequests((authz) -> authz
+					.requestMatchers("/admin/**").hasRole("ADMIN")
+					.anyRequest().authenticated()
+				)
+				.formLogin(Customizer.withDefaults())
+				.passwordManagement(Customizer.withDefaults());
 			// @formatter:on
 			return http.build();
 		}
 
 		@Bean
-		UserDetailsService users() {
-			String adminPassword = UUID.randomUUID().toString();
-			UserDetails compromised = PasswordEncodedUser.user();
-			UserDetails admin = PasswordEncodedUser.withUserDetails(PasswordEncodedUser.admin())
-				.password(adminPassword)
+		InMemoryUserDetailsManager users() {
+			UserDetails shouldChange = User.withUserDetails(PasswordEncodedUser.user())
+				.passwordAction(PasswordAction.SHOULD_CHANGE)
 				.build();
-			return new InMemoryUserDetailsManager(compromised, admin);
+			UserDetails admin = PasswordEncodedUser.admin();
+			return new InMemoryUserDetailsManager(shouldChange, admin);
 		}
 
 	}
@@ -235,13 +235,10 @@ UserDetailsService users() {
 	@RestController
 	static class AdminController {
 
-		private final UserDetailsService users;
-
-		private final UserDetailsPasswordManager passwords;
+		private final UserDetailsManager users;
 
-		AdminController(UserDetailsService users, UserDetailsPasswordManager passwords) {
+		AdminController(InMemoryUserDetailsManager users) {
 			this.users = users;
-			this.passwords = passwords;
 		}
 
 		@GetMapping("/advice/{username}")
@@ -259,7 +256,8 @@ ResponseEntity<PasswordAction> expirePassword(@PathVariable("username") String u
 			if (user == null) {
 				return ResponseEntity.notFound().build();
 			}
-			this.passwords.savePasswordAction(user, PasswordAction.MUST_CHANGE);
+			UserDetails mustChange = User.withUserDetails(user).passwordAction(PasswordAction.MUST_CHANGE).build();
+			this.users.updateUser(mustChange);
 			URI uri = URI.create("/admin/passwords/advice/" + username);
 			return ResponseEntity.created(uri).body(PasswordAction.MUST_CHANGE);
 		}
@@ -269,32 +267,32 @@ ResponseEntity<PasswordAction> expirePassword(@PathVariable("username") String u
 	@RestController
 	static class HomeController {
 
-		private final UserDetailsPasswordManager passwords;
+		private final InMemoryUserDetailsManager passwords;
 
-		private final ChangePasswordAdvisor changePasswordAdvisor = new ChangeCompromisedPasswordAdvisor();
+		private final UpdatePasswordAdvisor passwordAdvisor = new CompromisedPasswordAdvisor();
 
-		private final ChangePasswordAdviceRepository changePasswordAdviceRepository = new HttpSessionChangePasswordAdviceRepository();
+		private final PasswordAdviceRepository passwordAdviceRepository = new HttpSessionPasswordAdviceRepository();
 
 		private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
 
-		HomeController(UserDetailsPasswordManager passwords) {
+		HomeController(InMemoryUserDetailsManager passwords) {
 			this.passwords = passwords;
 		}
 
 		@GetMapping
-		ChangePasswordAdvice index(ChangePasswordAdvice advice) {
+		PasswordAdvice index(PasswordAdvice advice) {
 			return advice;
 		}
 
 		@PostMapping("/change-password")
 		ResponseEntity<?> changePassword(@AuthenticationPrincipal UserDetails user,
 				@RequestParam("password") String password, HttpServletRequest request, HttpServletResponse response) {
-			ChangePasswordAdvice advice = this.changePasswordAdvisor.advise(user, password);
+			PasswordAdvice advice = this.passwordAdvisor.advise(user, null, password);
 			if (advice.getAction() != PasswordAction.ABSTAIN) {
 				return ResponseEntity.badRequest().body(advice);
 			}
-			this.passwords.updatePassword(user, this.encoder.encode(password));
-			this.changePasswordAdviceRepository.removePasswordAdvice(request, response);
+			this.passwords.changePassword(null, this.encoder.encode(password));
+			this.passwordAdviceRepository.removePasswordAdvice(request, response);
 			return ResponseEntity.ok().build();
 		}