From 229eb3ea46523b51031e0bb83815c18e98a909a9 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Tue, 7 Apr 2026 16:09:27 -0600
Subject: [PATCH] Defer SecureRandom Construction Until Usage
Issue gh-17824
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .../security/crypto/bcrypt/BCryptPasswordEncoder.java | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
index 10e8322be8..95199a1fbc 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
@@ -17,6 +17,7 @@ package org.springframework.security.crypto.bcrypt;
 import java.security.SecureRandom;
+import java.util.function.Supplier;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -44,7 +45,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 private final BCryptVersion version;
- private final SecureRandom random;
+ private final Supplier random;
 public BCryptPasswordEncoder() {
 this(-1);
@@ -99,7 +100,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 }
 this.version = version;
 this.strength = (strength == -1) ? 10 : strength;
- this.random = (random != null) ? random : SecureRandomHolder.INSTANCE;
+ this.random = (random != null) ? () -> random : SecureRandomHolder::getInstance;
 }
 @Override
@@ -109,7 +110,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 }
 private String getSalt() {
- return BCrypt.gensalt(this.version.getVersion(), this.strength, this.random);
+ return BCrypt.gensalt(this.version.getVersion(), this.strength, this.random.get());
 }
 @Override
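Review bot: The new assignment `this.random = (random != null) ? () -> random : SecureRandomHolder::getInstance;` carries the whole point of the commit but nothing at the call site says why a method reference is used instead of reading `SecureRandomHolder.INSTANCE` as before; a reader will be tempted to "simplify" it back. The difference is that a method reference does not trigger class initialisation of `SecureRandomHolder` (and so does not run `new SecureRandom()`) until `get()` is first invoked from `getSalt()`, whereas the removed field read initialised it in the constructor. I would add above the line: `// Method reference, not a field read: SecureRandomHolder (and its SecureRandom) is only initialised on the first get() from getSalt()`. Worth also stating in the class Javadoc (outside this hunk) that the seeding cost of the default `SecureRandom` now lands on the first `encode()` rather than on construction, since on a JVM whose `securerandom.source` blocks on entropy that stall would move from startup into the first caller's thread. The constructor this line belongs to starts outside the hunk.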
@@ -160,6 +161,10 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
 private static final SecureRandom INSTANCE = new SecureRandom();
+ private static SecureRandom getInstance() {
+ return INSTANCE;
+ }
+ } }
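Review bot: The added `getInstance()` accessor has no comment, and since it sits next to an already-accessible `INSTANCE` field it looks redundant; its reason for existing is that it gives the constructor a method reference to bind, so that `SecureRandomHolder` is only initialised — and the `SecureRandom` only constructed — when the accessor is first called. I would put a Javadoc on the method along the lines of "Returns the lazily initialised shared SecureRandom; bound as a method reference by the constructor so that class initialisation, and thus SecureRandom construction, is deferred to the first salt generation", and keep the field private so that no other code path can reintroduce an eager field read. The `SecureRandomHolder` class declaration itself, and whatever comment it currently carries, lie above the hunk and are not visible here.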