Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 13:23:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Defer SecureRandom Construction Until Usage

Browse Source 
Issue gh-17824

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
This commit is contained in:
Josh Cummings
2026-04-07 16:09:27 -06:00
parent c21fc6c433
commit 229eb3ea46
1 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
+8 -3
View File
@@ -17,6 +17,7 @@
package org.springframework.security.crypto.bcrypt;
import java.security.SecureRandom;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -44,7 +45,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
private final BCryptVersion version;
private final SecureRandom random;
private final Supplier<SecureRandom> random;
public BCryptPasswordEncoder() {
this(-1);
@@ -99,7 +100,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
}
this.version = version;
this.strength = (strength == -1) ? 10 : strength;
this.random = (random != null) ? random : SecureRandomHolder.INSTANCE;
this.random = (random != null) ? () -> random : SecureRandomHolder::getInstance;
}
@Override
@@ -109,7 +110,7 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
}
private String getSalt() {
return BCrypt.gensalt(this.version.getVersion(), this.strength, this.random);
return BCrypt.gensalt(this.version.getVersion(), this.strength, this.random.get());
}
@Override
@@ -160,6 +161,10 @@ public class BCryptPasswordEncoder extends AbstractValidatingPasswordEncoder {
private static final SecureRandom INSTANCE = new SecureRandom();
private static SecureRandom getInstance() {
return INSTANCE;
}
}
}