
Fix: client secret re-encoding#3962

Closed
jochenehret wants to merge 1 commit into cloudfoundry:develop from jochenehret:fix_bcrypt_regression

Conversation

@jochenehret jochenehret commented Jun 24, 2026


Spring Security 7's BCryptPasswordEncoder now extends AbstractValidatingPasswordEncoder, which returns false from matches() when rawPassword is empty. ClientAdminBootstrap calls nonCachingPasswordEncoder.matches("", storedHash) to check whether a client's secret has changed; for clients with an empty secret (e.g. the CF CLI cf client) this now always returns false, causing a new BCrypt hash to be written to the DB on every UAA startup.

Note: This PR has been AI-generated. It resolves the issue we currently have with the BOSH disaster-recovery-acceptance-tests ("failed to verify token with uaa"):
https://concourse.wg-ard.ci.cloudfoundry.org/teams/main/pipelines/cf-deployment/jobs/bbr-run-drats/builds/2453

I cannot judge however if the fix is conceptually correct. Please review carefully.

…nts on startup

Spring Security 7's BCryptPasswordEncoder now extends AbstractValidatingPasswordEncoder,
which returns false from matches() when rawPassword is empty. ClientAdminBootstrap calls
nonCachingPasswordEncoder.matches("", storedHash) to check whether a client's secret has
changed; for clients with an empty secret (e.g. the CF CLI `cf` client) this now always
returns false, causing a new BCrypt hash to be written to the DB on every UAA startup.
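To make the startup check described above concrete, here is an added illustration written for this page; it is not code from UAA, from this PR (whose diff is not shown here), or from Spring Security. It mirrors the pattern named in the description, `matches(configuredSecret, storedHash)` used as a "did the secret change?" test, and adds a small self-check a deployer could run to detect an encoder that rejects empty secrets before any hash is rewritten. The method names `secretChanged` and `encoderAcceptsEmptySecret` are hypothetical, and the block assumes `spring-security-crypto` is on the classpath.

```java
// Added illustration for this PR discussion; not UAA or Spring Security project code.
// Assumes spring-security-crypto on the classpath.
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class EmptySecretRecheck {

    // Hypothetical stand-in for the bootstrap's change detection: the configured
    // (raw) secret is compared against the hash already stored for the client.
    // A "true" result is what triggers a re-encode and a DB write on startup.
    static boolean secretChanged(PasswordEncoder encoder, String configuredSecret, String storedHash) {
        return !encoder.matches(configuredSecret, storedHash);
    }

    // Hypothetical startup self-check: encode the empty string and verify that the
    // same encoder accepts it again. An encoder that returns false from matches()
    // for an empty raw password (the behaviour the PR describes for Spring Security 7)
    // fails this round trip, which is the condition that makes secretChanged()
    // report a change on every startup for empty-secret clients.
    static boolean encoderAcceptsEmptySecret(PasswordEncoder encoder) {
        String hashOfEmpty = encoder.encode("");
        return encoder.matches("", hashOfEmpty);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        if (!encoderAcceptsEmptySecret(encoder)) {
            System.out.println("WARNING: encoder rejects empty secrets; "
                    + "empty-secret clients would be re-encoded on every startup");
        }

        // Constructed sample: a hash that a previous startup would have stored for a
        // client whose secret is non-empty. Unchanged secret, so no rewrite expected.
        String storedNonEmpty = encoder.encode("s3cret-example");
        System.out.println("non-empty secret changed? "
                + secretChanged(encoder, "s3cret-example", storedNonEmpty));

        // Constructed sample: the stored hash for a client with an empty secret
        // (the situation the PR describes for the CF CLI "cf" client).
        String storedEmpty = encoder.encode("");
        boolean changed = secretChanged(encoder, "", storedEmpty);
        System.out.println("empty secret changed? " + changed);

        if (changed) {
            // This is the spurious write from the description: a fresh BCrypt hash with a
            // new random salt replaces the stored one although the configured secret is
            // unchanged. Shown here only to make the consequence visible.
            String rewritten = encoder.encode("");
            System.out.println("would rewrite stored hash: " + rewritten);
        }
    }
}
```

On an encoder whose `matches("", hash)` behaves as the description states, `encoderAcceptsEmptySecret` returns false and `secretChanged(encoder, "", storedEmpty)` returns true, which is the per-startup re-encode the PR is about; on an encoder that still verifies empty inputs, both calls give the opposite result and nothing is rewritten. Because BCrypt salts each hash randomly, the rewritten hash differs every time, so repeated changes to the stored hash for a client whose configured secret never changed are the observable symptom to look for in the database.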
@jochenehret jochenehret changed the title from "Fix: prevent spurious client secret re-encoding for empty-secret clie…" to "Fix: client secret re-encoding" Jun 24, 2026
@strehle strehle requested a review from Copilot June 24, 2026 16:12

Copilot AI left a comment

Contributor


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@duanemay

Member

I am also out of Copilot quota

@strehle strehle requested a review from a team June 25, 2026 09:09
@strehle strehle marked this pull request as ready for review June 25, 2026 09:09

strehle commented Jun 25, 2026

Member

FYI.
#3965

@duanemay

Member

We are going with #3965
