DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873

psvo · 2023-03-16T13:45:01Z

Describe the bug

Creating instance of DaoAuthenticationProvider fails due to "PBKDF2WithHmacSHA256 SecretKeyFactory not available" when running on RHEL 8.7 with enforced FIPS mode.

The problem is that the DaoAuthenticationProvider creates a default delegating password encoder and one of the delegates fails to instantiate due to limited JCE provider availability when FIPS is enforced.

There's no workaround, because the DaoAuthenticationProvider has only the default constructor which fails due to unconditionally calling org.springframework.security.crypto.factory.PasswordEncoderFactories#createDelegatingPasswordEncoder.

The error is:

org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.authentication.dao.DaoAuthenticationProvider]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: Invalid algorithm 'PBKDF2WithHmacSHA256'.
	... more
Caused by: java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA256 SecretKeyFactory not available
	at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122) ~[?:?]
	at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:168) ~[?:?]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.setAlgorithm(Pbkdf2PasswordEncoder.java:226) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.<init>(Pbkdf2PasswordEncoder.java:179) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8(Pbkdf2PasswordEncoder.java:207) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.crypto.factory.PasswordEncoderFactories.createDelegatingPasswordEncoder(PasswordEncoderFactories.java:81) ~[spring-security-crypto-5.8.2.jar:5.8.2]
	at org.springframework.security.authentication.dao.DaoAuthenticationProvider.<init>(DaoAuthenticationProvider.java:64) ~[spring-security-core-5.8.2.jar:5.8.2]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	... more

This is a regression in 5.8.2. It worked for us in Spring Security 5.7.4, because we were overwriting the default password encoder before it tried to retrieve the algorithm.

The issue was most probably introduced by PR #11904 (c50441b) as a fix for issue #10489.

To Reproduce

Write an application using DaoAuthenticationProvider from Spring Security 5.8.2.
Run the application on RHEL 8.7 with enforced FIPS mode for JDK 11.

Expected behavior

Be able to use DaoAuthenticationProvider on RHEL 8.7 with enforced FIPS mode for JDK 11.

Allow providing a custom PasswordEncoder when instantiating DaoAuthenticationProvider to bypass the instantiation of the default delegating password encoder (PasswordEncoderFactories#createDelegatingPasswordEncoder).

The text was updated successfully, but these errors were encountered:

Add a new constructor to the DaoAuthenticationProvider, which allows providing a custom PasswordEncoder to prevent instantiation of the default delegating PasswordEncoder in the default constructor. This provides a way to instantiate the DaoAuthenticationProvider on JDKs where the default delegating PasswordEncoder cannot be instantiated due to limited JCE providers for compliance reasons (e.g., FIPS). Closes spring-projectsgh-12873

Closes spring-projectsgh-12873

Issue gh-12873

marcusdacoregio · 2023-04-04T13:24:50Z

Thanks, @psvo, this is now fixed in 5.8.x via d5603a9. That commit adds a guard around the new algorithm added and prevents an application from breaking.

Please if you can test the SNAPSHOT it would be great to have feedback if it is working fine before the GA.

The new constructor was added to 6.0.x via #12874

psvo · 2023-04-12T12:49:28Z

Please if you can test the SNAPSHOT it would be great to have feedback if it is working fine before the GA.

@marcusdacoregio, I can confirm the fix merged to 5.8.3-SNAPSHOT works for me. Thank you!

psvo added status: waiting-for-triage type: bug labels Mar 16, 2023

psvo mentioned this issue Mar 16, 2023

Add new DaoAuthenticationProvider constructor #12874

Closed

marcusdacoregio assigned rwinch Mar 22, 2023

marcusdacoregio assigned marcusdacoregio and unassigned rwinch Mar 30, 2023

marcusdacoregio added this to Spring Security Team Mar 30, 2023

marcusdacoregio added in: core and removed status: waiting-for-triage labels Mar 31, 2023

marcusdacoregio moved this to Done in Spring Security Team Apr 3, 2023

marcusdacoregio moved this from Done to In Progress in Spring Security Team Apr 3, 2023

marcusdacoregio added a commit that referenced this issue Apr 4, 2023

Avoid exception if PBKDF2WithHmacSHA256 is not available

d5603a9

Issue gh-12873

marcusdacoregio added this to the 5.8.3 milestone Apr 4, 2023

marcusdacoregio added in: crypto and removed in: core labels Apr 4, 2023

marcusdacoregio closed this as completed Apr 4, 2023

github-project-automation bot moved this from In Progress to Done in Spring Security Team Apr 4, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873

DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873

psvo commented Mar 16, 2023

marcusdacoregio commented Apr 4, 2023

psvo commented Apr 12, 2023

DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873

DaoAuthenticationProvider is not usable on RHEL 8.7 with enforced FIPS mode #12873

Comments

psvo commented Mar 16, 2023

marcusdacoregio commented Apr 4, 2023

psvo commented Apr 12, 2023