
Remove Md5PasswordEncoder from core

Issue: gh-4674
Rob Winch 8 years ago
parent
commit
e98fc3556e

+ 0 - 3
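--- a/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java
+++ b/config/src/main/java/org/springframework/security/config/authentication/PasswordEncoderParser.java
@@ -29,7 +29,6 @@ import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.authentication.encoding.BaseDigestPasswordEncoder;
 import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;
 import org.springframework.security.authentication.encoding.Md4PasswordEncoder;
-import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
 import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
 import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.security.config.Elements;
@@ -54,7 +53,6 @@ public class PasswordEncoderParser {
 	static final String OPT_HASH_SHA = "sha";
 	static final String OPT_HASH_SHA256 = "sha-256";
 	static final String OPT_HASH_MD4 = "md4";
-	static final String OPT_HASH_MD5 = "md5";
 	static final String OPT_HASH_LDAP_SHA = "{sha}";
 	static final String OPT_HASH_LDAP_SSHA = "{ssha}";
 
@@ -67,7 +65,6 @@ public class PasswordEncoderParser {
 		ENCODER_CLASSES.put(OPT_HASH_SHA, ShaPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_SHA256, ShaPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_MD4, Md4PasswordEncoder.class);
-		ENCODER_CLASSES.put(OPT_HASH_MD5, Md5PasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_LDAP_SHA, LdapShaPasswordEncoder.class);
 		ENCODER_CLASSES.put(OPT_HASH_LDAP_SSHA, LdapShaPasswordEncoder.class);
 	}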
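Review bot: With `OPT_HASH_MD5` gone from `ENCODER_CLASSES` in the third hunk, an existing context file that still sets `hash="md5"` now depends on how the parser treats an unknown key, and that lookup lies outside these hunks. If schema validation does not reject the value first, a bare `ENCODER_CLASSES.get(...)` would return null and the failure would surface far from its cause, so the parser should fail closed with a message that names the rejected attribute value. A comment beside the remaining constants would also help anyone migrating stored MD5 hashes, for example `// "md5" removed: reference a MessageDigestPasswordEncoder("MD5") bean via <password-encoder ref=.../> instead`.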

+ 1 - 1
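--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
@@ -7,7 +7,7 @@ start = http | ldap-server | authentication-provider | ldap-authentication-provi
 
 hash =
 	## Defines the hashing algorithm used on user passwords. Bcrypt is recommended.
-	attribute hash {"bcrypt" | "plaintext" | "sha" | "sha-256" | "md5" | "md4" | "{sha}" | "{ssha}"}
+	attribute hash {"bcrypt" | "plaintext" | "sha" | "sha-256" | "md4" | "{sha}" | "{ssha}"}
 base64 =
 	## Whether a string should be base64 encoded
 	attribute base64 {xsd:boolean}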
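Review bot: The `hash` enumeration on the changed line still offers `"md4"`, `"sha"`, `"sha-256"` and `"plaintext"`, so dropping `"md5"` alone leaves equally fast or weaker options selectable from the namespace; the same list is repeated in the three enumerations of spring-security-5.0.xsd. If those values are staying for legacy data, the doc comment above the attribute should say so rather than only recommending Bcrypt, for example `## Defines the hashing algorithm used on user passwords. Bcrypt is recommended; the digest and plaintext values are for legacy credentials only.` Whether later commits under gh-4674 remove the remaining values is not visible on this page.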

+ 0 - 3
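--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
@@ -15,7 +15,6 @@
                <xs:enumeration value="plaintext"/>
                <xs:enumeration value="sha"/>
                <xs:enumeration value="sha-256"/>
-               <xs:enumeration value="md5"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>
@@ -150,7 +149,6 @@
                <xs:enumeration value="plaintext"/>
                <xs:enumeration value="sha"/>
                <xs:enumeration value="sha-256"/>
-               <xs:enumeration value="md5"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>
@@ -533,7 +531,6 @@
                <xs:enumeration value="plaintext"/>
                <xs:enumeration value="sha"/>
                <xs:enumeration value="sha-256"/>
-               <xs:enumeration value="md5"/>
                <xs:enumeration value="md4"/>
                <xs:enumeration value="{sha}"/>
                <xs:enumeration value="{ssha}"/>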

+ 24 - 36
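--- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java
@@ -24,6 +24,7 @@ import org.springframework.security.authentication.dao.ReflectionSaltSource;
 import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
+import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;
 import org.springframework.security.util.FieldUtils;
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
 import org.springframework.context.support.AbstractXmlApplicationContext;
@@ -103,11 +104,19 @@ public class AuthenticationProviderBeanDefinitionParserTests {
 
 	@Test
 	public void providerWithMd5PasswordEncoderWorks() throws Exception {
-		setContext(" <authentication-provider>"
-				+ "        <password-encoder hash='md5'/>"
+		appContext = new InMemoryXmlApplicationContext(
+				" <authentication-manager>"
+				+ " <authentication-provider>"
+				+ "        <password-encoder ref='passwordEncoder'/>"
 				+ "        <user-service>"
 				+ "            <user name='bob' password='12b141f35d58b8b3a46eea65e6ac179e' authorities='ROLE_A' />"
-				+ "        </user-service>" + "    </authentication-provider>");
+				+ "        </user-service>"
+				+ "    </authentication-provider>"
+				+ " </authentication-manager>"
+				+ " <b:bean id='passwordEncoder'  class='"
+				+ MessageDigestPasswordEncoder.class.getName() + "'>"
+				+ "     <b:constructor-arg value='MD5'/>"
+				+ " </b:bean>");
 
 		getProvider().authenticate(bob);
 	}
@@ -138,42 +147,21 @@ public class AuthenticationProviderBeanDefinitionParserTests {
 
 	@Test
 	public void passwordIsBase64EncodedWhenBase64IsEnabled() throws Exception {
-		setContext(" <authentication-provider>"
-				+ "        <password-encoder hash='md5' base64='true'/>"
+		appContext = new InMemoryXmlApplicationContext(
+				" <authentication-manager>"
+				+ " <authentication-provider>"
+				+ "        <password-encoder ref='passwordEncoder'/>"
 				+ "        <user-service>"
 				+ "            <user name='bob' password='ErFB811YuLOkbupl5qwXng==' authorities='ROLE_A' />"
-				+ "        </user-service>" + "    </authentication-provider>");
-
-		getProvider().authenticate(bob);
-	}
+				+ "        </user-service>"
+				+ "    </authentication-provider>"
+				+ " </authentication-manager>"
+				+ " <b:bean id='passwordEncoder'  class='"
+				+ MessageDigestPasswordEncoder.class.getName() + "'>"
+				+ "     <b:constructor-arg value='MD5'/>"
+				+ "     <b:property name='encodeHashAsBase64' value='true'/>"
+				+ " </b:bean>");
 
-	@Test
-	public void externalUserServicePasswordEncoderAndSaltSourceWork() throws Exception {
-		appContext = new InMemoryXmlApplicationContext(
-				"    <authentication-manager>"
-						+ "      <authentication-provider user-service-ref='customUserService'>"
-						+ "        <password-encoder ref='customPasswordEncoder'>"
-						+ "            <salt-source ref='saltSource'/>"
-						+ "        </password-encoder>"
-						+ "      </authentication-provider>"
-						+ "    </authentication-manager>"
-						+
-
-						"    <b:bean id='customPasswordEncoder' "
-						+ "class='org.springframework.security.authentication.encoding.Md5PasswordEncoder'/>"
-						+ "    <b:bean id='saltSource' "
-						+ "           class='"
-						+ ReflectionSaltSource.class.getName()
-						+ "'>"
-						+ "         <b:property name='userPropertyToUse' value='username'/>"
-						+ "    </b:bean>"
-						+ "    <b:bean id='customUserService' "
-						+ "           class='org.springframework.security.provisioning.InMemoryUserDetailsManager'>"
-						+ "        <b:constructor-arg>"
-						+ "            <b:props>"
-						+ "                <b:prop key='bob'>f117f0862384e9497ff4f470e3522606,ROLE_A</b:prop>"
-						+ "            </b:props>" + "        </b:constructor-arg>"
-						+ "    </b:bean>");
 		getProvider().authenticate(bob);
 	}
 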
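Review bot: `externalUserServicePasswordEncoderAndSaltSourceWork` is deleted in the third hunk rather than ported, so the visible part of this file no longer exercises a `password-encoder ref` combined with `<salt-source>` and a `user-service-ref`; the two rewritten tests only cover unsalted MD5 through `MessageDigestPasswordEncoder`. Unless another test in the suite covers the salted path, it would be worth keeping that test and pointing `customPasswordEncoder` at a legacy encoder that still exists, such as the `ShaPasswordEncoder` this file already imports, with the stored hash recomputed for it. `ReflectionSaltSource` shows up as an import in the first hunk header and may now be unused if no test outside these hunks references it.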

+ 0 - 42
core/src/main/java/org/springframework/security/authentication/encoding/Md5PasswordEncoder.java

@@ -1,42 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.authentication.encoding;
-
-/**
- * <p>
- * MD5 implementation of PasswordEncoder.
- * </p>
- * <p>
- * If a <code>null</code> password is presented, it will be treated as an empty
- * <code>String</code> ("") password.
- * </p>
- * <P>
- * As MD5 is a one-way hash, the salt can contain any characters.
- * </p>
- *
- * This is a convenience class that extends the {@link MessageDigestPasswordEncoder} and
- * passes MD5 as the algorithm to use.
- *
- * @author Ray Krueger
- * @author colin sampaleanu
- * @author Ben Alex
- */
-public class Md5PasswordEncoder extends MessageDigestPasswordEncoder {
-
-	public Md5PasswordEncoder() {
-		super("MD5");
-	}
-}

+ 0 - 80
core/src/test/java/org/springframework/security/authentication/encoding/Md5PasswordEncoderTests.java

@@ -1,80 +0,0 @@
-/*
- * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.authentication.encoding;
-
-import static org.assertj.core.api.Assertions.*;
-
-import org.junit.Test;
-
-/**
- * <p>
- * TestCase for Md5PasswordEncoder.
- * </p>
- *
- * @author colin sampaleanu
- * @author Ben Alex
- * @author Ray Krueger
- * @author Luke Taylor
- */
-public class Md5PasswordEncoderTests {
-	// ~ Methods
-	// ========================================================================================================
-
-	@Test
-	public void testBasicFunctionality() {
-		Md5PasswordEncoder pe = new Md5PasswordEncoder();
-		String raw = "abc123";
-		String badRaw = "abc321";
-		String salt = "THIS_IS_A_SALT";
-		String encoded = pe.encodePassword(raw, salt);
-		assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
-		assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
-		assertThat(encoded).isEqualTo("a68aafd90299d0b137de28fb4bb68573");
-		assertThat(pe.getAlgorithm()).isEqualTo("MD5");
-	}
-
-	@Test
-	public void nonAsciiPasswordHasCorrectHash() throws Exception {
-		Md5PasswordEncoder md5 = new Md5PasswordEncoder();
-		// $ echo -n "你好" | md5
-		// 7eca689f0d3389d9dea66ae112e5cfd7
-		String encodedPassword = md5.encodePassword("\u4F60\u597d", null);
-		assertThat(encodedPassword).isEqualTo("7eca689f0d3389d9dea66ae112e5cfd7");
-	}
-
-	@Test
-	public void testBase64() throws Exception {
-		Md5PasswordEncoder pe = new Md5PasswordEncoder();
-		pe.setEncodeHashAsBase64(true);
-		String raw = "abc123";
-		String badRaw = "abc321";
-		String salt = "THIS_IS_A_SALT";
-		String encoded = pe.encodePassword(raw, salt);
-		assertThat(pe.isPasswordValid(encoded, raw, salt)).isTrue();
-		assertThat(pe.isPasswordValid(encoded, badRaw, salt)).isFalse();
-		assertThat(encoded.length() != 32).isTrue();
-	}
-
-	@Test
-	public void stretchFactorIsProcessedCorrectly() throws Exception {
-		Md5PasswordEncoder pe = new Md5PasswordEncoder();
-		pe.setIterations(2);
-		// Calculate value using:
-		// echo -n password{salt} | openssl md5 -binary | openssl md5
-		assertThat(pe.encodePassword("password", "salt")).isEqualTo("eb753fb0c370582b4ee01b30f304b9fc");
-	}
-}