Fix to allow multiple PasswordEncoder beans

Closes gh-18645

Author: jgrandja

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ConfigurerUtils.java

@@ -16,12 +16,9 @@
 
 package org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization;
 
-import java.util.Map;
-
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
 
-import org.springframework.beans.factory.BeanFactoryUtils;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.beans.factory.NoUniqueBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
@@ -45,7 +42,6 @@
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
 import org.springframework.util.Assert;
-import org.springframework.util.StringUtils;
 
 /**
  * Utility methods for the OAuth 2.0 Configurers.
@@ -224,24 +220,12 @@ static <T> T getBean(HttpSecurity httpSecurity, ResolvableType type) {
 	}
 
 	static <T> T getOptionalBean(HttpSecurity httpSecurity, Class<T> type) {
-		Map<String, T> beansMap = BeanFactoryUtils
-			.beansOfTypeIncludingAncestors(httpSecurity.getSharedObject(ApplicationContext.class), type);
-		if (beansMap.size() > 1) {
-			throw new NoUniqueBeanDefinitionException(type, beansMap.size(),
-					"Expected single matching bean of type '" + type.getName() + "' but found " + beansMap.size() + ": "
-							+ StringUtils.collectionToCommaDelimitedString(beansMap.keySet()));
-		}
-		return (!beansMap.isEmpty() ? beansMap.values().iterator().next() : null);
+		return httpSecurity.getSharedObject(ApplicationContext.class).getBeanProvider(type).getIfUnique();
 	}
 
 	@SuppressWarnings("unchecked")
 	static <T> T getOptionalBean(HttpSecurity httpSecurity, ResolvableType type) {
-		ApplicationContext context = httpSecurity.getSharedObject(ApplicationContext.class);
-		String[] names = context.getBeanNamesForType(type);
-		if (names.length > 1) {
-			throw new NoUniqueBeanDefinitionException(type, names);
-		}
-		return (names.length == 1) ? (T) context.getBean(names[0]) : null;
+		return (T) httpSecurity.getSharedObject(ApplicationContext.class).getBeanProvider(type).getIfUnique();
 	}
 
 }

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java

@@ -45,6 +45,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.Primary;
 import org.springframework.http.HttpHeaders;
 import org.springframework.jdbc.core.JdbcOperations;
 import org.springframework.jdbc.core.JdbcTemplate;
@@ -158,6 +159,8 @@ public class OAuth2ClientCredentialsGrantTests {
 
 	private static AuthenticationFailureHandler authenticationFailureHandler;
 
+	private static PasswordEncoder passwordEncoder;
+
 	public final SpringTestContext spring = new SpringTestContext(this);
 
 	@Autowired
@@ -183,6 +186,9 @@ public static void init() {
 		authenticationProvidersConsumer = mock(Consumer.class);
 		authenticationSuccessHandler = mock(AuthenticationSuccessHandler.class);
 		authenticationFailureHandler = mock(AuthenticationFailureHandler.class);
+		passwordEncoder = mock(PasswordEncoder.class);
+		given(passwordEncoder.matches(any(), any())).willReturn(true);
+		given(passwordEncoder.upgradeEncoding(any())).willReturn(false);
 		db = new EmbeddedDatabaseBuilder().generateUniqueName(true)
 			.setType(EmbeddedDatabaseType.HSQL)
 			.setScriptEncoding("UTF-8")
@@ -496,6 +502,26 @@ public void requestWhenTokenRequestWithDPoPProofThenReturnDPoPBoundAccessToken()
 			.andExpect(jsonPath("$.token_type").value(OAuth2AccessToken.TokenType.DPOP.getValue()));
 	}
 
+	@Test
+	public void requestWhenTokenRequestWithMultiplePasswordEncodersThenPrimaryPasswordEncoderUsed() throws Exception {
+		this.spring.register(AuthorizationServerConfigurationWithMultiplePasswordEncoders.class).autowire();
+
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
+		this.registeredClientRepository.save(registeredClient);
+
+		this.mvc
+			.perform(post(DEFAULT_TOKEN_ENDPOINT_URI)
+				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
+				.param(OAuth2ParameterNames.SCOPE, "scope1 scope2")
+				.header(HttpHeaders.AUTHORIZATION,
+						"Basic " + encodeBasicAuth(registeredClient.getClientId(), registeredClient.getClientSecret())))
+			.andExpect(status().isOk())
+			.andExpect(jsonPath("$.access_token").isNotEmpty())
+			.andExpect(jsonPath("$.scope").value("scope1 scope2"));
+
+		verify(passwordEncoder).matches(any(), any());
+	}
+
 	private static String generateDPoPProof(String tokenEndpointUri) {
 		// @formatter:off
 		Map<String, Object> publicJwk = TestJwks.DEFAULT_EC_JWK
@@ -658,4 +684,16 @@ AuthorizationServerSettings authorizationServerSettings() {
 
 	}
 
+	@EnableWebSecurity
+	@Configuration(proxyBeanMethods = false)
+	static class AuthorizationServerConfigurationWithMultiplePasswordEncoders extends AuthorizationServerConfiguration {
+
+		@Primary
+		@Bean
+		PasswordEncoder primaryPasswordEncoder() {
+			return passwordEncoder;
+		}
+
+	}
+
 }