HaveIBeenPwnedRestApiPasswordChecker stores a single MessageDigest instance as a field and reuses it across all invocations of check(). Since MessageDigest is not thread-safe, concurrent calls can produce incorrect hash values.
To Reproduce
- Register HaveIBeenPwnedRestApiPasswordChecker as a singleton bean
- Call check() concurrently from multiple threads
- Hash computation becomes unreliable due to shared mutable state in MessageDigest
Expected behavior
The checker should produce correct results under concurrent access. A new MessageDigest instance should be created per invocation instead of reusing a shared instance.
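The following is an added illustration, not code from the issue or from the project the issue is filed against. It reproduces the failure mode described above with two hypothetical stand-in classes: SharedDigestHasher keeps one MessageDigest in a field the way the report describes, PerCallDigestHasher obtains a fresh instance on every call. Both compute the uppercase hex SHA-1 of a password (the form the Have I Been Pwned range API expects); countMismatches hammers one of them from several threads and counts results that differ from the single-threaded reference value, treating an exception thrown by the corrupted digest as a mismatch as well. Class names, the password string and the thread/iteration counts are assumptions chosen for the demonstration; HexFormat requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

public class SharedDigestDemo {

    // Hypothetical stand-in for the pattern described in the report: one MessageDigest
    // held in a field and reused by every call. MessageDigest carries internal buffer
    // and counter state, so concurrent update()/digest() calls interleave on it.
    static final class SharedDigestHasher {
        private final MessageDigest sha1;

        SharedDigestHasher() throws NoSuchAlgorithmException {
            this.sha1 = MessageDigest.getInstance("SHA-1");
        }

        String sha1Hex(String password) {
            byte[] out = this.sha1.digest(password.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().withUpperCase().formatHex(out);
        }
    }

    // Hypothetical stand-in for the proposed fix: a fresh instance per invocation, so
    // there is no shared mutable state between threads. getInstance("SHA-1") is cheap
    // and SHA-1 is required of every Java platform, so the checked exception is a bug.
    static final class PerCallDigestHasher {
        String sha1Hex(String password) {
            try {
                MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
                byte[] out = sha1.digest(password.getBytes(StandardCharsets.UTF_8));
                return HexFormat.of().withUpperCase().formatHex(out);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("SHA-1 must be available on every Java platform", e);
            }
        }
    }

    // Runs `hash` on `threads` threads, each hashing the same password `iterations` times,
    // and returns how many results differed from the single-threaded reference digest.
    // A RuntimeException from a corrupted digest (e.g. an out-of-bounds buffer offset)
    // is counted as a mismatch too.
    static int countMismatches(Function<String, String> hash, int threads, int iterations)
            throws Exception {
        String password = "correct horse battery staple"; // constructed sample input
        String expected = new PerCallDigestHasher().sha1Hex(password);
        AtomicInteger mismatches = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        List<Future<?>> futures = new ArrayList<>();
        for (int t = 0; t < threads; t++) {
            futures.add(pool.submit(() -> {
                for (int i = 0; i < iterations; i++) {
                    String actual;
                    try {
                        actual = hash.apply(password);
                    } catch (RuntimeException e) {
                        actual = null;
                    }
                    if (!expected.equals(actual)) {
                        mismatches.incrementAndGet();
                    }
                }
            }));
        }
        for (Future<?> f : futures) {
            f.get(); // propagate any unexpected failure from a worker
        }
        pool.shutdown();
        return mismatches.get();
    }

    public static void main(String[] args) throws Exception {
        SharedDigestHasher shared = new SharedDigestHasher();
        PerCallDigestHasher perCall = new PerCallDigestHasher();
        System.out.println("shared instance mismatches:   " + countMismatches(shared::sha1Hex, 8, 20_000));
        System.out.println("per-call instance mismatches: " + countMismatches(perCall::sha1Hex, 8, 20_000));
    }
}
```

The per-call hasher must report zero mismatches on every run; the shared hasher will report a non-zero count on any machine with more than one core, though the exact number varies from run to run because it depends on thread scheduling. In a password-breach check the consequence of a wrong digest is not a crash but a silent false negative: the wrong prefix is sent to the range API and a breached password can be accepted.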