I noticed following code in Md4PasswordEncoder in Spring Security:

/**
 * Takes a previously encoded password and compares it with a raw password after mixing in the salt and
 * encoding that value.
 *
 * @param encPass previously encoded password
 * @param rawPass plain text password
 * @param salt salt to mix into password
 * @return true or false
 */
public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
    String pass1 = "" + encPass;
    String pass2 = encodePassword(rawPass, salt);
    return PasswordEncoderUtils.equals(pass1,pass2);
}

I'm currently working on developing a custom PasswordEncoder. Could anyone please explain why the Spring developers are handling null by adding an empty string to the passed-in object?

Thanks in advance

1 Answer

I don't think this was done for a specific reason. I think it is more because the developers didn't care to change it over the later versions.

Until version 3.0.3, this is how the code used to look (Source):

78    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
79        String pass1 = "" + encPass;
80        String pass2 = encodePassword(rawPass, salt);
81        return pass1.equals(pass2);
82    }

In this version, if encPass was null and the statement on line 79 had been String pass1 = encPass; instead of what it is, line 81 would have thrown an NPE.

However, in the later version (the one which you are looking at) equals from PasswordEncoderUtils has been used which already takes care of cases where encPass could be null.

Hence, I think "" + is redundant in the current version and was left there for no special reason. (Perhaps because it is not breaking anything and is not a reason for a significant performance loss)
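The two behaviours discussed above, as an added example that is not Spring Security's code and not part of the original post. The legacy path shows what "" + encPass does with a null argument; the null-safe, constant-time comparison is an illustration written here to mirror what the answer describes for PasswordEncoderUtils.equals, and the stored value is a constructed placeholder rather than a real MD4 hash.

```java
import java.nio.charset.StandardCharsets;

/**
 * Illustrative code for the question above; not Spring Security source.
 * Demonstrates why "" + encPass avoided an NPE in the old isPasswordValid,
 * and why a null-safe comparison makes that concatenation redundant.
 */
public class PasswordCompareDemo {

    /** Old-style check (3.0.3 era): "" + encPass turns a null into the literal "null". */
    static boolean legacyIsValid(String encPass, String encodedRaw) {
        String pass1 = "" + encPass;          // null -> "null": never null, so equals() cannot NPE
        return pass1.equals(encodedRaw);      // "null" never matches a real encoded value
    }

    /**
     * Null-safe comparison modelled on what the answer attributes to
     * PasswordEncoderUtils.equals (assumed structure, written here for illustration):
     * compare lengths first, then every byte without short-circuiting on the first
     * mismatch, so the time taken does not depend on how many leading bytes agree.
     */
    static boolean nullSafeConstantTimeEquals(String expected, String actual) {
        byte[] e = expected == null ? null : expected.getBytes(StandardCharsets.UTF_8);
        byte[] a = actual == null ? null : actual.getBytes(StandardCharsets.UTF_8);
        int eLen = e == null ? -1 : e.length;
        int aLen = a == null ? -1 : a.length;
        if (eLen != aLen) {
            return false;                     // covers exactly one side being null
        }
        int diff = 0;
        for (int i = 0; i < eLen; i++) {
            diff |= e[i] ^ a[i];              // accumulate differences, no early return
        }
        // Two nulls end up here with eLen == aLen == -1 and diff == 0, i.e. "equal".
        // In isPasswordValid that cannot happen, because encodePassword() never returns null.
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed placeholder standing in for encodePassword(rawPass, salt); not a real hash.
        String encodedRaw = "constructed-encoded-value";

        // Without the "" + trick, a null encPass explodes on the legacy equals() call.
        try {
            String pass1 = null;
            System.out.println(pass1.equals(encodedRaw));
        } catch (NullPointerException ex) {
            System.out.println("plain equals() on null encPass -> NPE");
        }

        // With the trick, the comparison simply fails instead of throwing.
        System.out.println("legacy, null encPass   -> " + legacyIsValid(null, encodedRaw));
        System.out.println("legacy, matching value -> " + legacyIsValid(encodedRaw, encodedRaw));

        // The null-safe comparison needs no concatenation at all.
        System.out.println("null-safe, null encPass   -> " + nullSafeConstantTimeEquals(null, encodedRaw));
        System.out.println("null-safe, matching value -> " + nullSafeConstantTimeEquals(encodedRaw, encodedRaw));
        System.out.println("null-safe, wrong length   -> " + nullSafeConstantTimeEquals("short", encodedRaw));
    }
}
```

Because "" + encPass can never yield null, the null branch of the newer comparison is never exercised from isPasswordValid, which is exactly why the concatenation reads as a leftover rather than a deliberate guard. When writing a custom PasswordEncoder, the property worth keeping is the non-short-circuiting byte comparison, not the string concatenation.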
