Improvements

- Improved class names
- Introduced defaults to guide usage

Author: jzheaux

config/src/test/java/org/springframework/security/config/annotation/web/configurers/PasswordManagementConfigurerTests.java

@@ -288,10 +288,15 @@ PasswordAdvice index(PasswordAdvice advice) {
 		ResponseEntity<?> changePassword(@AuthenticationPrincipal UserDetails user,
 				@RequestParam("password") String password, HttpServletRequest request, HttpServletResponse response) {
 			PasswordAdvice advice = this.passwordAdvisor.advise(user, null, password);
-			if (advice.getAction() != PasswordAction.ABSTAIN) {
+			if (advice.getAction() != PasswordAction.NONE) {
 				return ResponseEntity.badRequest().body(advice);
 			}
-			this.passwords.changePassword(null, this.encoder.encode(password));
+			UserDetails updated = User.withUserDetails(user)
+				.passwordEncoder(this.encoder::encode)
+				.password(password)
+				.passwordAction(PasswordAction.NONE)
+				.build();
+			this.passwords.updateUser(updated);
 			this.passwordAdviceRepository.removePasswordAdvice(request, response);
 			return ResponseEntity.ok().build();
 		}

core/src/main/java/org/springframework/security/authentication/password/CompositePasswordAdvisor.java

@@ -18,45 +18,55 @@
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.core.userdetails.UserDetails;
 
 public final class CompositePasswordAdvisor implements PasswordAdvisor {
 
-	private final List<PasswordAdvisor> advisors;
+	private final Collection<PasswordAdvisor> advisors;
 
-	private CompositePasswordAdvisor(List<PasswordAdvisor> advisors) {
-		this.advisors = Collections.unmodifiableList(advisors);
+	private CompositePasswordAdvisor(Collection<PasswordAdvisor> advisors) {
+		this.advisors = Collections.unmodifiableCollection(advisors);
 	}
 
 	public static PasswordAdvisor of(PasswordAdvisor... advisors) {
 		return new CompositePasswordAdvisor(List.of(advisors));
 	}
 
+	public static PasswordAdvisor withDefaults(PasswordAdvisor... advisors) {
+		Map<Class<? extends PasswordAdvisor>, PasswordAdvisor> defaults = new HashMap<>();
+		defaults.put(UserDetailsPasswordAdvisor.class, new UserDetailsPasswordAdvisor());
+		defaults.put(PasswordLengthAdvisor.class, new PasswordLengthAdvisor());
+		for (PasswordAdvisor advisor : advisors) {
+			defaults.put(advisor.getClass(), advisor);
+		}
+		return new CompositePasswordAdvisor(defaults.values());
+	}
+
 	@Override
 	public PasswordAdvice advise(UserDetails user, @Nullable String password) {
 		Collection<PasswordAdvice> advice = this.advisors.stream()
 			.map((advisor) -> advisor.advise(user, password))
 			.toList();
-		return new Advice(advice);
+		return new CompositePasswordAdvice(advice);
 	}
 
-	public static final class Advice implements PasswordAdvice {
-
-		private final PasswordAction action;
+	public static final class CompositePasswordAdvice extends SimplePasswordAdvice {
 
 		private final Collection<PasswordAdvice> advice;
 
-		private Advice(Collection<PasswordAdvice> advice) {
-			this.action = findMostUrgentAction(advice);
+		private CompositePasswordAdvice(Collection<PasswordAdvice> advice) {
+			super(findMostUrgentAction(advice));
 			this.advice = advice;
 		}
 
-		private PasswordAction findMostUrgentAction(Collection<PasswordAdvice> advice) {
-			PasswordAction mostUrgentAction = PasswordAction.ABSTAIN;
+		private static PasswordAction findMostUrgentAction(Collection<PasswordAdvice> advice) {
+			PasswordAction mostUrgentAction = PasswordAction.NONE;
 			for (PasswordAdvice a : advice) {
 				if (mostUrgentAction.ordinal() < a.getAction().ordinal()) {
 					mostUrgentAction = a.getAction();
@@ -65,18 +75,13 @@ private PasswordAction findMostUrgentAction(Collection<PasswordAdvice> advice) {
 			return mostUrgentAction;
 		}
 
-		@Override
-		public PasswordAction getAction() {
-			return this.action;
-		}
-
 		public Collection<PasswordAdvice> getAdvice() {
 			return this.advice;
 		}
 
 		@Override
 		public String toString() {
-			return "Composite [" + "action=" + this.action + ", advice=" + this.advice + "]";
+			return "Composite [" + "action=" + super.toString() + ", advice=" + this.advice + "]";
 		}
 
 	}

core/src/main/java/org/springframework/security/authentication/password/CompositeUpdatePasswordAdvisor.java

@@ -18,45 +18,54 @@
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.core.userdetails.UserDetails;
 
 public final class CompositeUpdatePasswordAdvisor implements UpdatePasswordAdvisor {
 
-	private final List<UpdatePasswordAdvisor> advisors;
+	private final Collection<UpdatePasswordAdvisor> advisors;
 
-	private CompositeUpdatePasswordAdvisor(List<UpdatePasswordAdvisor> advisors) {
-		this.advisors = Collections.unmodifiableList(advisors);
+	private CompositeUpdatePasswordAdvisor(Collection<UpdatePasswordAdvisor> advisors) {
+		this.advisors = Collections.unmodifiableCollection(advisors);
 	}
 
 	public static UpdatePasswordAdvisor of(UpdatePasswordAdvisor... advisors) {
 		return new CompositeUpdatePasswordAdvisor(List.of(advisors));
 	}
 
+	public static UpdatePasswordAdvisor withDefaults(UpdatePasswordAdvisor... advisors) {
+		Map<Class<? extends UpdatePasswordAdvisor>, UpdatePasswordAdvisor> defaults = new HashMap<>();
+		defaults.put(RepeatedPasswordAdvisor.class, new RepeatedPasswordAdvisor());
+		defaults.put(PasswordLengthAdvisor.class, new PasswordLengthAdvisor());
+		for (UpdatePasswordAdvisor advisor : advisors) {
+			defaults.put(advisor.getClass(), advisor);
+		}
+		return new CompositeUpdatePasswordAdvisor(defaults.values());
+	}
 	@Override
 	public PasswordAdvice advise(UserDetails user, @Nullable String oldPassword, @Nullable String newPassword) {
 		Collection<PasswordAdvice> advice = this.advisors.stream()
 			.map((advisor) -> advisor.advise(user, oldPassword, newPassword))
 			.toList();
-		return new CompositeUpdatePasswordAdvisor.Advice(advice);
+		return new CompositePasswordAdvice(advice);
 	}
 
-	public static final class Advice implements PasswordAdvice {
-
-		private final PasswordAction action;
+	public static final class CompositePasswordAdvice extends SimplePasswordAdvice {
 
 		private final Collection<PasswordAdvice> advice;
 
-		private Advice(Collection<PasswordAdvice> advice) {
-			this.action = findMostUrgentAction(advice);
+		private CompositePasswordAdvice(Collection<PasswordAdvice> advice) {
+			super(findMostUrgentAction(advice));
 			this.advice = advice;
 		}
 
-		private PasswordAction findMostUrgentAction(Collection<PasswordAdvice> advice) {
-			PasswordAction mostUrgentAction = PasswordAction.ABSTAIN;
+		private static PasswordAction findMostUrgentAction(Collection<PasswordAdvice> advice) {
+			PasswordAction mostUrgentAction = PasswordAction.NONE;
 			for (PasswordAdvice a : advice) {
 				if (mostUrgentAction.ordinal() < a.getAction().ordinal()) {
 					mostUrgentAction = a.getAction();
@@ -65,18 +74,13 @@ private PasswordAction findMostUrgentAction(Collection<PasswordAdvice> advice) {
 			return mostUrgentAction;
 		}
 
-		@Override
-		public PasswordAction getAction() {
-			return this.action;
-		}
-
 		public Collection<PasswordAdvice> getAdvice() {
 			return this.advice;
 		}
 
 		@Override
 		public String toString() {
-			return "Composite [" + "action=" + this.action + ", advice=" + this.advice + "]";
+			return "Composite [" + "action=" + super.toString() + ", advice=" + this.advice + "]";
 		}
 
 	}

core/src/main/java/org/springframework/security/authentication/password/PasswordAction.java

@@ -18,9 +18,9 @@
 
 public enum PasswordAction {
 
-	ABSTAIN, SHOULD_CHANGE, MUST_CHANGE;
+	NONE, SHOULD_CHANGE, MUST_CHANGE;
 
-	boolean advisedBy(PasswordAdvice advice) {
+	public boolean advisedBy(PasswordAdvice advice) {
 		return advice.getAction().equals(this);
 	}
 

core/src/main/java/org/springframework/security/authentication/password/PasswordAdvice.java

@@ -21,8 +21,6 @@
 @NullMarked
 public interface PasswordAdvice {
 
-	PasswordAdvice ABSTAIN = () -> PasswordAction.ABSTAIN;
-
 	PasswordAction getAction();
 
 }

core/src/main/java/org/springframework/security/authentication/password/LengthPasswordAdvisor.java renamed to core/src/main/java/org/springframework/security/authentication/password/PasswordLengthAdvisor.java

@@ -21,25 +21,31 @@
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.util.Assert;
 
-public final class LengthPasswordAdvisor implements PasswordAdvisor, UpdatePasswordAdvisor {
+public final class PasswordLengthAdvisor implements PasswordAdvisor, UpdatePasswordAdvisor {
+
+	/**
+	 * The ASVS v5.0 minimum password length
+	 * @see <a href=
+	 * "https://github.com/OWASP/ASVS/blob/v5.0.0/5.0/docs_en/OWASP_Application_Security_Verification_Standard_5.0.0_en.csv#L108">ASVS
+	 * 5.0 Password Security Standard</a>
+	 */
+	private static final int ASVS_V5_MINIMUM_PASSWORD_LENGTH = 8;
 
 	private final int minLength;
 
 	private final int maxLength;
 
-	private PasswordAction tooShortAction = PasswordAction.MUST_CHANGE;
-
-	private PasswordAction tooLongAction = PasswordAction.SHOULD_CHANGE;
+	private PasswordAction passwordAction = PasswordAction.SHOULD_CHANGE;
 
-	public LengthPasswordAdvisor() {
-		this(12, 64);
+	public PasswordLengthAdvisor() {
+		this(ASVS_V5_MINIMUM_PASSWORD_LENGTH);
 	}
 
-	public LengthPasswordAdvisor(int minLength) {
+	public PasswordLengthAdvisor(int minLength) {
 		this(minLength, Integer.MAX_VALUE);
 	}
 
-	public LengthPasswordAdvisor(int minLength, int maxLength) {
+	public PasswordLengthAdvisor(int minLength, int maxLength) {
 		Assert.isTrue(minLength > 0, "minLength must be greater than 0");
 		this.minLength = minLength;
 		this.maxLength = maxLength;
@@ -48,82 +54,43 @@ public LengthPasswordAdvisor(int minLength, int maxLength) {
 	@Override
 	public PasswordAdvice advise(UserDetails user, @Nullable String password) {
 		if (password == null) {
-			return new TooShortAdvice(this.tooShortAction, this.minLength, 0);
+			return new PasswordLengthAdvice(this.passwordAction, this.minLength, this.maxLength, 0);
 		}
 		if (password.length() < this.minLength) {
-			return new TooShortAdvice(this.tooShortAction, this.minLength, password.length());
+			return new PasswordLengthAdvice(this.passwordAction, this.minLength, this.maxLength, password.length());
 		}
 		if (password.length() > this.maxLength) {
-			return new TooLongAdvice(this.tooLongAction, this.maxLength, password.length());
+			return new PasswordLengthAdvice(this.passwordAction, this.minLength, this.maxLength, password.length());
 		}
-		return PasswordAdvice.ABSTAIN;
+		return SimplePasswordAdvice.NONE;
 	}
 
 	@Override
 	public PasswordAdvice advise(UserDetails user, @Nullable String oldPassword, @Nullable String newPassword) {
 		return advise(user, newPassword);
 	}
 
-	public void setTooShortAction(PasswordAction tooShortAction) {
-		this.tooShortAction = tooShortAction;
+	public void setPasswordAction(PasswordAction passwordAction) {
+		this.passwordAction = passwordAction;
 	}
 
-	public void setTooLongAction(PasswordAction tooLongAction) {
-		this.tooLongAction = tooLongAction;
-	}
-
-	public static final class TooShortAdvice implements PasswordAdvice {
-
-		private final PasswordAction action;
+	public static final class PasswordLengthAdvice extends SimplePasswordAdvice {
 
 		private final int minLength;
 
-		private final int actualLength;
-
-		private TooShortAdvice(PasswordAction action, int minLength, int actualLength) {
-			this.action = action;
-			this.minLength = minLength;
-			this.actualLength = actualLength;
-		}
-
-		@Override
-		public PasswordAction getAction() {
-			return this.action;
-		}
-
-		public int getMinLength() {
-			return this.minLength;
-		}
-
-		public int getActualLength() {
-			return this.actualLength;
-		}
-
-		@Override
-		public String toString() {
-			return "TooShort [" + "action=" + this.action + ", minLength=" + this.minLength + ", actualLength="
-					+ this.actualLength + "]";
-		}
-
-	}
-
-	public static final class TooLongAdvice implements PasswordAdvice {
-
-		private final PasswordAction action;
-
 		private final int maxLength;
 
 		private final int actualLength;
 
-		private TooLongAdvice(PasswordAction action, int maxLength, int actualLength) {
-			this.action = action;
+		private PasswordLengthAdvice(PasswordAction action, int minLength, int maxLength, int actualLength) {
+			super(action);
+			this.minLength = minLength;
 			this.maxLength = maxLength;
 			this.actualLength = actualLength;
 		}
 
-		@Override
-		public PasswordAction getAction() {
-			return this.action;
+		public int getMinLength() {
+			return this.minLength;
 		}
 
 		public int getMaxLength() {
@@ -136,8 +103,8 @@ public int getActualLength() {
 
 		@Override
 		public String toString() {
-			return "TooLong [" + "action=" + this.action + ", maxLength=" + this.maxLength + ", actualLength="
-					+ this.actualLength + "]";
+			return "Length [action=" + super.toString() + ", minLength=" + this.minLength + ", maxLength="
+					+ this.maxLength + ", actualLength=" + this.actualLength + "]";
 		}
 
 	}

core/src/main/java/org/springframework/security/authentication/password/RepeatedPasswordAdvisor.java

@@ -26,17 +26,14 @@ public final class RepeatedPasswordAdvisor implements UpdatePasswordAdvisor {
 
 	@Override
 	public PasswordAdvice advise(UserDetails user, @Nullable String oldPassword, @Nullable String newPassword) {
-		if (Objects.equals(oldPassword, newPassword)) {
-			return new Advice();
-		}
-		return PasswordAdvice.ABSTAIN;
+		boolean repeated = Objects.equals(oldPassword, newPassword);
+		return new RepeatedPasswordAdvice(repeated ? PasswordAction.MUST_CHANGE : PasswordAction.NONE);
 	}
 
-	public static final class Advice implements PasswordAdvice {
+	public static final class RepeatedPasswordAdvice extends SimplePasswordAdvice {
 
-		@Override
-		public PasswordAction getAction() {
-			return PasswordAction.MUST_CHANGE;
+		RepeatedPasswordAdvice(PasswordAction action) {
+			super(action);
 		}
 
 	}