From 4dd30a7a4e29a7d80266a2a49c1048bb46bf5975 Mon Sep 17 00:00:00 2001
From: Garvit Joshi
Date: Sat, 29 Nov 2025 16:44:45 +0530
Subject: [PATCH 1/2] gh-18234: Create SHA-1 MessageDigest for every new check request
Signed-off-by: Garvit Joshi
---
 .../password/HaveIBeenPwnedRestApiPasswordChecker.java | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
index 8784f8e900d..5d670c5ee9d 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
@@ -52,12 +52,9 @@ public final class HaveIBeenPwnedRestApiPasswordChecker implements CompromisedPa
 	private final Log logger = LogFactory.getLog(getClass());
-	private final MessageDigest sha1Digest;
-
 	private RestClient restClient = RestClient.builder().baseUrl(API_URL).build();
 	public HaveIBeenPwnedRestApiPasswordChecker() {
-		this.sha1Digest = getSha1Digest();
 	}
 	@Override
@@ -65,7 +62,8 @@ public CompromisedPasswordDecision check(@Nullable String password) {
 		if (password == null) {
 			return new CompromisedPasswordDecision(false);
 		}
-		byte[] hash = this.sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8));
+		MessageDigest sha1Digest = getSha1Digest();
+		byte[] hash = sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8));
 		String encoded = new String(Hex.encode(hash)).toUpperCase(Locale.ROOT);
 		String prefix = encoded.substring(0, PREFIX_LENGTH);
 		String suffix = encoded.substring(PREFIX_LENGTH);
From 4bf9f002ba85b1ec63550d39a178b1abba693bf2 Mon Sep 17 00:00:00 2001
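Review bot: Nothing in the new lines of check() records why the MessageDigest is now obtained per call instead of held in a field, so a later cleanup could hoist it back out as an "optimisation"; the motivation is presumably that a MessageDigest instance is not safe to share between concurrent check() calls, which the field version did. Suggest a one-line comment above `MessageDigest sha1Digest = getSha1Digest();`: `// MessageDigest is not thread-safe; use a fresh instance per call so concurrent check() invocations cannot interleave`. The same applies to the getHash() lambda in HaveIBeenPwnedRestApiReactivePasswordChecker in the second patch. check() continues past the end of the hunk, and getSha1Digest() is defined outside it.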
From: Garvit Joshi
Date: Sat, 29 Nov 2025 16:58:25 +0530
Subject: [PATCH 2/2] gh-18234: Create SHA-1 MessageDigest for every new check request
Signed-off-by: Garvit Joshi
---
 .../HaveIBeenPwnedRestApiPasswordChecker.java | 3 ---
 .../HaveIBeenPwnedRestApiReactivePasswordChecker.java | 11 ++++-------
 2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
index 5d670c5ee9d..5844ce1fb69 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiPasswordChecker.java
@@ -54,9 +54,6 @@ public final class HaveIBeenPwnedRestApiPasswordChecker implements CompromisedPa
 	private RestClient restClient = RestClient.builder().baseUrl(API_URL).build();
-	public HaveIBeenPwnedRestApiPasswordChecker() {
-	}
-
 	@Override
 	public CompromisedPasswordDecision check(@Nullable String password) {
 		if (password == null) {
diff --git a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java
index 8bd5dacdb14..77258431795 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/password/HaveIBeenPwnedRestApiReactivePasswordChecker.java
@@ -55,12 +55,6 @@ public class HaveIBeenPwnedRestApiReactivePasswordChecker implements ReactiveCom
 	private WebClient webClient = WebClient.builder().baseUrl(API_URL).build();
-	private final MessageDigest sha1Digest;
-
-	public HaveIBeenPwnedRestApiReactivePasswordChecker() {
-		this.sha1Digest = getSha1Digest();
-	}
-
 	@Override
 	public Mono check(@Nullable String password) {
 		return getHash(password).map((hash) -> new String(Hex.encode(hash)))
@@ -98,7 +92,10 @@ public void setWebClient(WebClient webClient) {
 	private Mono getHash(@Nullable String rawPassword) {
 		return Mono.justOrEmpty(rawPassword)
-			.map((password) -> this.sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8)))
+			.map((password) -> {
+				MessageDigest sha1Digest = getSha1Digest();
+				return sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8));
+			})
 			.subscribeOn(Schedulers.boundedElastic())
 			.publishOn(Schedulers.parallel());
 	}
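Review bot: The new block lambda in getHash() introduces a local that is used exactly once; `.map((password) -> getSha1Digest().digest(password.getBytes(StandardCharsets.UTF_8)))` keeps the single-expression form of the line it replaces and reads like the rest of the pipeline. Whichever form is kept, a short comment such as `// new MessageDigest per subscription: the instance is not thread-safe and this map may run on several boundedElastic threads at once` would stop a later cleanup from reintroducing a shared field. getSha1Digest() is defined outside the hunk; the first hunk in this file only removes the field and constructor and needs no change.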