
Add UserDetailsRepositoryReactiveAuthenticationManager.setScheduler

Fixes: gh-5417
Rob Winch 7 lat temu
rodzic
commit
bb11a81857

+ 20 - 1
core/src/main/java/org/springframework/security/authentication/UserDetailsRepositoryReactiveAuthenticationManager.java

@@ -23,6 +23,7 @@ import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.util.Assert;
 import reactor.core.publisher.Mono;
+import reactor.core.scheduler.Scheduler;
 import reactor.core.scheduler.Schedulers;
 
 /**
@@ -37,6 +38,8 @@ public class UserDetailsRepositoryReactiveAuthenticationManager implements React
 
 	private PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
 
+	private Scheduler scheduler = Schedulers.parallel();
+
 	public UserDetailsRepositoryReactiveAuthenticationManager(ReactiveUserDetailsService userDetailsService) {
 		Assert.notNull(userDetailsService, "userDetailsService cannot be null");
 		this.userDetailsService = userDetailsService;
@@ -46,7 +49,7 @@ public class UserDetailsRepositoryReactiveAuthenticationManager implements React
 	public Mono<Authentication> authenticate(Authentication authentication) {
 		final String username = authentication.getName();
 		return this.userDetailsService.findByUsername(username)
-				.publishOn(Schedulers.parallel())
+				.publishOn(this.scheduler)
 				.filter( u -> this.passwordEncoder.matches((String) authentication.getCredentials(), u.getPassword()))
 				.switchIfEmpty(Mono.defer(() -> Mono.error(new BadCredentialsException("Invalid Credentials"))))
 				.map( u -> new UsernamePasswordAuthenticationToken(u, u.getPassword(), u.getAuthorities()) );
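Review bot: With the scheduler now configurable, it is worth documenting on `authenticate` that `passwordEncoder.matches(...)` only runs when `findByUsername` emits a user. An empty result goes straight to `switchIfEmpty`, so a failed login for an unknown username skips the hashing cost that a wrong password for a known username pays, and the response time can differ between the two cases. This behaviour is in the unchanged context lines rather than the line this commit edits, but it is not mentioned anywhere in the visible code. I would add a comment above the chain such as `// NOTE: unknown usernames bypass passwordEncoder.matches(); failure timing is not uniform`, or track equalising the work as a follow-up. The method's closing brace lies outside this hunk.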
@@ -61,4 +64,20 @@ public class UserDetailsRepositoryReactiveAuthenticationManager implements React
 		Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
 		this.passwordEncoder = passwordEncoder;
 	}
+
+	/**
+	 * Sets the {@link Scheduler} used by the {@link UserDetailsRepositoryReactiveAuthenticationManager}.
+	 * The default is {@code Schedulers.parallel()} because modern password encoding is
+	 * a CPU intensive task that is non blocking. This means validation is bounded by the
+	 * number of CPUs. Some applications may want to customize the {@link Scheduler}. For
+	 * example, if users are stuck using the insecure {@link org.springframework.security.crypto.password.NoOpPasswordEncoder}
+	 * they might want to leverage {@code Schedulers.immediate()}.
+	 *
+	 * @param scheduler the {@link Scheduler} to use. Cannot be null.
+	 * @since 5.0.6
+	 */
+	public void setScheduler(Scheduler scheduler) {
+		Assert.notNull(scheduler, "scheduler cannot be null");
+		this.scheduler = scheduler;
+	}
 }
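Review bot: The Javadoc on `setScheduler` suggests `Schedulers.immediate()` for `NoOpPasswordEncoder` but gives no caveat for the opposite pairing. With `publishOn(this.scheduler)` in `authenticate`, an immediate scheduler would run `passwordEncoder.matches(...)` on whatever thread emitted the user, presumably a request or event-loop thread, so a CPU-intensive encoder could stall it under login load. I would add a sentence such as `Do not use {@code Schedulers.immediate()} with a CPU intensive {@link PasswordEncoder}; matching would then run on the thread that emitted the user.` The new `scheduler` field is a plain mutable field read on every `authenticate` call, so the Javadoc could also state that the setter is intended for configuration time, before the manager is in use.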

+ 88 - 0
core/src/test/java/org/springframework/security/authentication/UserDetailsRepositoryReactiveAuthenticationManagerTests.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import reactor.core.publisher.Mono;
+import reactor.core.scheduler.Scheduler;
+import reactor.core.scheduler.Schedulers;
+
+import static org.assertj.core.api.Assertions.*;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+/**
+ * @author Rob Winch
+ * @since 5.1
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class UserDetailsRepositoryReactiveAuthenticationManagerTests {
+	@Mock
+	private ReactiveUserDetailsService userDetailsService;
+
+	@Mock
+	private PasswordEncoder encoder;
+
+	@Mock
+	private Scheduler scheduler;
+
+	private UserDetails user = User.withUsername("user")
+		.password("password")
+		.roles("USER")
+		.build();
+
+	private UserDetailsRepositoryReactiveAuthenticationManager manager;
+
+	@Before
+	public void setup() {
+		this.manager = new UserDetailsRepositoryReactiveAuthenticationManager(this.userDetailsService);
+		when(this.scheduler.schedule(any())).thenAnswer(a -> {
+			Runnable r = a.getArgument(0);
+			return Schedulers.immediate().schedule(r);
+		});
+	}
+
+	@Test
+	public void setSchedulerWhenNullThenIllegalArgumentException() {
+		assertThatCode(() -> this.manager.setScheduler(null))
+			.isInstanceOf(IllegalArgumentException.class);
+	}
+
+	@Test
+	public void authentiateWhenCustomSchedulerThenUsed() {
+		when(this.userDetailsService.findByUsername(any())).thenReturn(Mono.just(this.user));
+		when(this.encoder.matches(any(), any())).thenReturn(true);
+		this.manager.setScheduler(this.scheduler);
+		this.manager.setPasswordEncoder(this.encoder);
+		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
+			this.user, this.user.getPassword());
+
+		Authentication result = this.manager.authenticate(token).block();
+
+		verify(this.scheduler).schedule(any());
+	}
+}
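Review bot: `authentiateWhenCustomSchedulerThenUsed` assigns `result` but never asserts on it, so the test only proves that `schedule` was called, not that authentication still produces the expected token. Add `assertThat(result.getPrincipal()).isEqualTo(this.user);` after the `block()` call. The method name is also missing a "c" (`authenticateWhenCustomSchedulerThenUsed`). In `setSchedulerWhenNullThenIllegalArgumentException`, `assertThatThrownBy(...)` states the intent more directly than `assertThatCode(...).isInstanceOf(...)`. The class-level `@since 5.1` does not match the `@since 5.0.6` on the setter under test.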