Describe the bug

class: org.springframework.security.web.authentication.rememberme;

    /**
     * Calculates the digital signature to be put in the cookie. Default value is MD5
     * ("username:tokenExpiryTime:password:key")
     */
    protected String makeTokenSignature(long tokenExpiryTime, String username,
            String password) {
        String data = username + ":" + tokenExpiryTime + ":" + password + ":" + getKey();
        MessageDigest digest;
        try {
            digest = MessageDigest.getInstance("MD5");
        }
        catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("No MD5 algorithm available!");
        }

        return new String(Hex.encode(digest.digest(data.getBytes())));
    }

As written, the method never returns the same result if the password is encoded by any of bcrypt, pbkdf2, scrypt, sha256, because these password encoders always output a different secret string for the same password, so the result of the MD5 will never be the same, and remember-me never works after session timeout.
To Reproduce

        // Requires org.springframework.security.crypto.password.Pbkdf2PasswordEncoder
        Pbkdf2PasswordEncoder passwordEncoder = new Pbkdf2PasswordEncoder();
        String password = "123456";
        // Encode the same raw password three times; each call uses a fresh salt
        String encode = passwordEncoder.encode(password);
        String encode2 = passwordEncoder.encode(password);
        String encode3 = passwordEncoder.encode(password);
        // Console.println is a custom wrapper around System.out.println
        Console.println(encode, encode2, encode3, encode.equals(encode2), encode.equals(encode3));

Expected behavior

I don't know how to put it; maybe just exclude the password from the MD5, or could it work like the encoder's password check?

Sample

org.springframework.security.crypto.bcrypt.matches(...) statement: BCrypt.checkpw(rawPassword.toString(), encodedPassword)

Comment From: rwinch

Thanks for the report.

Can you clarify why the value is changing? I understand that PasswordEncoder will produce different values for the password, but typically the password is only encoded at the time of changing the password so I would expect it to be the same encoded value.

Comment From: norangit

Yes, you are right. It is my problem, because I hard-coded my password in application.properties and then encoded the password in my customized UserDetailsService.loadUserByUsername() method every time it was called from anywhere. I should only encode once. After I fixed my code, remember-me is working as expected.

Comment From: rwinch

Glad you solved your issue!
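
The root cause found in this thread, as an added example that is not part of the original issue and not Spring Security's own code: the cookie signature is recomputed from whatever encoded password the user lookup returns, so a salted hash that is regenerated on every lookup can never match. It assumes Java 17 (for `HexFormat`) and uses JDK-only PBKDF2 as a stand-in for a salted `PasswordEncoder`; the class name, `KEY`, username and passwords are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class RememberMeSignatureDemo {
    static final String KEY = "constructed-remember-me-key"; // constructed sample value

    // Stand-in for a salted PasswordEncoder: a fresh random salt on every call.
    static String encode(String rawPassword) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        PBEKeySpec spec = new PBEKeySpec(rawPassword.toCharArray(), salt, 10_000, 256);
        byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return HexFormat.of().formatHex(salt) + HexFormat.of().formatHex(hash);
    }

    // Same construction as makeTokenSignature in the report.
    static String makeTokenSignature(long expiry, String username, String password) throws Exception {
        String data = username + ":" + expiry + ":" + password + ":" + KEY;
        byte[] md5 = MessageDigest.getInstance("MD5").digest(data.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(md5);
    }

    // Validation recomputes the signature from the password the user lookup returns now.
    static boolean cookieStillValid(String cookieSig, long expiry, String user, String loadedPassword) throws Exception {
        byte[] expected = makeTokenSignature(expiry, user, loadedPassword).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, cookieSig.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        long expiry = System.currentTimeMillis() + 14L * 24 * 60 * 60 * 1000;
        String raw = "123456"; // constructed sample password

        // Misconfiguration from the thread: raw password re-encoded on every user lookup.
        String sigA = makeTokenSignature(expiry, "alice", encode(raw));
        System.out.println("re-encoded per lookup: " + cookieStillValid(sigA, expiry, "alice", encode(raw)));

        // Intended use: encoded once when the password is set, then stored.
        String stored = encode(raw);
        String sigB = makeTokenSignature(expiry, "alice", stored);
        System.out.println("encoded once, stored:  " + cookieStillValid(sigB, expiry, "alice", stored));
        // A password change replaces the stored hash, so cookies issued earlier stop validating.
        System.out.println("after password change: " + cookieStillValid(sigB, expiry, "alice", encode("new-password")));
    }
}
```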