Spring Security LdapShaPasswordEncoder can not matches password because DelegatingPasswordEncoder.matches() remove {SSHA} prefix;

Describe the bug org.springframework.security.crypto.password.LdapShaPasswordEncoder().encode() return {SSHA}payload format, but PasswordEncoderFactories.createDelegatingPasswordEncoder() support only {ldap} prefix. so I added below code {SSHA}. However, LdapShaPasswordEncoder is not recognized because DelegatingPasswordEncoder removes the {SSHA} prefix. So temporarily I put double prefix in front of encode password (ex. {SSHA}{SSHA} payload). why does not support {SSHA} type prefix in PasswordEncoderFactories class?

To Reproduce

    public PasswordEncoder passwordEncoder() {
        String encodingId = "bcrypt";
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put(encodingId, new BCryptPasswordEncoder());
        encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
        encoders.put("SSHA", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
        encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
        encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
        return new DelegatingPasswordEncoder(encodingId, encoders);
    }

    @Test
    public void ldapPasswordEncoder_match_success() {
        PasswordEncoder encoder = new org.springframework.security.crypto.password.LdapShaPasswordEncoder();
        String password = encoder.encode("pass");
        Assert.assertTrue(passwordEncoder().matches("pass", password));
    }

Comment From: rwinch

This is expected to fail because you are encoding with one encoder and then trying to match with the delegate encoder. You need to do a migration on the old encoded password.

Something like:

```java String rawPassword = "pass"; String ldapEncodedPassword = ldapEncoder.encode(rawPassword); String migratedPassword = "{ldap}" + ldapEncodedPassword;

assertThat(delegateEncoder.matches(rawPassword, migratedPassword)).isTrue(); ````

Alternatively, you can expose LdapShaPasswordEncoder as a bean and it will be used instead of DelegatingPasswordEncoder.

Going forward it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.