Describe the bug
When using a DelegatingPasswordEncoder with defaultPasswordEncoderForMatches set and you call the matches method with a password that has an unmapped prefix, the match fails.
I think this is because the code at DelegatingPasswordEncoder#L202 uses the prefixed password for the match, rather than extracting the password without the prefix and then using that.
To Reproduce
I've uploaded a sample test case here:
https://github.com/jrmcdonald/spring-security-delegating-password-encoder-issue/blob/main/src/test/java/com/jrmcdonald/spring/security/sample/DelegatingPasswordEncoderTest.java
Expected behavior
I would expect a password supplied with an unmapped prefix (i.e. "{unmapped}....") to match when using the default password encoder for matches.
If you agree and this is a bug, I'm happy to raise a PR for the fix.
Comment From: eleftherias
Thanks for reaching out @jrmcdonald. This is the expected behaviour, as described in the Javadoc
The encodedPassword provided will be the full password passed in including the {"id"} portion. For example, if the password of "{notmapped}foobar" was used, the "id" would be "notmapped" and the encodedPassword passed into the PasswordEncoder would be "{notmapped}foobar".
One reason why it is important to pass in the full password, is that you can then use a DelegatingPasswordEncoder as the defaultPasswordEncoderForMatches.
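The following is an added example, not code from the issue or from Spring Security's own sources, illustrating the behaviour described in the comment above: the default encoder for matches receives the full "{id}hash" string, which is what lets a second DelegatingPasswordEncoder act as that default. The "legacy" id, the stored hash and the recording encoder are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class DefaultForMatchesDemo {

    // Outer encoder: only the "bcrypt" id is mapped, so any other id is "unmapped" to it.
    static DelegatingPasswordEncoder outer() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    public static void main(String[] args) {
        // Constructed for the demo: a hash stored under an id the outer encoder does not know.
        String legacyHash = "{legacy}" + new BCryptPasswordEncoder().encode("foobar");

        // 1. A default encoder that only records what it is handed. It receives the
        //    whole prefixed string ("{legacy}$2a$..."), not the bare bcrypt hash,
        //    which is why matching it against a plain BCryptPasswordEncoder fails.
        DelegatingPasswordEncoder first = outer();
        first.setDefaultPasswordEncoderForMatches(new PasswordEncoder() {
            public String encode(CharSequence raw) { return raw.toString(); }
            public boolean matches(CharSequence raw, String encoded) {
                System.out.println("default encoder received: " + encoded);
                return false;
            }
        });
        first.matches("foobar", legacyHash);

        // 2. Because the prefix is preserved, a second DelegatingPasswordEncoder that
        //    does map "legacy" can be the default and resolves the id itself.
        Map<String, PasswordEncoder> legacyEncoders = new HashMap<>();
        legacyEncoders.put("legacy", new BCryptPasswordEncoder());
        PasswordEncoder legacyDelegate = new DelegatingPasswordEncoder("legacy", legacyEncoders);

        DelegatingPasswordEncoder second = outer();
        second.setDefaultPasswordEncoderForMatches(legacyDelegate);
        System.out.println("correct password matches: " + second.matches("foobar", legacyHash));
        System.out.println("wrong password matches:   " + second.matches("wrong", legacyHash));
    }
}
```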
Comment From: jrmcdonald
Hi @eleftherias, thanks for the response.
I had misread that section of the javadoc, and I now understand it to be talking about the password that is supplied to the default password encoder. That does make sense when you think about using another DelegatingPasswordEncoder as the default!