Summary
AbstractUserDetailsReactiveAuthenticationManager invokes the PasswordEncoder in a parallel Scheduler by default.
PasswordEncoder implementations (e.g. BCryptPasswordEncoder) will potentially block when generating random salt data using SecureRandom, since some SecureRandom implementations will block while reading entropy.
I think the AbstractUserDetailsReactiveAuthenticationManager should execute this potentially blocking code on a Scheduler meant for blocking tasks (e.g. Schedulers.boundedElastic() or Schedulers.newBoundedElastic(...)) to avoid blocking a parallel Scheduler.
BlockHound is reporting this blocking call as an illegal blocking call, since it executes on a parallel scheduler.
Actual Behavior
AbstractUserDetailsReactiveAuthenticationManager invokes PasswordEncoder.upgradeEncoding on a parallel Scheduler by default, which causes BlockHound to report illegal blocking calls.
at java.base/java.io.FileInputStream.readBytes(FileInputStream.java)
at java.base/java.io.FileInputStream.read(FileInputStream.java:279)
at java.base/java.io.FilterInputStream.read(FilterInputStream.java:133)
at java.base/sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:424)
at java.base/sun.security.provider.NativePRNG$RandomIO.ensureBufferValid(NativePRNG.java:526)
at java.base/sun.security.provider.NativePRNG$RandomIO.implNextBytes(NativePRNG.java:545)
at java.base/sun.security.provider.NativePRNG.engineNextBytes(NativePRNG.java:220)
at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:741)
at org.springframework.security.crypto.bcrypt.BCrypt.gensalt(BCrypt.java:621)
at org.springframework.security.crypto.bcrypt.BCrypt.gensalt(BCrypt.java:640)
at org.springframework.security.crypto.bcrypt.BCrypt.gensalt(BCrypt.java:649)
at org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.encode(BCryptPasswordEncoder.java:78)
at org.springframework.security.crypto.password.DelegatingPasswordEncoder.encode(DelegatingPasswordEncoder.java:186)
at org.springframework.security.authentication.UserDetailsRepositoryReactiveAuthenticationManager.lambda$authenticate$2(UserDetailsRepositoryReactiveAuthenticationManager.java:63)
Expected Behavior
Blocking calls are not made on a parallel Scheduler. BlockHound does not report illegal blocking calls.
Configuration
Default Spring Boot configuration
Version
5.2.0.RELEASE
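As an added example, not code from this report or from Spring Security itself, the following custom ReactiveAuthenticationManager keeps the BCrypt comparison off the parallel Scheduler by evaluating it through Mono.fromCallable on Schedulers.boundedElastic(). The class name BlockingAwareAuthenticationManager is hypothetical; the Spring Security and Reactor types it uses are real.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.PasswordEncoder;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Scheduler;
import reactor.core.scheduler.Schedulers;

/**
 * Hypothetical authentication manager (not Spring Security's own) that runs the
 * password check on a Scheduler intended for blocking work, so a SecureRandom
 * that blocks on entropy never stalls a parallel Scheduler thread.
 */
public class BlockingAwareAuthenticationManager implements ReactiveAuthenticationManager {

    private final ReactiveUserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;
    // boundedElastic() is sized for blocking tasks; parallel() is not.
    private final Scheduler blockingScheduler = Schedulers.boundedElastic();

    public BlockingAwareAuthenticationManager(ReactiveUserDetailsService userDetailsService,
                                              PasswordEncoder passwordEncoder) {
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        String username = authentication.getName();
        String presented = (String) authentication.getCredentials();
        return userDetailsService.findByUsername(username)
            // PasswordEncoder.matches (and encode/upgradeEncoding) may block inside
            // SecureRandom, so it is wrapped in fromCallable and subscribed on the
            // blocking-safe scheduler instead of the caller's parallel thread.
            .flatMap(user -> Mono.fromCallable(() -> passwordEncoder.matches(presented, user.getPassword()))
                .subscribeOn(blockingScheduler)
                .filter(Boolean::booleanValue)
                .switchIfEmpty(Mono.error(() -> new BadCredentialsException("Invalid Credentials")))
                .map(ok -> user))
            .map(this::toAuthenticated);
    }

    private Authentication toAuthenticated(UserDetails user) {
        return new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
    }
}
```

With BlockHound installed in a test, the same BCrypt call that produced the stack trace above no longer runs on a parallel thread, so no illegal blocking call is reported for the password check.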
Comment From: jzheaux
Closing as a duplicate of https://github.com/spring-projects/spring-security/issues/7522