Expected Behavior

The class org.springframework.security.crypto.password.DelegatingPasswordEncoder.UnmappedIdPasswordEncoder should not use org.springframework.util.StringUtils to allow usage in non-Spring environments.

Current Behavior

org.springframework:spring-core has to be within my dependencies to use the DelegatingPasswordEncoder, and it's only used in one method:

https://github.com/spring-projects/spring-security/blob/d3332e1956f4589dcf097a4d4b5b8f65d865d7e3/crypto/src/main/java/org/springframework/security/crypto/password/DelegatingPasswordEncoder.java#L298

Right now the dependency on org.springframework:spring-core is optional and not necessary for using most PasswordEncoder implementations.

The usage of StringUtils can easily be replaced.

Context

I have an Eclipse RCP (OSGi) project, where I want to use the DelegatingPasswordEncoder right away without adding org.springframework:spring-core to my dependencies.

Comment From: kse-music

I found that in KeyStoreKeyFactory not only StringUtils but also Resource are used.

Comment From: ChristianHoesel

I found that in KeyStoreKeyFactory not only StringUtils but also Resource are used.

You are right, Resource from spring-core is used in KeyStoreKeyFactory, but as far as I see this does not interfere with using DelegatingPasswordEncoder and PasswordEncoderFactories.

So after replacing StringUtils the optional dependency on spring-core still exists, but it is a little less.

Comment From: sjohnr

@ChristianHoesel thanks for reaching out!

So after replacing StringUtils the optional dependency on spring-core still exists, but it is a little less.

I can understand wanting to reduce/remove its use in the spring-security-crypto module. I think the issue is that spring-core usage is very common throughout the project and so it may pop up again. Removing this usage doesn't guarantee you won't run into issues in the future. Having said that,

The usage of StringUtils can easily be replaced.

Would you like to submit a PR? We're happy to look at improving this situation since the crypto module definitely has many uses such as yours.