Merge branch '6.3.x'

Author: jgrandja

cas/src/main/java/org/springframework/security/cas/userdetails/GrantedAuthorityFromAssertionAttributesUserDetailsService.java

@@ -18,6 +18,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 
 import org.apereo.cas.client.validation.Assertion;
 
@@ -73,7 +74,8 @@ protected UserDetails loadUserDetails(final Assertion assertion) {
 	}
 
 	private SimpleGrantedAuthority createSimpleGrantedAuthority(Object o) {
-		return new SimpleGrantedAuthority(this.convertToUpperCase ? o.toString().toUpperCase() : o.toString());
+		return new SimpleGrantedAuthority(
+				this.convertToUpperCase ? o.toString().toUpperCase(Locale.ROOT) : o.toString());
 	}
 
 	/**

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 
 import io.micrometer.observation.ObservationRegistry;
 import jakarta.servlet.ServletRequest;
@@ -313,7 +314,7 @@ void setCsrfIgnoreRequestMatchers(List<BeanDefinition> requestMatchers) {
 
 	// Needed to account for placeholders
 	static String createPath(String path, boolean lowerCase) {
-		return lowerCase ? path.toLowerCase() : path;
+		return lowerCase ? path.toLowerCase(Locale.ENGLISH) : path;
 	}
 
 	BeanMetadataElement getSecurityContextHolderStrategyForAuthenticationFilters() {

core/src/main/java/org/springframework/security/authentication/AuthenticationObservationConvention.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authentication;
 
+import java.util.Locale;
+
 import io.micrometer.common.KeyValues;
 import io.micrometer.observation.Observation;
 import io.micrometer.observation.ObservationConvention;
@@ -53,7 +55,7 @@ public String getContextualName(AuthenticationObservationContext context) {
 			if (authenticationType.endsWith("Authentication")) {
 				authenticationType = authenticationType.substring(0, authenticationType.lastIndexOf("Authentication"));
 			}
-			return "authenticate " + authenticationType.toLowerCase();
+			return "authenticate " + authenticationType.toLowerCase(Locale.ENGLISH);
 		}
 		return "authenticate";
 	}

core/src/main/java/org/springframework/security/core/authority/mapping/SimpleAttributes2GrantedAuthoritiesMapper.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -79,10 +79,10 @@ public List<GrantedAuthority> getGrantedAuthorities(Collection<String> attribute
 	 */
 	private GrantedAuthority getGrantedAuthority(String attribute) {
 		if (isConvertAttributeToLowerCase()) {
-			attribute = attribute.toLowerCase(Locale.getDefault());
+			attribute = attribute.toLowerCase(Locale.ROOT);
 		}
 		else if (isConvertAttributeToUpperCase()) {
-			attribute = attribute.toUpperCase(Locale.getDefault());
+			attribute = attribute.toUpperCase(Locale.ROOT);
 		}
 		if (isAddPrefixIfAlreadyExisting() || !attribute.startsWith(getAttributePrefix())) {
 			return new SimpleGrantedAuthority(getAttributePrefix() + attribute);

core/src/main/java/org/springframework/security/core/authority/mapping/SimpleAuthorityMapper.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.Locale;
 import java.util.Set;
 
 import org.springframework.beans.factory.InitializingBean;
@@ -71,10 +72,10 @@ public Set<GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthorit
 
 	private GrantedAuthority mapAuthority(String name) {
 		if (this.convertToUpperCase) {
-			name = name.toUpperCase();
+			name = name.toUpperCase(Locale.ROOT);
 		}
 		else if (this.convertToLowerCase) {
-			name = name.toLowerCase();
+			name = name.toLowerCase(Locale.ROOT);
 		}
 		if (this.prefix.length() > 0 && !name.startsWith(this.prefix)) {
 			name = this.prefix + name;

core/src/main/java/org/springframework/security/core/userdetails/MapReactiveUserDetailsService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Locale;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
@@ -91,7 +92,7 @@ private UserDetails withNewPassword(UserDetails userDetails, String newPassword)
 	}
 
 	private String getKey(String username) {
-		return username.toLowerCase();
+		return username.toLowerCase(Locale.ROOT);
 	}
 
 }

core/src/main/java/org/springframework/security/core/userdetails/memory/UserAttributeEditor.java

@@ -19,6 +19,7 @@
 import java.beans.PropertyEditorSupport;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 
 import org.springframework.util.StringUtils;
 
@@ -45,10 +46,10 @@ public void setAsText(String s) throws IllegalArgumentException {
 				userAttrib.setPassword(currentToken);
 			}
 			else {
-				if (currentToken.toLowerCase().equals("enabled")) {
+				if (currentToken.toLowerCase(Locale.ENGLISH).equals("enabled")) {
 					userAttrib.setEnabled(true);
 				}
-				else if (currentToken.toLowerCase().equals("disabled")) {
+				else if (currentToken.toLowerCase(Locale.ENGLISH).equals("disabled")) {
 					userAttrib.setEnabled(false);
 				}
 				else {

core/src/main/java/org/springframework/security/provisioning/InMemoryUserDetailsManager.java

@@ -19,6 +19,7 @@
 import java.util.Collection;
 import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Properties;
 
@@ -97,35 +98,33 @@ private User createUserDetails(String name, UserAttribute attr) {
 	@Override
 	public void createUser(UserDetails user) {
 		Assert.isTrue(!userExists(user.getUsername()), "user should not exist");
-
 		if (user instanceof MutableUserDetails mutable) {
-			this.users.put(user.getUsername().toLowerCase(), mutable);
+			this.users.put(user.getUsername().toLowerCase(Locale.ROOT), mutable);
 		}
 		else {
-			this.users.put(user.getUsername().toLowerCase(), new MutableUser(user));
+			this.users.put(user.getUsername().toLowerCase(Locale.ROOT), new MutableUser(user));
 		}
 	}
 
 	@Override
 	public void deleteUser(String username) {
-		this.users.remove(username.toLowerCase());
+		this.users.remove(username.toLowerCase(Locale.ROOT));
 	}
 
 	@Override
 	public void updateUser(UserDetails user) {
 		Assert.isTrue(userExists(user.getUsername()), "user should exist");
-
 		if (user instanceof MutableUserDetails mutable) {
-			this.users.put(user.getUsername().toLowerCase(), mutable);
+			this.users.put(user.getUsername().toLowerCase(Locale.ROOT), mutable);
 		}
 		else {
-			this.users.put(user.getUsername().toLowerCase(), new MutableUser(user));
+			this.users.put(user.getUsername().toLowerCase(Locale.ROOT), new MutableUser(user));
 		}
 	}
 
 	@Override
 	public boolean userExists(String username) {
-		return this.users.containsKey(username.toLowerCase());
+		return this.users.containsKey(username.toLowerCase(Locale.ROOT));
 	}
 
 	@Override
@@ -156,14 +155,14 @@ public void changePassword(String oldPassword, String newPassword) {
 	@Override
 	public UserDetails updatePassword(UserDetails user, String newPassword) {
 		String username = user.getUsername();
-		MutableUserDetails mutableUser = this.users.get(username.toLowerCase());
+		MutableUserDetails mutableUser = this.users.get(username.toLowerCase(Locale.ROOT));
 		mutableUser.setPassword(newPassword);
 		return mutableUser;
 	}
 
 	@Override
 	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
-		UserDetails user = this.users.get(username.toLowerCase());
+		UserDetails user = this.users.get(username.toLowerCase(Locale.ROOT));
 		if (user == null) {
 			throw new UsernameNotFoundException(username);
 		}

crypto/src/main/java/org/springframework/security/crypto/password/LdapShaPasswordEncoder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 import java.security.MessageDigest;
 import java.util.Base64;
+import java.util.Locale;
 
 import org.springframework.security.crypto.codec.Utf8;
 import org.springframework.security.crypto.keygen.BytesKeyGenerator;
@@ -50,11 +51,11 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
 
 	private static final String SSHA_PREFIX = "{SSHA}";
 
-	private static final String SSHA_PREFIX_LC = SSHA_PREFIX.toLowerCase();
+	private static final String SSHA_PREFIX_LC = SSHA_PREFIX.toLowerCase(Locale.ENGLISH);
 
 	private static final String SHA_PREFIX = "{SHA}";
 
-	private static final String SHA_PREFIX_LC = SHA_PREFIX.toLowerCase();
+	private static final String SHA_PREFIX_LC = SHA_PREFIX.toLowerCase(Locale.ENGLISH);
 
 	private BytesKeyGenerator saltGenerator;
 

etc/checkstyle/checkstyle-suppressions.xml

@@ -44,4 +44,8 @@
 
 	<!-- CSS content -->
 	<suppress files="CssUtils\.java" checks="SpringLeadingWhitespace"/>
+
+	<!-- Ignore String.toUpperCase() and String.toLowerCase() checks in tests -->
+	<suppress files="[\\/]src[\\/]test[\\/]" checks="RegexpSinglelineJava" id="toLowerCaseWithoutLocale"/>
+	<suppress files="[\\/]src[\\/]test[\\/]" checks="RegexpSinglelineJava" id="toUpperCaseWithoutLocale"/>
 </suppressions>