jenkinsci · MarkEWaite · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026
diff --git a/bom/pom.xml b/bom/pom.xml
@@ -63,15 +63,15 @@ THE SOFTWARE.
       <dependency>
         <groupId>org.springframework</groupId>
         <artifactId>spring-framework-bom</artifactId>
-        <version>6.2.16</version>
+        <version>7.0.5</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
       <dependency>
         <!-- https://docs.spring.io/spring-security/reference/6.3/getting-spring-security.html#getting-maven-no-boot -->
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-bom</artifactId>
-        <version>6.5.8</version>
+        <version>7.0.3</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>

diff --git a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
@@ -456,7 +456,7 @@ private SignupInfo validateAccountCreationForm(StaplerRequest2 req, boolean vali
         }
 
         try {
-            PASSWORD_HASH_ENCODER.encode(si.password1);
+            PASSWORD_HASH_ENCODER.encode2(si.password1);
         }  catch (RuntimeException ex) {
             si.errors.put("password1", ex.getMessage());
         }
@@ -853,7 +853,7 @@ public Details newInstance(StaplerRequest2 req, JSONObject formData) throws Form
 
                 // The password is being changed
                 try {
-                    PASSWORD_HASH_ENCODER.encode(pwd);
+                    PASSWORD_HASH_ENCODER.encode2(pwd);
                 } catch (RuntimeException ex) {
                     throw new FormException(ex.getMessage(), "user.password");
                 }
@@ -934,9 +934,9 @@ static class JBCryptEncoder extends BCryptPasswordEncoder implements PasswordHas
         private static final Pattern BCRYPT_PATTERN = Pattern.compile("^\\$2a\\$([0-9]{2})\\$.{53}$");
 
         @Override
-        public String encode(CharSequence rawPassword) {
+        public String encode2(CharSequence rawPassword) {
             try {
-                return super.encode(rawPassword);
+                return encode(rawPassword);
             } catch (IllegalArgumentException ex) {
                 if (ex.getMessage().equals("password cannot be more than 72 bytes")) {
                     if (rawPassword.toString().matches("\\A\\p{ASCII}+\\z")) {

diff --git a/core/src/main/java/hudson/security/PasswordHashEncoder.java b/core/src/main/java/hudson/security/PasswordHashEncoder.java
@@ -27,4 +27,8 @@
 
 interface PasswordHashEncoder extends PasswordEncoder {
      boolean isHashValid(String hash);
+
+     default String encode2(CharSequence rawPassword) {
+         return encode(rawPassword);
+     }
 }
diff --git a/core/src/test/java/hudson/security/HudsonPrivateSecurityRealmTest.java b/core/src/test/java/hudson/security/HudsonPrivateSecurityRealmTest.java
@@ -160,17 +160,24 @@ void testJBCryptPasswordMatching() {
     @Issue("JENKINS-75533")
     @Test
     void ensureExpectedMessageAscii() {
-        final IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> HudsonPrivateSecurityRealm.PASSWORD_HASH_ENCODER.encode(
+        final IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> HudsonPrivateSecurityRealm.PASSWORD_HASH_ENCODER.encode2(
                 "1234567890123456789012345678901234567890123456789012345678901234567890123"));
         assertThat(ex.getMessage(), is(Messages.HudsonPrivateSecurityRealm_CreateAccount_BCrypt_PasswordTooLong_ASCII()));
     }
 
     @Issue("JENKINS-75533")
     @Test
     void ensureExpectedMessageEmoji() {
-        final IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> HudsonPrivateSecurityRealm.PASSWORD_HASH_ENCODER.encode(
+        final IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> HudsonPrivateSecurityRealm.PASSWORD_HASH_ENCODER.encode2(
                 "\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20" +
                         "\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20\uD83E\uDD20")); // 🤠
         assertThat(ex.getMessage(), is(Messages.HudsonPrivateSecurityRealm_CreateAccount_BCrypt_PasswordTooLong()));
     }
+
+    @Test
+    void ensureExpectedMessageFromEncode() {
+        final IllegalArgumentException ex = assertThrows(IllegalArgumentException.class, () -> HudsonPrivateSecurityRealm.PASSWORD_HASH_ENCODER.encode(
+                "1234567890123456789012345678901234567890123456789012345678901234567890123"));
+        assertThat(ex.getMessage(), is("password cannot be more than 72 bytes"));
+    }
 }
diff --git a/test/src/test/java/hudson/security/TokenBasedRememberMeServices2Test.java b/test/src/test/java/hudson/security/TokenBasedRememberMeServices2Test.java
@@ -33,6 +33,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@@ -126,7 +127,8 @@ void basicFlow() throws Exception {
         wc.executeOnServer(() -> {
             Authentication a = Jenkins.getAuthentication2();
             assertEquals("bob", a.getName());
-            assertEquals(Arrays.asList("authenticated", "myteam"), a.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList()));
+            assertEquals(Arrays.asList("authenticated", "myteam"),
+                         a.getAuthorities().stream().map(GrantedAuthority::getAuthority).filter(authority -> !authority.equals(FactorGrantedAuthority.PASSWORD_AUTHORITY)).collect(Collectors.toList()));
             return null;
         });
     }

diff --git a/test/src/test/java/jenkins/security/LastGrantedAuthoritiesPropertyTest.java b/test/src/test/java/jenkins/security/LastGrantedAuthoritiesPropertyTest.java
@@ -18,6 +18,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -80,7 +81,7 @@ private void assertAuthorities(Authentication auth, String expected) {
     }
 
     private void _assertAuthorities(Collection<? extends GrantedAuthority> grantedAuthorities, String expected) {
-        List<String> authorities = grantedAuthorities.stream().map(GrantedAuthority::getAuthority).sorted().collect(Collectors.toList());
+        List<String> authorities = grantedAuthorities.stream().map(GrantedAuthority::getAuthority).filter(authority -> !authority.equals(FactorGrantedAuthority.PASSWORD_AUTHORITY)).sorted().collect(Collectors.toList());
 
         assertEquals(expected, String.join(":", authorities));
     }