Lowercase username in InMemoryUserDetailsManager.changePassword

core/src/main/java/org/springframework/security/provisioning/InMemoryUserDetailsManager.java

@@ -150,7 +150,7 @@ public void changePassword(@Nullable String oldPassword, @Nullable String newPas
 		else {
 			this.logger.debug("No authentication manager set. Password won't be re-checked.");
 		}
-		MutableUserDetails user = this.users.get(username);
+		MutableUserDetails user = this.users.get(username.toLowerCase(Locale.ROOT));
 		Assert.state(user != null, "Current user doesn't exist in database.");
 		user.setPassword(newPassword);
 	}

core/src/test/java/org/springframework/security/provisioning/InMemoryUserDetailsManagerTests.java

@@ -123,6 +123,22 @@ public void changePasswordWhenCustomSecurityContextHolderStrategyThenUses() {
 		verify(strategy).getContext();
 	}
 
+	@Test
+	public void changePasswordWhenCurrentUsernameIsNotInLowercaseThenChangesPassword() {
+		UserDetails userNotLowerCase = User.withUserDetails(PasswordEncodedUser.user()).username("User").build();
+		InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager(userNotLowerCase);
+		Authentication authentication = new UsernamePasswordAuthenticationToken("User", userNotLowerCase.getPassword(),
+				userNotLowerCase.getAuthorities());
+		SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
+		given(strategy.getContext()).willReturn(new SecurityContextImpl(authentication));
+		manager.setSecurityContextHolderStrategy(strategy);
+
+		String newPassword = "newPassword";
+		manager.changePassword(userNotLowerCase.getPassword(), newPassword);
+
+		assertThat(manager.loadUserByUsername("User").getPassword()).isEqualTo(newPassword);
+	}
+
 	@Test
 	public void createUserWhenUserAlreadyExistsThenException() {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.manager.createUser(this.user))