davebobak

Reputation: 253

How can I determine the algorithm used for hashing passwords in a Grails app using springsecurity?

I have never used Grails (or Java for that matter). I am rebuilding an app, originally built with Grails, from the ground up using another language/framework. I would like to bring over existing users from the production DB. I have full access to the DB and password hashes. I also have access to the entire Grails source.

I have been able to figure out that the springsecurity plugin appears to be used. I have done simple searches in the project for keywords like SHA1, MD5, and bcrypt with no results. I have also searched the source for "grails.plugins.springsecurity.password.algorithm" and it does not appear.

Is there a common encryption used by springsecurity?

Any help would be appreciated.

Upvotes: 3

Views: 994

Answers (2)

john Smith

Reputation: 17906

Search for documents containing

  "springSecurityService.encodePassword("

or

 "getEncodedPassword("

or

  ".encodeAsURLSafeBase64("

and in your "/domains/" directory there is surely some file like

user.groovy

which could bring some light into the context and maybe contains some helpful methods. In your "/controllers/" dir you could search for the controller that handles the registration; maybe it has a dependency on a service in /services/ which is doing that.

Upvotes: 0

Elias Dorneles

Reputation: 23806

According to the Spring Security Core plugin documentation, the default encryption is SHA-256.

That means it does something like this:

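import java.security.MessageDigest

// ...

String password = "<password to be encrypted>";
// One unsalted SHA-256 pass over the UTF-8 bytes of the password
MessageDigest digest = MessageDigest.getInstance("SHA-256");
// Raw 32-byte digest; it still has to be text-encoded before it is compared with a stored value
byte[] hash = digest.digest(password.getBytes("UTF-8"));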

Upvotes: 1
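One way to confirm the scheme from the database side, as an added example that is not part of either answer or of the plugin: take a test account whose password you know and check which digest, text encoding and salt reproduce its stored value. The function names and sample values are constructed for illustration, and the `password{salt}` merge format for salted digests is an assumption to verify against the app's configuration.

```python
import base64
import hashlib

# Digest names accepted by hashlib; these are the plain-digest candidates.
DIGESTS = ("md5", "sha1", "sha256", "sha512")


def shape_hint(stored):
    """Guess the scheme family from the stored string's shape alone."""
    if stored.startswith(("$2a$", "$2b$", "$2y$")) and len(stored) == 60:
        return "bcrypt"
    hex_lengths = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
    if all(c in "0123456789abcdefABCDEF" for c in stored):
        return hex_lengths.get(len(stored), "unknown")
    return "unknown"


def identify(stored, known_password, salts=()):
    """Return every (digest, encoding, salt) that reproduces `stored`.

    `salts` holds per-user values to try (for example the username).
    Salted input is built as password{salt} (assumed merge format).
    """
    matches = []
    for salt in (None, *salts):
        data = known_password if salt is None else f"{known_password}{{{salt}}}"
        raw = data.encode("utf-8")
        for name in DIGESTS:
            digest = hashlib.new(name, raw).digest()
            encodings = {
                "hex": digest.hex(),
                "base64": base64.b64encode(digest).decode("ascii"),
            }
            for enc, value in encodings.items():
                # Hex is case-insensitive; base64 is not.
                same = value == stored.lower() if enc == "hex" else value == stored
                if same:
                    matches.append((name, enc, salt))
    return matches


# Constructed sample: a test account whose password is known to be "changeme".
SAMPLE_PASSWORD = "changeme"
SAMPLE_ROW = hashlib.sha256(SAMPLE_PASSWORD.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print(shape_hint(SAMPLE_ROW), identify(SAMPLE_ROW, SAMPLE_PASSWORD))
```

An empty result for a known password means the scheme is outside these candidates (iterated digests, a different salt source, or bcrypt, which `shape_hint` flags by prefix).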
