John Little

Reputation: 12345

springSecurityService how to NOT store passwords in cleartext?

This tutorial:

http://spring.io/blog/2010/08/11/simplified-spring-security-with-grails/

Says you should create users like this:

def adminUser = SecUser.findByUsername('admin') ?: new SecUser(
            username: 'admin',
            password: springSecurityService.encodePassword('admin'),
            enabled: true).save(failOnError: true)

However, this does not work. It only works if you do this:

           password: 'admin'

Which I am assuming (but could be wrong) stores the password in the internal DB in plain text (not hashed).

Is there a way to tell Spring to encrypt or hash passwords? It's not in any of the tutorials, and I can't find it in the manual. Grails 2.3.6, security core 2.0-RC2 & UI, default install.

I have seen it said that Grails by default does hash with bcrypt, but I don't know how to verify this. I guess I need to install MySQL, tell Grails to use this, then I can query the values.

Upvotes: 0

Views: 218

Answers (1)

Joshua Moore

Reputation: 24776

Take a deep breath. By default the Spring Security plugin for Grails (recent versions) isn't going to store your passwords in clear text.

Take a look at your SecUser domain class and you will see that it's handling the encryption of the password for you. You can also see an example of this in the documentation.

This is directly from the documentation.

package com.mycompany.myapp
class User {

   transient springSecurityService

   String username
   String password
   boolean enabled = true
   boolean accountExpired
   boolean accountLocked
   boolean passwordExpired

   static transients = ['springSecurityService']

   static constraints = {
      username blank: false, unique: true
      password blank: false
   }

   static mapping = {
      password column: '`password`'
   }

   Set<Role> getAuthorities() {
      UserRole.findAllByUser(this).collect { it.role } as Set
   }

   def beforeInsert() {
      encodePassword()
   }

   def beforeUpdate() {
      if (isDirty('password')) {
         encodePassword()
      }
   }

   protected void encodePassword() {
      password = springSecurityService.encodePassword(password)
   }
}

If you haven't already read through the documentation I suggest you do. It's well written and will likely answer a lot of other questions you have about the plugin.

Upvotes: 5
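As an added illustration (not the plugin's or the documentation's code), the following Python model reproduces the beforeInsert/beforeUpdate/isDirty behaviour of the User class above and shows what the stored column looks like when the constructor receives a plain password versus a value that was already passed through encodePassword, as in the tutorial's create call. It assumes a constructed stand-in encoder (PBKDF2 with a made-up `$pbkdf2$salt$hash` layout) in place of the plugin's bcrypt; the hook logic, not the hash algorithm, is the point.

```python
import base64, hashlib, hmac, os

# Stand-in for springSecurityService.encodePassword(): PBKDF2-HMAC-SHA256 with a random
# salt. The plugin uses bcrypt; the "$pbkdf2$salt$hash" layout is a constructed format.
def encode_password(plain: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, 100_000)
    return "$pbkdf2$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def is_encoded(stored: str) -> bool:
    """True if the stored column carries the encoder's format rather than cleartext."""
    return stored.startswith("$pbkdf2$") and stored.count("$") == 3

def password_matches(plain: str, stored: str) -> bool:
    """What the authentication provider does at login: re-derive from plain and compare."""
    if not is_encoded(stored):
        return False
    _, _, salt_b64, digest_b64 = stored.split("$")
    actual = hashlib.pbkdf2_hmac("sha256", plain.encode(), base64.b64decode(salt_b64), 100_000)
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))

class SecUser:
    """Models the User domain class: the persistence hooks do the encoding, not the caller."""
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self._stored = None  # the password column as last written to the DB

    def is_dirty(self, field: str) -> bool:
        return field == "password" and self.password != self._stored

    def save(self) -> "SecUser":
        if self._stored is None:
            self.before_insert()   # first save: GORM fires beforeInsert
        else:
            self.before_update()   # later saves: GORM fires beforeUpdate
        self._stored = self.password
        return self

    def before_insert(self):
        self.password = encode_password(self.password)

    def before_update(self):
        if self.is_dirty("password"):  # guard: do not re-hash an unchanged hash
            self.password = encode_password(self.password)

def create_admin(pre_encode: bool) -> SecUser:
    """pre_encode=True mirrors the tutorial's encodePassword('admin') in the constructor."""
    raw = encode_password("admin") if pre_encode else "admin"
    return SecUser("admin", raw).save()
```

With a plain password the row holds a single encoded value that verifies against "admin"; with a pre-encoded value the hook encodes it a second time, so the stored value is still not cleartext but no longer matches "admin" at login.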
