user2809386

spring security encode password with bcrypt algorithm

I get something strange in Spring Security when encoding a password.

I am trying to change my password and save it to the database, but I always get an error because the strings are different,

like this..

in the controller:

println "password  = "+oldPass
println "password 1 = "+springSecurityService.encodePassword('password')
println "password 2 = "+springSecurityService.encodePassword('password')
println "password  = "+springSecurityService.encodePassword(oldPass)

and this is the output:

[screenshot of the console output]

It's strange: every time I call encodePassword, I get a different result.

I am using Grails 3.0.5 with the bcrypt algorithm:

grails.plugin.springsecurity.password.algorithm = 'bcrypt'

I put this line in application.groovy, like this:

// Added by the Spring Security Core plugin:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'com.akiong.security.User'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'com.akiong.security.UserRole'
grails.plugin.springsecurity.authority.className = 'com.akiong.security.Role'
grails.plugin.springsecurity.requestMap.className = 'com.akiong.security.RequestMap'
grails.plugin.springsecurity.securityConfigType = 'Requestmap'
grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/':                ['permitAll'],
    '/error':           ['permitAll'],
    '/index':           ['permitAll'],
    '/index.gsp':       ['permitAll'],
    '/shutdown':        ['permitAll'],
    '/assets/**':       ['permitAll'],
    '/**/js/**':        ['permitAll'],
    '/**/css/**':       ['permitAll'],
    '/**/images/**':    ['permitAll'],
    '/**/favicon.ico':  ['permitAll']
]
grails.plugin.springsecurity.password.algorithm = 'bcrypt'

But when I create a user account in BootStrap and save it to the database, then log in, it works correctly.


Upvotes: 1

Views: 3815

Answers (1)

Igor Artamonov

Reputation: 35961

It's a feature: bcrypt uses a random salt, so each time it generates a different hash, even for the same password.

If you want to check whether the entered password is valid, you need to use passwordEncoder.isPasswordValid in Grails, like:

assert passwordEncoder.isPasswordValid( 
       '$2a$10$Qb7ENpWOSsFUS2UvwT1BRefZhn55roXPgUI8fjJRm6c/nR3JIQP8a',
       'password', null)
assert passwordEncoder.isPasswordValid(
       '$2a$10$sC3.yrmNn2VLS2Aer359rei/DxoLlwFq7s6ndAHm10ncyQpIr3MfO',
       'password', null)

or, for plain Spring Security, passwordEncoder.matches:

assert passwordEncoder.matches('password', 
       '$2a$10$Qb7ENpWOSsFUS2UvwT1BRefZhn55roXPgUI8fjJRm6c/nR3JIQP8a')
assert passwordEncoder.matches('password', 
       '$2a$10$sC3.yrmNn2VLS2Aer359rei/DxoLlwFq7s6ndAHm10ncyQpIr3MfO')

To autowire the passwordEncoder bean, just define it as a property of your class:

def passwordEncoder

Upvotes: 3
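The behaviour the answer describes, as an added stand-alone Java example (not code from the question, the answer, or the Grails plugin). It uses Spring Security's `BCryptPasswordEncoder` directly, so it runs outside Grails; the `storedHash` field and the `changePassword` flow are constructed to stand in for the asker's User row and password-change controller. It shows why two encodings of the same password never compare equal, where the random salt sits inside the 60-character hash string, and the correct `matches`-based check to use when changing a password.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptDemo {

    // Cost factor 10 matches the "$2a$10$" prefix of the hashes quoted in the answer.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(10);

    // Constructed sample: stands in for the hash stored on a User row in the database.
    static String storedHash = ENCODER.encode("password");

    /** Correct check: bcrypt re-hashes rawPassword with the salt embedded in hash. */
    static boolean verify(String rawPassword, String hash) {
        return ENCODER.matches(rawPassword, hash);
    }

    /** The asker's approach: encode again and compare strings. Always false, because
     *  encode() draws a fresh random salt on every call. */
    static boolean verifyByReencoding(String rawPassword, String hash) {
        return ENCODER.encode(rawPassword).equals(hash);
    }

    /** Password-change flow: prove knowledge of the old password with matches(),
     *  then store a fresh encoding of the new one. Never compare encoded strings. */
    static boolean changePassword(String oldPassword, String newPassword) {
        if (!verify(oldPassword, storedHash)) {
            return false; // old password wrong: leave the stored hash untouched
        }
        storedHash = ENCODER.encode(newPassword);
        return true;
    }

    /** Split a modular-crypt bcrypt string into its fields: $<version>$<cost>$<22-char salt><31-char digest>. */
    static String describe(String hash) {
        String[] parts = hash.split("\\$"); // ["", "2a", "10", salt+digest]
        String saltAndDigest = parts[3];
        return "version=" + parts[1]
             + " cost=" + parts[2]
             + " salt=" + saltAndDigest.substring(0, 22)
             + " digest=" + saltAndDigest.substring(22);
    }

    public static void main(String[] args) {
        String h1 = ENCODER.encode("password");
        String h2 = ENCODER.encode("password");

        // Same password, different salt, therefore different digest and different string.
        System.out.println(describe(h1));
        System.out.println(describe(h2));
        System.out.println("h1 equals h2?              " + h1.equals(h2));                  // false
        System.out.println("matches(password, h1)?     " + verify("password", h1));         // true
        System.out.println("matches(password, h2)?     " + verify("password", h2));         // true
        System.out.println("matches(wrong, h1)?        " + verify("wrong", h1));            // false
        System.out.println("re-encode and compare?     " + verifyByReencoding("password", h1)); // false

        // Password change: wrong old password is rejected, correct one rotates the stored hash.
        System.out.println("change with wrong old?     " + changePassword("wrong", "newpass"));    // false
        System.out.println("change with correct old?   " + changePassword("password", "newpass")); // true
        System.out.println("new password now matches?  " + verify("newpass", storedHash));         // true
        System.out.println("old password still works?  " + verify("password", storedHash));        // false
    }
}
```

Compile against `spring-security-crypto` on the classpath. The `describe` output for the two hashes in the answer shows identical version and cost fields and different salt fields, which is the whole reason the asker's `println` lines never agree.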
