Grails Spring-Security -how to compare passwords-

Asked 9/6, 2014 at 7:56 Answered 6/9, 2021 at 14:43

Im using SpringSecurity 2.0-RC2 and want users to give the possibilty to change their passwords while they are online.

My User domain class has the following

def beforeInsert() {
    encodePassword()
}

def beforeUpdate() {
    if (isDirty('password')) {
        encodePassword()
    }
}

protected void encodePassword() {
    password = springSecurityService.encodePassword(password)
}

To check whether the user was enterering the correct current password i was doing the following in a controller:

if (springSecurityService.encodePassword(params.currentPassword) == user.password) {

... but surprsingly (for me) the check always fails. Even more strange if im doing this:

            println springSecurityService.encodePassword(params.currentPassword)
            println springSecurityService.encodePassword(params.currentPassword)

i receive the following in the console

$2a$10$sWt7mUSHPFT.Np6m.gXyl.h8tWqblJbwtzQ6EQeMHxXMoGwOffC3e $2a$10$lwHz1SkNlW8ibznt.mOiruAg5eG/BTtsjM7ChyYVBvamRcrL8tucm

(like there would be a salt - but i didnt configure one myself)

My Settings are more or less the default settings; except the package names of the three domain classes.

As the documention is down since severely days im asking here if somebody has a idea what im doing wrong...

Padus answered 9/6, 2014 at 7:56 Comment(0)

Try this

def passwordEncoder
...
passwordEncoder.isPasswordValid(user.password, params.currentPassword, null)

See this post for more detail.

Colophon answered 9/6, 2014 at 8:7 Comment(2)

Thanks! Do you have any idea why params.currentPassword == springSecurityService.encodePassword(password) doesn't work? – Aesthetically 10/6, 2016 at 16:15

It does not work for me. I am using Grails 3.3.0 and spring security core :3.2.0.M1 . In the database h2 I see the passwords are hashed starting with $2 which I don't think could be a reversible process to get the plain password. Anyway, this method passwordEncoder.isPasswordValid(user.password, params.currentPassword, null) does not help. – Muscadel 19/9, 2017 at 21:15

def springSecurityService
if(springSecurityService?.passwordEncoder?.matches(currentPassword , 
currentUser.password )){
 println("password matched")
}

Whereas: currentPassword = raw/not encoded password

currentUser.password = encoded password

Gopak answered 6/9, 2021 at 14:43 Comment(1)

Yes, this works in Grails 4.0.11 too. Needed this to add a change password form and verify current password – Imparisyllabic 8/3, 2022 at 7:49

The other way to do with out be to use :


new BCryptPasswordEncoder().matches(plainPassword,encodedUserPassword);

where plain password is the raw password value and encoded password is the password that has been hashed by springSecurityService

Alicyclic answered 10/6, 2021 at 10:46 Comment(1)

Works, but if your password in database is like {bcrypt}$2a$10$vlzlC1vPDj5DKc3WYnOeE you need to remove {brcrypt} before to use matches. – Nannie 19/9, 2022 at 2:39

-1

def springSecurityService


if(user.password == springSecurityService.encodePassword(params.currentPassword)){
  println("User Password and params password is same")
} else {
  println("User Password and params password are not equal")
}

Simpson answered 9/6, 2014 at 11:31 Comment(0)

Recommended topics

Hot tags