10

I'm using Spring Security 2.0-RC2 and want to give users the possibility to change their passwords while they are online.

My User domain class has the following:

// assumed declaration (as in the plugin's generated User class): the service is
// injected by Grails and marked transient so GORM does not try to persist it
transient springSecurityService

def beforeInsert() {
    encodePassword()
}

def beforeUpdate() {
    // only re-hash when the password field itself changed
    if (isDirty('password')) {
        encodePassword()
    }
}

protected void encodePassword() {
    password = springSecurityService.encodePassword(password)
}

To check whether the user entered the correct current password, I was doing the following in a controller:

if (springSecurityService.encodePassword(params.currentPassword) == user.password) {
    // current password accepted, continue with the change
}

... but surprisingly (for me) the check always fails. Even stranger, if I do this:

println springSecurityService.encodePassword(params.currentPassword)
println springSecurityService.encodePassword(params.currentPassword)

I receive the following in the console:

$2a$10$sWt7mUSHPFT.Np6m.gXyl.h8tWqblJbwtzQ6EQeMHxXMoGwOffC3e
$2a$10$lwHz1SkNlW8ibznt.mOiruAg5eG/BTtsjM7ChyYVBvamRcrL8tucm

(as if there were a salt, but I didn't configure one myself)

My settings are more or less the defaults, except for the package names of the three domain classes.

As the documentation has been down for several days, I'm asking here if somebody has an idea what I'm doing wrong...

Develop4Life
StephanM

4 Answers

17

Try this:

// the PasswordEncoder bean registered by the plugin, injected by name
def passwordEncoder
...
// isPasswordValid(encodedPassword, rawPassword, salt): bcrypt keeps the salt inside the stored hash, so pass null
passwordEncoder.isPasswordValid(user.password, params.currentPassword, null)

See this post for more detail.

MKB
  • Thanks! Do you have any idea why `params.currentPassword == springSecurityService.encodePassword(password)` doesn't work? – Alexander Suraphel Jun 10 '16 at 16:15
  • It does not work for me. I am using Grails 3.3.0 and spring security core 3.2.0.M1. In the database h2 I see the passwords are hashed starting with $2 which I don't think could be a reversible process to get the plain password. Anyway, this method passwordEncoder.isPasswordValid(user.password, params.currentPassword, null) does not help. – JPerk Sep 19 '17 at 21:15
2
def springSecurityService

// matches(rawPassword, encodedPassword): the encoder reads the salt out of the stored hash
if (springSecurityService?.passwordEncoder?.matches(currentPassword, currentUser.password)) {
    println("password matched")
}

Where: currentPassword is the raw (not encoded) password, and currentUser.password is the encoded password.

dhiraj
  • Yes, this works in Grails 4.0.11 too. Needed this to add a change password form and verify current password – A.W. Mar 08 '22 at 07:49
1

The other way to do it would be to use:

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder

// a fresh encoder can verify any bcrypt hash, because the salt and cost are stored inside the hash itself
new BCryptPasswordEncoder().matches(plainPassword, encodedUserPassword);

where plainPassword is the raw password value and encodedUserPassword is the password that has been hashed by springSecurityService.

  • Works, but if your password in the database is like {bcrypt}$2a$10$vlzlC1vPDj5DKc3WYnOeE you need to remove {bcrypt} before using matches. – FrEqDe Sep 19 '22 at 02:39
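Added example (not from any answer on this page) showing in plain Java with Spring Security's BCryptPasswordEncoder why the question's re-encode-and-compare always fails, and why the {bcrypt} prefix FrEqDe mentions does not need stripping when a DelegatingPasswordEncoder is used; the password value and cost are constructed for illustration, and it assumes spring-security-crypto on the classpath.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class CurrentPasswordCheck {

    /** The controller check from the question, done the way the answers above describe. */
    static boolean currentPasswordIsValid(PasswordEncoder encoder, String storedHash, String submitted) {
        if (submitted == null || storedHash == null) {
            return false;
        }
        // matches() parses cost and salt out of storedHash and re-derives with them
        return encoder.matches(submitted, storedHash);
    }

    public static void main(String[] args) {
        // cost 10 corresponds to the "$10$" in the hashes printed in the question
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder(10);

        String stored = bcrypt.encode("correct horse");  // constructed: what beforeInsert() would persist
        String again  = bcrypt.encode("correct horse");

        // every encode() call draws a fresh random salt and embeds it in the output,
        // so two hashes of the same password differ and string equality is meaningless
        System.out.println(stored);
        System.out.println(again);
        System.out.println("equal strings?  " + stored.equals(again));                          // false

        System.out.println("right password? " + currentPasswordIsValid(bcrypt, stored, "correct horse")); // true
        System.out.println("wrong password? " + currentPasswordIsValid(bcrypt, stored, "correct hors"));  // false

        // Spring Security 5+ stores "{bcrypt}$2a$10$..." by default; the delegating encoder
        // reads the {id} prefix itself, so the prefix does not have to be stripped by hand
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String prefixed = delegating.encode("correct horse");
        System.out.println("prefixed?       " + prefixed.startsWith("{bcrypt}"));              // true
        System.out.println("prefix handled? " + currentPasswordIsValid(delegating, prefixed, "correct horse")); // true
    }
}
```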
-1
def springSecurityService

// hashes the submitted password again and compares the result with the stored hash
if (user.password == springSecurityService.encodePassword(params.currentPassword)) {
  println("User Password and params password is same")
} else {
  println("User Password and params password are not equal")
}

Anand Kushwaha