
Friday, May 29, 2015

Grails 3 App with Security (Part 3) - Password Encoding with Bcrypt

This is the third post in the Grails 3 App with Security series, so if you have questions about dependencies, please consult the first and second posts. In this post we will add BCrypt password encoding to our GORM-based user and authentication provider. As with the previous posts, my GitHub repository for this series, https://github.com/dspies/grails-3-with-security, contains a tag ('GORM-based auth with bcrypt') with the code below.

To demonstrate that the application is encoding the password with BCrypt we will use the dbConsole provided in Grails. However, this interface uses frames and does not handle CSRF tokens, so we need to do a little configuration to display the dbConsole. I would suggest reverting these changes if you plan to put your application into production as they disable CSRF and frame protection. With those warnings in place, let's make the changes.

grails-app/init/simpleappwithsecurity/SecurityConfiguration.groovy
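As an added example (not the post's own listing), here is one way to relax the two protections the H2 console trips over. It assumes, as in the earlier parts of the series, that SecurityConfiguration is a Spring Security 4 Java-config class extending WebSecurityConfigurerAdapter, and it narrows the relaxation further than the text describes: CSRF checking is skipped only for /dbconsole/**, frames are allowed only from the same origin, and both changes apply only while Grails runs in development mode, so nothing needs to be reverted before a production build.

```groovy
package simpleappwithsecurity

import grails.util.Environment
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

@Configuration
@EnableWebSecurity
class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Assumption: the same baseline as the earlier posts, every request
        // needs an authenticated user and login is form based.
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()

        // The H2 console submits forms without a CSRF token and renders itself
        // in frames. Relax both protections only for its own path and only in
        // development, rather than disabling them for the whole application.
        if (Environment.isDevelopmentMode()) {
            http.csrf().ignoringAntMatchers('/dbconsole/**')
            http.headers().frameOptions().sameOrigin()
        }
    }
}
```

Because the guard is evaluated at startup, `grails run-app` (development) gets the relaxed settings while a packaged war started with `-Dgrails.env=production` keeps full CSRF and X-Frame-Options: DENY protection; you can confirm the difference by checking the response headers on any page in each environment.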

At this point, when you run the app you should be able to navigate to http://localhost:8080/dbconsole/ and see the H2 web client. Change the JDBC URL if necessary to connect to the in-memory database (mine is jdbc:h2:mem:devDb;MVCC=TRUE;LOCK_TIMEOUT=10000;DB_CLOSE_ON_EXIT=FALSE) and connect. Now, inside the H2 client, when you look at the records in the USER table you will see that the passwords are stored in plain text. That is not good, but it is easily fixed.

Adding Password Encoding (BCrypt)

In order to add password encoding to our application, we need to do three things:

  1. Create a password encoder bean
  2. Add code to encode our passwords when creating/updating user's passwords
  3. Tell our authentication provider what password encoding we are using, so it can appropriately match existing passwords

Create a Password Encoding bean

Spring Security already comes with a BCrypt password encoder, so we just need to wire it up in our Spring beans. Add the following code to resources.groovy.

grails-app/conf/spring/resources.groovy
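An added example of the bean definition (not the post's own listing) using the Grails bean DSL. The bean name passwordEncoder is an assumption that the later steps rely on; the constructor argument is BCrypt's work factor.

```groovy
// grails-app/conf/spring/resources.groovy
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder

beans = {
    // Work factor 10 means 2^10 hashing rounds (Spring's default). Each +1
    // doubles the cost for you and for anyone who steals the USER table, so
    // pick the highest value whose login latency you can live with. The
    // factor is stored inside each hash, so it can be raised later without
    // invalidating existing hashes.
    passwordEncoder(BCryptPasswordEncoder, 10)
}
```

A BCryptPasswordEncoder generates a fresh random salt per call to encode(), so two users with the same password still get different stored values; there is no separate salt column to manage.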

Encode passwords when creating/updating user's passwords

Next, we need to utilize this bean when creating a user or updating a user's password. Again, we will raid the Spring-Security-Core plugin from Grails 2, and add some code to the insert and update hooks provided by GORM to encode the user's password before saving/updating the user object.

grails-app/domain/example/User.groovy
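An added example of the domain class (not the post's own listing), modelled on the GORM hooks the Grails 2 spring-security-core plugin generates. It assumes the passwordEncoder bean name from resources.groovy and that GORM autowires Spring beans into domain classes (the Grails 3.0 default); the transient modifier keeps the injected bean out of the persisted columns.

```groovy
package example

import org.springframework.security.crypto.password.PasswordEncoder

class User {
    // Injected by name from the Spring context; never persisted.
    transient PasswordEncoder passwordEncoder

    String username
    String password
    boolean enabled = true

    static constraints = {
        username blank: false, unique: true
        password blank: false
    }

    static mapping = {
        // PASSWORD is a reserved word in some databases, hence the quoting.
        // A BCrypt hash is always 60 characters.
        password column: '`password`', length: 60
    }

    def beforeInsert() {
        encodePassword()
    }

    def beforeUpdate() {
        // Only re-encode when the password field itself changed; encoding on
        // every save would hash the existing hash and lock the user out.
        if (isDirty('password')) {
            encodePassword()
        }
    }

    protected void encodePassword() {
        password = passwordEncoder.encode(password)
    }
}
```

Rows that were written before these hooks existed still contain plaintext and will no longer authenticate once the provider compares with BCrypt; with the in-memory H2 database a restart recreates them through whatever seeds the table (BootStrap, in the earlier posts), but a persistent database would need those passwords reset.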

Configure Authentication Provider

Finally, we need to tell the authentication provider what password encoding we are using, so it can appropriately match the user credentials when they try to authenticate. Fortunately, all we have to do is add a few lines to the SecurityConfiguration and we are done.

grails-app/init/simpleappwithsecurity/SecurityConfiguration.groovy

2 comments:

  1. Hi,

    I've read all of your tutorials and they are absolutely great.
    I was just wondering, is there going to be a tutorial about e-mail confirmation? When a user registers, it sends a verification link to their e-mail.
  2. Yeah, registration was one of the key features of the spring security UI plugin for Grails 2.x.
    I also would love a tutorial about that :)