This is the third post in the Grails 3 App with Security series, so if you have questions about dependencies, please consult the the first and second posts. In this post we will be adding BCrypt password encoding to our GORM-based user and authentication provider. As for the previous steps, my github repository for this series https://github.com/dspies/grails-3-with-security contains a tag ('GORM-based auth with bcrypt') with this code below.
To demonstrate that the application is encoding the password with BCrypt we will use the dbConsole provided in Grails. However, this interface uses frames and does not handle CSRF tokens, so we need to do a little configuration to display the dbConsole. I would suggest reverting these changes if you plan to put your application into production as they disable CSRF and frame protection. With those warnings in place, let's make the changes.
grails-app/init/simpleappwithsecurity/SecurityConfiguration.groovy
| ... | |
| @Override | |
| protected void configure(HttpSecurity http) throws Exception { | |
| http | |
| .authorizeRequests() | |
| .antMatchers('/admin/**').hasAnyRole('ADMIN') | |
| .antMatchers('/home/**').hasAnyRole('USER', 'ADMIN') | |
| .antMatchers('/').permitAll() | |
| .and() | |
| .formLogin().permitAll() | |
| .and() | |
| .logout().permitAll() | |
| // Added *ONLY* to display the dbConsole. | |
| // Best not to do this in production. If you need frames, it would be best to use | |
| // http.headers().frameOptions().addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)); | |
| // or in Spring Security 4, changing .disable() to .sameOrigin() | |
| http.headers().frameOptions().disable() | |
| // Again, do not do this in production unless you fully understand how to mitigate Cross-Site Request Forgery | |
| // https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet | |
| http.csrf().disable() | |
| } | |
| ... |
At this point, when you run the app you should be able to navigate to http://localhost:8080/dbconsole/ and see the H2 web-client. Change the JDBC URL if necessary to connect to the in-memory database (Mine is jdbc:h2:mem:devDb;MVCC=TRUE;LOCK_TIMEOUT=10000;DB_CLOSE_ON_EXIT=FALSE) and connect. Now inside the H2 client, when you look at the records in the USER table, you will see the passwords are stored in plain-text. That is not good, but easily fixed.
Adding Password Encoding (BCrypt)
In order to add password encoding to our application, we need to do 3 things:
- Create a password encoder bean
- Add code to encode our passwords when creating/updating user's passwords
- Tell our authentication provider what password encoding we are using, so it can appropriately match existing passwords
Create a Password Encoding bean
Spring Security already comes with a BCrypt password encoder, so we just need to wire it up in our Spring beans. Add the following code to resources.groovy
grails-app/conf/spring/resources.groovy
| import example.GormUserDetailsService | |
| import simpleappwithsecurity.SecurityConfiguration | |
| import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder | |
| beans = { | |
| webSecurityConfiguration(SecurityConfiguration) | |
| passwordEncoder(BCryptPasswordEncoder) | |
| userDetailsService(GormUserDetailsService) | |
| } |
Encode passwords when creating/updating user's passwords
Next, we need to utilize this bean when creating a user or updating a user's password. Again, we will raid the Spring-Security-Core plugin from Grails 2, and add some code to the insert and update hooks provided by GORM to encode the user's password before saving/updating the user object.
grails-app/domain/example/User.groovy
| //unnecessary if passwordEncoder is defined `def passwordEncoder` | |
| import org.springframework.security.crypto.password.PasswordEncoder | |
| class User { | |
| //This could be defined as `def passwordEncoder` as well and the import would be unnecessary | |
| PasswordEncoder passwordEncoder | |
| static transients = ['passwordEncoder'] | |
| ... | |
| def beforeInsert() { | |
| encodePassword() | |
| } | |
| def beforeUpdate() { | |
| if (isDirty('password')) { | |
| encodePassword() | |
| } | |
| } | |
| protected void encodePassword() { | |
| password = passwordEncoder.encode(password) | |
| } | |
| } |
Configure Authentication Provider
Finally, we need to tell the authentication provider what password encoding we are using, so it can appropriately match the user credentials when they try to authenticate. Fortunately, all we have to do is add a few lines to the SecurityConfiguration and we are done.
grails-app/init/simpleappwithsecurity/SecurityConfiguration.groovy
| ... | |
| //unnecessary if passwordEncoder is defined as `def passwordEncoder` | |
| import org.springframework.security.crypto.password.PasswordEncoder | |
| ... | |
| //Could also be defined as `def passwordEncoder` | |
| @Autowired | |
| PasswordEncoder passwordEncoder | |
| @Autowired | |
| protected void globalConfigure(AuthenticationManagerBuilder auth) throws Exception { | |
| auth | |
| .userDetailsService(userDetailsService) | |
| .passwordEncoder(passwordEncoder) | |
| } | |
| } |
Hi,
ReplyDeleteI've read all of your tutorial and they are absolutely great.
I was just wondering is there going to be a tutorial about e-mail confirmation. When user registers it sends verification link to e-mail
Yeah registration was one of the key features of the sprint security UI plugin for Grails 2.x
ReplyDeleteI also would love a tutorial about that :)