This is the third post in the Grails 3 App with Security series, so if you have questions about dependencies, please consult the the first and second posts. In this post we will be adding BCrypt password encoding to our GORM-based user and authentication provider. As for the previous steps, my github repository for this series https://github.com/dspies/grails-3-with-security contains a tag ('GORM-based auth with bcrypt') with this code below.
To demonstrate that the application is encoding the password with BCrypt we will use the dbConsole provided in Grails. However, this interface uses frames and does not handle CSRF tokens, so we need to do a little configuration to display the dbConsole. I would suggest reverting these changes if you plan to put your application into production as they disable CSRF and frame protection. With those warnings in place, let's make the changes.
grails-app/init/simpleappwithsecurity/SecurityConfiguration.groovy
At this point, when you run the app you should be able to navigate to http://localhost:8080/dbconsole/ and see the H2 web-client. Change the JDBC URL if necessary to connect to the in-memory database (Mine is jdbc:h2:mem:devDb;MVCC=TRUE;LOCK_TIMEOUT=10000;DB_CLOSE_ON_EXIT=FALSE) and connect. Now inside the H2 client, when you look at the records in the USER table, you will see the passwords are stored in plain-text. That is not good, but easily fixed.
Adding Password Encoding (BCrypt)
In order to add password encoding to our application, we need to do 3 things:
- Create a password encoder bean
- Add code to encode our passwords when creating/updating user's passwords
- Tell our authentication provider what password encoding we are using, so it can appropriately match existing passwords
Create a Password Encoding bean
Spring Security already comes with a BCrypt password encoder, so we just need to wire it up in our Spring beans. Add the following code to resources.groovy
grails-app/conf/spring/resources.groovy
Encode passwords when creating/updating user's passwords
Next, we need to utilize this bean when creating a user or updating a user's password. Again, we will raid the Spring-Security-Core plugin from Grails 2, and add some code to the insert and update hooks provided by GORM to encode the user's password before saving/updating the user object.
grails-app/domain/example/User.groovy
Configure Authentication Provider
Finally, we need to tell the authentication provider what password encoding we are using, so it can appropriately match the user credentials when they try to authenticate. Fortunately, all we have to do is add a few lines to the SecurityConfiguration and we are done.
Hi,
ReplyDeleteI've read all of your tutorial and they are absolutely great.
I was just wondering is there going to be a tutorial about e-mail confirmation. When user registers it sends verification link to e-mail
Yeah registration was one of the key features of the sprint security UI plugin for Grails 2.x
ReplyDeleteI also would love a tutorial about that :)