In Grails 3.0, how do you specify that Spring Boot Security should use BCrypt for password encoding?
The following lines should provide a sense of what I think needs to be done (but I'm mostly just guessing):
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
PasswordEncoder passwordEncoder
passwordEncoder(BCryptPasswordEncoder)
My application loads spring-boot-starter-security as a dependency:
build.gradle
dependencies {
    ...
    compile "org.springframework.boot:spring-boot-starter-security"
}
And I have a service wired up for userDetailsService using:
conf/spring/resources.groovy
import com.example.GormUserDetailsService
import com.example.SecurityConfig
beans = {
webSecurityConfiguration(SecurityConfig)
userDetailsService(GormUserDetailsService)
}
Spring Security supports several password encoders; BCrypt is the usual choice for new code. The older encoders such as MD5PasswordEncoder and ShaPasswordEncoder wrap fast general-purpose hashes that an attacker can brute-force cheaply on commodity hardware, and they are deprecated.
BCrypt algorithm: the password is combined with a freshly generated random salt (128 bits, new for every call, so the same password never produces the same stored value twice) and run through the Blowfish-based bcrypt key schedule 2^cost times, where the cost (the strength passed to BCryptPasswordEncoder, default 10) is the work factor. Salt and cost are embedded in the resulting string ($2a$10$ followed by 22 salt characters and 31 hash characters), so verification needs no separate salt column and old hashes keep verifying after the strength is raised.
Spring Security exposes this through the PasswordEncoder interface: encode(rawPassword) produces the stored value and matches(rawPassword, encodedPassword) verifies a login attempt against it. The transformation is one way: the plaintext cannot be recovered from the stored value, which is the point.
NoOpPasswordEncoder (deprecated) is the exception: it stores the password as-is and is not secure. Use an adaptive one-way function instead: BCryptPasswordEncoder, Pbkdf2PasswordEncoder or SCryptPasswordEncoder.
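As an added illustration of the properties described above (example code written for this page, not from the question or the answer; it assumes only spring-security-crypto on the classpath, and the password string is made up), the following Java program encodes one password twice, verifies both results, reads the cost factor back out of the hash, shows that an encoder built with a different strength still verifies an older hash, and times a few cost factors:

```java
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BCryptDemo {

    // Parse the cost factor out of a bcrypt string.
    // Layout: $<version>$<cost>$<22 salt chars><31 hash chars>, e.g. "$2a$12$...".
    static int costOf(String hash) {
        String[] parts = hash.split("\\$");   // ["", "2a", "12", "<salt+hash>"]
        return Integer.parseInt(parts[2]);
    }

    public static void main(String[] args) {
        // strength 12 means 2^12 iterations of the key schedule
        PasswordEncoder encoder = new BCryptPasswordEncoder(12);
        String raw = "correct horse battery staple";   // constructed sample password

        String hash1 = encoder.encode(raw);
        String hash2 = encoder.encode(raw);

        // A fresh random salt is drawn on every encode(), so the two strings differ...
        System.out.println(hash1);
        System.out.println(hash2);
        System.out.println("hashes differ: " + !hash1.equals(hash2));

        // ...yet both verify, because matches() reads the salt back out of each hash.
        System.out.println("matches hash1: " + encoder.matches(raw, hash1));
        System.out.println("matches hash2: " + encoder.matches(raw, hash2));
        System.out.println("wrong password: " + encoder.matches("wrong", hash1));

        // The cost is stored in the hash as well, so an encoder configured with a
        // different strength still verifies hashes produced at the old strength.
        System.out.println("cost stored in hash: " + costOf(hash1));
        PasswordEncoder weaker = new BCryptPasswordEncoder(4);
        System.out.println("strength-4 encoder verifies cost-12 hash: "
                + weaker.matches(raw, hash1));

        // A value that is not a bcrypt string (e.g. a plaintext password that was
        // stored by mistake) never matches; the encoder only logs a warning.
        System.out.println("plaintext stored value matches: " + encoder.matches(raw, raw));

        // Each +1 on the cost doubles the work; measure it to pick a sensible strength.
        for (int cost = 4; cost <= 12; cost += 4) {
            long start = System.nanoTime();
            BCrypt.hashpw(raw, BCrypt.gensalt(cost));
            long millis = (System.nanoTime() - start) / 1_000_000;
            System.out.println("cost " + cost + ": " + millis + " ms");
        }
    }
}
```

Two caveats worth keeping in mind: bcrypt only uses the first 72 bytes of the input, so very long passphrases are silently truncated, and the strength should be tuned on the authentication host so that a single hash costs on the order of a few hundred milliseconds rather than being left at whatever the default happens to be.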
I have the following code in grails-app/conf/spring/resources.groovy
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
beans = {
bcryptEncoder(BCryptPasswordEncoder)
}
and I have a Java file that does the configuration as described by Spring Security. It should be possible to do it in Groovy too, but I did it in Java.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebMvcSecurity   // deprecated from Spring Security 4 on; @EnableWebSecurity replaces it there
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // the bean defined in grails-app/conf/spring/resources.groovy
    @Autowired
    BCryptPasswordEncoder bcryptEncoder;

    // the userDetailsService bean (GormUserDetailsService) from resources.groovy
    @Autowired
    UserDetailsService myDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // myDetailsService should be changed to your user details service;
        // the password encoder is the bean defined in grails-app/conf/spring/resources.groovy
        auth.userDetailsService(myDetailsService)
            .passwordEncoder(bcryptEncoder);
    }
}
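To show what that wiring does at runtime, here is an added, self-contained Java example (written for this page; it is not the answer's code and not Grails code). GormUserDetailsService is replaced by an in-memory stand-in, and the usernames and passwords are constructed. It builds the same DaoAuthenticationProvider that auth.userDetailsService(...).passwordEncoder(...) configures behind the scenes, registers one user with a BCrypt hash and one with a plaintext password stored by mistake, and authenticates against both:

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BCryptWiringDemo {

    // Hypothetical stand-in for GormUserDetailsService: username -> stored password value.
    static class InMemoryUserDetailsService implements UserDetailsService {
        private final Map<String, String> storedPasswords = new ConcurrentHashMap<>();
        private final PasswordEncoder encoder;

        InMemoryUserDetailsService(PasswordEncoder encoder) {
            this.encoder = encoder;
        }

        // Registration path: hash once with the same encoder the provider will use,
        // and persist only the hash.
        void register(String username, String rawPassword) {
            storedPasswords.put(username, encoder.encode(rawPassword));
        }

        // The mistake this demo exposes: persisting the raw password. The encoder
        // is only consulted at login, so nothing hashes this value later.
        void registerPlaintext(String username, String rawPassword) {
            storedPasswords.put(username, rawPassword);
        }

        @Override
        public UserDetails loadUserByUsername(String username) {
            String stored = storedPasswords.get(username);
            if (stored == null) {
                throw new UsernameNotFoundException(username);
            }
            // The password returned here is the stored value; the provider hands it,
            // together with the submitted password, to PasswordEncoder.matches().
            return new User(username, stored, AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
    }

    // Runs one login attempt through the provider and reports success or failure.
    static boolean login(DaoAuthenticationProvider provider, String username, String password) {
        try {
            Authentication result = provider.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            return result.isAuthenticated();
        } catch (BadCredentialsException e) {
            // wrong password, non-bcrypt stored value, or (hidden by default) unknown user
            return false;
        }
    }

    public static void main(String[] args) {
        PasswordEncoder bcryptEncoder = new BCryptPasswordEncoder(10);
        InMemoryUserDetailsService users = new InMemoryUserDetailsService(bcryptEncoder);
        users.register("alice", "s3cret");            // constructed sample users
        users.registerPlaintext("bob", "s3cret");

        // Equivalent of auth.userDetailsService(users).passwordEncoder(bcryptEncoder)
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(bcryptEncoder);

        System.out.println("alice / s3cret : " + login(provider, "alice", "s3cret"));
        System.out.println("alice / wrong  : " + login(provider, "alice", "wrong"));
        // bob's stored value is not a bcrypt string, so matches() returns false
        // and the provider raises BadCredentialsException
        System.out.println("bob / s3cret   : " + login(provider, "bob", "s3cret"));
        System.out.println("carol / s3cret : " + login(provider, "carol", "s3cret"));
    }
}
```

The practical consequence for the Grails setup in the question: wiring BCryptPasswordEncoder into the AuthenticationManagerBuilder only covers verification. The code that creates or updates users (the GORM domain class, a service, or a bootstrap script) must call the same encoder's encode() before saving, otherwise every login fails with bad credentials and a warning that the stored value does not look like BCrypt.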