Grails Spring-Security -how to compare passwords-

Question

Im using SpringSecurity 2.0-RC2 and want users to give the possibilty to change their passwords while they are online.

My User domain class has the following

def beforeInsert() {
    encodePassword()
}

def beforeUpdate() {
    if (isDirty('password')) {
        encodePassword()
    }
}

protected void encodePassword() {
    password = springSecurityService.encodePassword(password)
}

To check whether the user was enterering the correct current password i was doing the following in a controller:

if (springSecurityService.encodePassword(params.currentPassword) == user.password) {    

... but surprsingly (for me) the check always fails. Even more strange if im doing this:

            println springSecurityService.encodePassword(params.currentPassword)
            println springSecurityService.encodePassword(params.currentPassword)

i receive the following in the console

$2a$10$sWt7mUSHPFT.Np6m.gXyl.h8tWqblJbwtzQ6EQeMHxXMoGwOffC3e $2a$10$lwHz1SkNlW8ibznt.mOiruAg5eG/BTtsjM7ChyYVBvamRcrL8tucm

(like there would be a salt - but i didnt configure one myself)

My Settings are more or less the default settings; except the package names of the three domain classes.

As the documention is down since severely days im asking here if somebody has a idea what im doing wrong...

Answer 1

def springSecurityService
if(springSecurityService?.passwordEncoder?.matches(currentPassword , 
currentUser.password )){
 println("password matched")
}

Whereas: currentPassword = raw/not encoded password

currentUser.password = encoded password

Answer 2

Try this

def passwordEncoder
...
passwordEncoder.isPasswordValid(user.password, params.currentPassword, null)

See this post for more detail.