As I was getting started on a Grails project, I was impressed with how easily the Acegi Spring Security plugin integrated with it. However, after adding a few users with the same password, I noticed that all of their hashes were identical: the passwords were not being salted with any user property at all.
To add Spring's ReflectionSaltSource to the Grails DaoAuthenticationProvider, start by declaring the salt source as a bean in grails-app/conf/spring/resources.groovy.
    import org.springframework.security.providers.dao.salt.ReflectionSaltSource

    beans = {
        // Salt each user's password with the value of that user's "username" property
        saltSource( ReflectionSaltSource ) {
            userPropertyToUse = "username"
        }
    }

The code above creates a saltSource bean that we can use for dependency injection throughout our Grails project. The next step is to inject our ReflectionSaltSource into the daoAuthenticationProvider. I chose to do this in BootStrap.groovy. Below is a sample of my BootStrap.groovy.
    class BootStrap {
        // Both beans are injected by Grails by name
        def daoAuthenticationProvider
        def saltSource

        def init = { servletContext ->
            // Wire the salt source into the provider that checks passwords at login
            daoAuthenticationProvider.saltSource = saltSource
        }

        def destroy = {}
    }
We have now set up Acegi authentication to use our ReflectionSaltSource with the username property. One more gotcha remains, however. If you generated the RegistrationController with the Acegi plugin, you'll need to change how it encodes passwords for new users; otherwise it will keep encoding them the old, unsalted way, and those users will never be able to authenticate.
In the RegistrationController, you'll see it calling authenticateService.encodePassword to encode new passwords. Change that call to use the daoAuthenticationProvider's passwordEncoder, passing the username as the salt (the controller needs a `def daoAuthenticationProvider` property, as in BootStrap.groovy, so that Grails injects the bean):

    daoAuthenticationProvider.passwordEncoder.encodePassword( passwd, username )
Now all of your users' password hashes will be salted with their username. Keep in mind that you can't let users change their usernames, or they will no longer be able to log in: the salt computed at login will differ from the one used when the hash was stored. The same applies to users created before this change, since their unsalted hashes will not verify against the salted encoder; they will need to reset their passwords. This simple step makes your Grails application more secure: an intruder who gets hold of the database can no longer spot shared passwords by looking for identical hashes, and cannot attack every user at once with a single precomputed table. Note, though, that the username is neither secret nor random, so each user's hash can still be brute-forced individually; a random per-user salt stored alongside the hash is the stronger option.
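As an added example (not code from the original post or from the Acegi plugin), here is a Python model of the wiring described above, so you can see what the salt source changes without a Grails app. The password{salt} merge and the hex-encoded digest mirror Spring Security 2.0's MessageDigestPasswordEncoder; the SHA-1 algorithm and the User, register and authenticate helpers are assumptions for illustration, and the user names and passwords are constructed sample data. It also reproduces the two gotchas: a renamed user and a user created before the change both stop verifying.

```python
"""Added example, not from the original post or the Acegi plugin: a Python model
of ReflectionSaltSource wiring. The "password{salt}" merge and hex digest mirror
Spring Security 2.0's MessageDigestPasswordEncoder; SHA-1 and the User/register/
authenticate helpers are assumptions for illustration."""
import hashlib
import hmac
from dataclasses import dataclass


def merge_password_and_salt(raw_password: str, salt) -> str:
    # BasePasswordEncoder.mergePasswordAndSalt: "password{salt}", or the bare
    # password when no salt source is wired (the post's original situation).
    if salt is None or str(salt) == "":
        return raw_password
    return f"{raw_password}{{{salt}}}"


def encode_password(raw_password: str, salt=None, algorithm: str = "sha1") -> str:
    # MessageDigestPasswordEncoder.encodePassword with encodeHashAsBase64=false.
    merged = merge_password_and_salt(raw_password, salt)
    return hashlib.new(algorithm, merged.encode("utf-8")).hexdigest()


def is_password_valid(stored_hash: str, raw_password: str, salt=None,
                      algorithm: str = "sha1") -> bool:
    # Constant-time comparison of the stored hash against a fresh computation.
    return hmac.compare_digest(stored_hash, encode_password(raw_password, salt, algorithm))


@dataclass
class User:
    username: str
    password: str  # the stored hash, as in the plugin's user domain class


class ReflectionSaltSource:
    """Reads the salt off the user object by property name, like
    ReflectionSaltSource(userPropertyToUse = "username")."""

    def __init__(self, user_property_to_use: str):
        self.user_property_to_use = user_property_to_use

    def get_salt(self, user: User):
        return getattr(user, self.user_property_to_use)


def register(username: str, raw_password: str, salt_source=None) -> User:
    # RegistrationController after the fix: encode with the same salt the
    # DaoAuthenticationProvider will derive at login. (Hypothetical helper.)
    user = User(username=username, password="")
    salt = salt_source.get_salt(user) if salt_source else None
    user.password = encode_password(raw_password, salt)
    return user


def authenticate(user: User, raw_password: str, salt_source=None) -> bool:
    # What DaoAuthenticationProvider does at login. (Hypothetical helper.)
    salt = salt_source.get_salt(user) if salt_source else None
    return is_password_valid(user.password, raw_password, salt)


def distinct_hash_count(usernames, shared_password: str, salt_source=None) -> int:
    # How many different hashes do N users who share one password end up with?
    users = [register(name, shared_password, salt_source) for name in usernames]
    return len({u.password for u in users})


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]  # constructed sample data
    src = ReflectionSaltSource("username")
    print("unsalted distinct hashes:", distinct_hash_count(names, "hunter2"))        # 1
    print("username-salted distinct hashes:", distinct_hash_count(names, "hunter2", src))  # 3
    alice = register("alice", "hunter2", src)
    print("login before rename:", authenticate(alice, "hunter2", src))  # True
    alice.username = "alice2"  # the salt changes, so the stored hash no longer verifies
    print("login after rename:", authenticate(alice, "hunter2", src))   # False
    legacy = register("dave", "hunter2")  # created before the salt source was wired
    print("legacy user with salted provider:", authenticate(legacy, "hunter2", src))  # False
```

Run it as a script to see the three unsalted users collapse to one hash and the salted users get three, followed by the rename and legacy-user failures. The salt source is looked up by attribute name exactly as the Spring class does by reflection, which is why any change to the chosen property silently breaks login for that user.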
1 comment:
Great, I was trying to use salt with Grails but I couldn't figure out how to do it. Thanks.