Validating encrypted passwords in grails
In grails I can set the password field to have a minimum size constraint of 5 (arbitrary). The problem is that I use spring security service to encode my password and the encoded/encrypted password is much longer than 5 characters almost no matter what value I put in.
Another forum response suggested doing that validation in the save method. Has anyone else tackled this problem and knows a way around it?
Spring security does not provide a decode method (probably for security purposes)... so I guess one idea would be to get a different password encoder that could decode the password for validation purposes... but my instinct says that spring security leaves this out for a good reason and maybe I should too...
static constraints = {
    username(blank: false, unique: true)
    password(minSize: 5, blank: false, unique: true,
             validator: { passwd, user ->
                 // the password must not be the same as the username
                 return passwd != user.username
             })
    passwordRepeat(nullable: false,
                   validator: { passwd2, user ->
                       return passwd2 == user.password
                   })
}
So I'm using the static constraints to validate as most other variables are validated this way.
My apologies for the unreadable comment.
Thank you, -Asaf
Edit: I think a simple fix is as mentioned above, doing the validation in the save method (before encryption), but I just feel like someone somewhere must have had to deal with this issue before. I mean there are so many websites that require passwords and that yell at you if it's too short, if it doesn't contain both lowercase and uppercase letters, if it doesn't have a symbol... How do all of them do the various validation methods they use?
You can't decode what Spring Security encodes... That's MD5 or SHA-256!!! That's exactly the purpose of the hashing process. Then, you can't know what the password is even if the database files are stolen.
To validate passwords, you need to prompt the user for a clear-text one (transmit over HTTPS, please) and then encode it with the same algorithm. Then, you have to compare it to the encoded password you stored.
Use the class DigestUtils to encode your received password with the same algorithm used the first time. This is the Spring Security config setting grails.plugins.springsecurity.password.algorithm.
And yes, you have to validate before saving... For that we have added a metaclass method in BootStrap,
String.metaClass.validateAsPassword
to have a single point from which to validate our passwords before saving them.
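As an added example (not code from the question or from the answer above), here is one way to do what the answer describes inside the domain class itself: keep the constraints on the clear-text password by putting them on a transient field, and store only the encoded value. It assumes the Grails Spring Security Core plugin, whose springSecurityService.encodePassword() applies the algorithm configured in grails.plugins.springsecurity.password.algorithm; the field names, error message keys and the 8-character minimum are my own choices. The stored hash deliberately gets no minSize or unique rule: its length is fixed by the algorithm, and marking hashes unique would reveal which users share a password.

```groovy
// Added example, not the question's or the answer's code. Assumes the Grails
// Spring Security Core plugin (springSecurityService.encodePassword()).
package example

class User {

    transient springSecurityService

    String username
    String password             // encoded value, the only thing persisted
    String plainPassword        // clear text, validated but never persisted
    String plainPasswordRepeat  // clear text, never persisted

    static transients = ['springSecurityService', 'plainPassword', 'plainPasswordRepeat']

    static constraints = {
        username blank: false, unique: true
        // No minSize/unique on the hash: its length is fixed by the algorithm
        // and uniqueness would leak which users share a password.
        password blank: false
        plainPassword nullable: true, validator: { String pw, User u ->
            if (pw == null) {
                // Allowed only when an encoded password already exists
                // (an update that does not touch the password).
                return u.password ? true : 'user.plainPassword.required'
            }
            if (pw.size() < 8) return 'user.plainPassword.tooShort'
            if (pw.equalsIgnoreCase(u.username)) return 'user.plainPassword.sameAsUsername'
            // Mixed case plus at least one non-alphanumeric character.
            if (!(pw =~ /[a-z]/) || !(pw =~ /[A-Z]/) || !(pw =~ /[^A-Za-z0-9]/)) {
                return 'user.plainPassword.complexity'
            }
            return true
        }
        plainPasswordRepeat nullable: true, validator: { String pw2, User u ->
            if (u.plainPassword == null) return true   // nothing to confirm
            return pw2 == u.plainPassword ? true : 'user.plainPasswordRepeat.mismatch'
        }
    }

    // Runs before the constraints are evaluated, so the hash is already in
    // place when "password blank: false" is checked. Re-running it on a second
    // validate() call is harmless: it re-encodes the same clear text.
    def beforeValidate() {
        if (plainPassword != null) {
            password = springSecurityService.encodePassword(plainPassword)
        }
    }

    // Drop the clear text as soon as the row is written.
    def afterInsert() { clearPlainText() }
    def afterUpdate() { clearPlainText() }

    private void clearPlainText() {
        plainPassword = null
        plainPasswordRepeat = null
    }
}

// Usage from a controller or service (example only):
//   def u = new User(username: 'alice',
//                    plainPassword: 'Str0ng!pass', plainPasswordRepeat: 'Str0ng!pass')
//   if (!u.save()) { /* u.errors holds the plainPassword/plainPasswordRepeat messages */ }
```

With this layout a password change is just assigning plainPassword and plainPasswordRepeat and calling save(); an update that leaves both null keeps the existing hash and still passes validation, which is the case that breaks a plain minSize on the stored field.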