Spring Security UI Plugin
GPSPRINGSECURITYUI-27

UserController inconsistent with Spring Security Core 1.2 user domain logic

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Grails-Spring-Security-UI 0.1.2
    • Labels:
      None

      Description

      The grails.plugins.springsecurity.ui.UserController actions for save and update are inconsistent with changes made to the Spring Security Core domain model. When a new user is saved via the create action, it encrypts the password via springSecurityService.encodePassword(...) before storing it within the user model instance. When the instance is saved, it fires the beforeInsert() event, which double encrypts the password field.

      Instead, the UserController actions should store the params.password (perhaps after sanitizing it) directly into the user model password field. Then it becomes the responsibility of the user model to encrypt the password via springSecurityService.

        Activity

        Jeff Hall added a comment -

        Unfortunately, I'm too new with Grails/plugins to create an effective integration test to show the issue. Would it be best to create a new grails app with the affected plugins installed, produce an integration test to show the issue, and the likely fix?

        Andrew Taylor added a comment - Created a patch to fix this on github. See https://github.com/ataylor284/grails-spring-security-ui/commit/2098ec1e717bfdfc0c12cbb0ed8670e365806eb7
        Burt Beckwith added a comment - Fixed by https://github.com/grails-plugins/grails-spring-security-ui/commit/3f06543decb5fc723f626d323ce2f6188b9d16c5
        Simon D added a comment -

        Burt, I've incorporated the latest zip of this plugin into my environment (and hacked in some logging to confirm the changes are active), but I still see the password being double encrypted.

        Burt Beckwith added a comment -

        The updated plugin hasn't been updated yet. The quickest fix is to disable password encryption in the User domain class by commenting out the beforeUpdate and beforeInsert methods.

        Simon D added a comment -

        Thanks, that did the trick. Can I suggest capturing this simple workaround for this known issue somewhere prominent (e.g. http://grails.org/plugin/spring-security-ui) until a new release is available? I have wasted far too many hours over the past few days trying to get the most basic features of this plugin working. Having said that, really appreciate the effort that goes into creating and maintaining these components that make life easier for the rest of us!

        Burt Beckwith added a comment -

        There's now a setting for whether to encrypt the password or not, as of version 0.2 of the plugin: grails.plugins.springsecurity.ui.encodePassword. Set it to false if you are encrypting in the domain class, and true if you're not and want the UI plugin to encrypt for you.
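
Added example, not part of the thread or of the plugin's code: a stand-alone Groovy script that reproduces the double encoding from the description and checks the `encodePassword` setting and the comment-out-the-hooks workaround against it. The `Encoder`, `User`, `UserController` and `diagnose` names are hypothetical stand-ins, and unsalted SHA-256 hex is an assumed encoder.

```groovy
import java.security.MessageDigest

// Stand-in for springSecurityService.encodePassword(...). Unsalted SHA-256 hex
// is an assumption of this example; the issue does not say which encoder is used.
class Encoder {
    static String encode(String s) {
        MessageDigest.getInstance('SHA-256').digest(s.getBytes('UTF-8')).encodeHex().toString()
    }
}

// Hypothetical stand-in for the User domain class with its GORM insert hook.
class User {
    String username
    String password
    boolean hookEnabled = true
    void beforeInsert() { if (hookEnabled) password = Encoder.encode(password) }
}

// Hypothetical stand-in for UserController.save in the UI plugin.
class UserController {
    boolean encodePassword   // mirrors grails.plugins.springsecurity.ui.encodePassword
    User save(Map params, boolean domainHook = true) {
        String pw = encodePassword ? Encoder.encode(params.password) : params.password
        def user = new User(username: params.username, password: pw, hookEnabled: domainHook)
        user.beforeInsert()   // GORM calls this when the new row is inserted
        user
    }
}

// Compare a stored value with what a login attempt would compute from the candidate.
String diagnose(String stored, String candidate) {
    String once = Encoder.encode(candidate)
    if (stored == candidate) return 'cleartext'
    if (stored == once) return 'encoded once'
    if (stored == Encoder.encode(once)) return 'encoded twice'
    'no match'
}

def params = [username: 'alice', password: 'Constructed-Pw-1']   // constructed sample input
def ui = { boolean flag -> new UserController(encodePassword: flag) }

// Reported bug: controller encodes, then beforeInsert() encodes again; login cannot match.
assert diagnose(ui(true).save(params).password, params.password) == 'encoded twice'
// Version 0.2 setting: encodePassword = false, domain class encodes.
assert diagnose(ui(false).save(params).password, params.password) == 'encoded once'
// Workaround from the thread: hooks commented out, UI plugin encodes.
assert diagnose(ui(true).save(params, false).password, params.password) == 'encoded once'
// Both switched off: nothing encodes and the password is stored as typed.
assert diagnose(ui(false).save(params, false).password, params.password) == 'cleartext'
println 'all four combinations behave as described'
```

The last case is the one to check for after applying either fix: exactly one layer should encode, so disabling the domain hooks and setting `encodePassword` to false together stores passwords unencoded.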

        Sergey Ponomarev added a comment -

        This bug has many duplicates: http://jira.grails.org/issues/?jql=project%20%3D%20GPSPRINGSECURITYUI%20AND%20text%20~%20%22encodePassword%22
        The UI plugin doesn't work out of the box and every user will get this problem. I also got it.
        The reason is that encodePassword is "true" by default.
        IMHO we need to reopen this as a bug.
        I see two solutions:
        1. Set encodePassword to "false" by default.
        2. Remove the password encoding logic from the plugin. Spring Security Core should take care of password encoding.


          People

          • Assignee:
            Burt Beckwith
            Reporter:
            Jeff Hall
          • Votes:
            1
            Watchers:
            5
