55

I just added a registration functionality to my new grails project. For testing it, I registered by giving an email and a password. I am using bcrypt algorithm for hashing the password before saving it to the database.

However when I try to login with the same email and password that I gave while registering, login fails. I debugged the application and found out that the hash that is generated for the same password is different when I try to compare with the already hashed one from database and hence the login is failing (Registration.findByEmailAndPassword(params.email,hashPassd) in LoginController.groovy returns null).

Here's my domain class Registration.groovy:

class Registration {

   transient springSecurityService

   String fullName
   String password
   String email

   static constraints = {
      fullName(blank:false)
      password(blank:false, password:true)
      email(blank:false, email:true, unique:true)
   }

   def beforeInsert = {
      encodePassword()
   }

   protected void encodePassword() {
      password = springSecurityService.encodePassword(password)
   }
}

Here's my LoginController.groovy:

class LoginController {

   /**
    * Dependency injection for the springSecurityService.
    */
   def springSecurityService

   def index = {
      if (springSecurityService.isLoggedIn()) {
         render(view: "../homepage")
      }
      else {
         render(view: "../index")
      }
   }

   /**
    * Show the login page.
    */
   def handleLogin = {

      if (springSecurityService.isLoggedIn()) {
         render(view: "../homepage")
         return
      }

      def hashPassd = springSecurityService.encodePassword(params.password)
      // Find the username
      def user = Registration.findByEmailAndPassword(params.email,hashPassd)
      if (!user) {
         flash.message = "User not found for email: ${params.email}"
         render(view: "../index")
         return
      } else {
         session.user = user
         render(view: "../homepage")
      }
   }
}

Here's a snippet from my Config.groovy telling grails to use bcrypt algorithm to hash passwords and the number of rounds of keying:

grails.plugins.springsecurity.password.algorithm = 'bcrypt'
grails.plugins.springsecurity.password.bcrypt.logrounds = 16
Burt Beckwith
  • 75,342
  • 5
  • 143
  • 156
adit
  • 553
  • 1
  • 4
  • 5

2 Answers2

45

Jan is correct - bcrypt by design doesn't generate the same hash for each input string. But there's a way to check that a hashed password is valid, and it's incorporated into the associated password encoder. So add a dependency injection for the passwordEncoder bean in your controller (def passwordEncoder) and change the lookup to

def handleLogin = {

   if (springSecurityService.isLoggedIn()) {
      render(view: "../homepage")
      return
   }

   def user = Registration.findByEmail(params.email)
   if (user && !passwordEncoder.isPasswordValid(user.password, params.password, null)) {
      user = null
   }

   if (!user) {
      flash.message = "User not found for email: ${params.email}"
      render(view: "../index")
      return
   }

   session.user = user
   render(view: "../homepage")
}

Note that you don't encode the password for the isPasswordValid call - pass in the cleartext submitted password.

Also - completely unrelated - it's a bad idea to store the user in the session. The auth principal is readily available and stores the user id to make it easy to reload the user as needed (e.g. User.get(springSecurityService.principal.id). Storing disconnected potentially large Hibernate objects works great in dev mode when you're the only user of your server, but can be a significant waste of memory and forces you to work around the objects being disconnected (e.g. having to use merge, etc.).

Burt Beckwith
  • 75,342
  • 5
  • 143
  • 156
  • Thanks Burt. It worked. And really thanks for the suggestion regarding storing a user in the session. I am new to grails and am using it to develop a social networking site. I would be really grateful if you can give suggestions on best practices etc. or anything that helps....may be a link to a post on your blog (an army of solipsists.....i love it) – adit Dec 12 '11 at 08:56
30

A BCrypt hash includes salt and as a result this algorithm returns different hashes for the same input. Allow me to demonstrate it in Ruby.

> require 'bcrypt'
> p = BCrypt::Password.create "foobar"
=> "$2a$10$DopJPvHidYqWVKq.Sdcy5eTF82MvG1btPO.81NUtb/4XjiZa7ctQS"
> r = BCrypt::Password.create "foobar"
=> "$2a$10$FTHN0Dechb/IiQuyeEwxaOCSdBss1KcC5fBKDKsj85adOYTLOPQf6"
> p == "foobar"
=> true
> r == "foobar"
=> true

Consequently, BCrypt cannot be used for finding users in the way presented in your example. An alternative unambiguous field should be used instead, e.g. user's name or e-mail address.

Community
  • 1
  • 1
Jan
  • 11,636
  • 38
  • 47