Tags: grails, spring-security, grails-plugin

Grails Spring Security Plugin Migrate User Passwords from 1.2.7.3 to 2.0


I am using Grails 2.3.2 and am trying to upgrade my Spring Security Core Plugin from 1.2.7.3 to 2.0.

I made all the import changes and got my app to start, but I was unable to login. One of the changes in 2.0 is that it uses the bcrypt algorithm for passwords, making all my old passwords useless. So, I went through the password reset process in my app and sure enough after that I could log in just fine.

But, I want to keep my old passwords for all my users, so I went and found the documentation for the 1.2.7.3 version of the plugin and looked up what algorithm it used: http://grails-plugins.github.io/grails-spring-security-core/docs/manual.1273/guide/12%20Password%20and%20Account%20Protection.html

According to these docs its default is SHA-256. So, I added that config change, yet I still cannot log in.

So, how can I migrate all my users' passwords to the 2.0 version of the plugin? As of right now it doesn't seem possible...


Solution

  • There's another change - the number of hash iterations. In 1.2.x the password was hashed once but in 2.0 it's hashed 10,000 times for password stretching - see http://grails-plugins.github.io/grails-spring-security-core/2.0.x/guide/passwords.html#hashing

    Add this to revert to the old behavior:

    // grails-app/conf/Config.groovy
    // same digest as 1.2.x, applied once instead of the 2.0 default of 10,000 times
    grails.plugin.springsecurity.password.algorithm = 'SHA-256'
    grails.plugin.springsecurity.password.hash.iterations = 1
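The following is an added example, not code from the question, the answer, or the Grails plugin. It re-implements, in Python, the stretching scheme that the plugin delegates to (Spring Security's digest-based encoder: digest the password, then re-digest the result `iterations - 1` more times, hex-encode; the `password{salt}` merge format is my reading of that encoder and is an assumption). It shows why a hash stored by 1.2.x with a single SHA-256 pass fails to verify under the 2.0 default of 10,000 iterations, and why `hash.iterations = 1` makes it match again. The `migrate_on_login` helper and the sample password are constructed for illustration: they sketch the longer-term alternative of verifying with the legacy parameters and re-hashing with the stronger settings once a user logs in successfully, instead of keeping single-pass hashing permanently.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: mirrors Spring Security's MessageDigestPasswordEncoder behaviour
# (digest "password{salt}" once, then re-digest the raw digest iterations-1 times,
# output as lowercase hex). The Grails 1.2.x default used SHA-256 with no salt.
LEGACY_ITERATIONS = 1          # what 1.2.7.3 effectively did
PLUGIN_2_0_ITERATIONS = 10000  # the 2.0 default from the linked docs


def hash_password(password: str, iterations: int = 1,
                  salt: Optional[str] = None, algorithm: str = "sha256") -> str:
    """Digest-and-stretch a password; returns the hex digest."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    # No salt -> the bare password is digested, as in the 1.2.x default config.
    data = password if salt is None else f"{password}{{{salt}}}"
    digest = hashlib.new(algorithm, data.encode("utf-8")).digest()
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest).digest()
    return digest.hex()


def verify(password: str, stored_hash: str, iterations: int,
           salt: Optional[str] = None, algorithm: str = "sha256") -> bool:
    """Constant-time comparison against a stored hex digest."""
    candidate = hash_password(password, iterations, salt, algorithm)
    return hmac.compare_digest(candidate, stored_hash)


# Constructed sample: a hash exactly as a 1.2.7.3 install would have stored it.
SAMPLE_PASSWORD = "correct horse"
LEGACY_HASH = hash_password(SAMPLE_PASSWORD, iterations=LEGACY_ITERATIONS)


def migrate_on_login(password: str, stored_legacy_hash: str) -> Optional[str]:
    """Hypothetical upgrade path: if the login succeeds against the legacy
    parameters, return a replacement hash computed with the 2.0 parameters
    so the caller can persist it; return None when the password is wrong."""
    if not verify(password, stored_legacy_hash, LEGACY_ITERATIONS):
        return None
    return hash_password(password, iterations=PLUGIN_2_0_ITERATIONS)


def explain() -> dict:
    """Why the original poster could not log in after setting only the algorithm."""
    return {
        "verifies_with_2.0_default_iterations":
            verify(SAMPLE_PASSWORD, LEGACY_HASH, PLUGIN_2_0_ITERATIONS),
        "verifies_with_iterations_1":
            verify(SAMPLE_PASSWORD, LEGACY_HASH, LEGACY_ITERATIONS),
    }


if __name__ == "__main__":
    print(explain())
    upgraded = migrate_on_login(SAMPLE_PASSWORD, LEGACY_HASH)
    print("upgraded hash differs from legacy:", upgraded != LEGACY_HASH)
```

Setting `hash.iterations = 1` reproduces the first result pair (the legacy hash verifies only when the iteration count matches), which is exactly the answer's fix. The `migrate_on_login` pattern is the defender's follow-up: it lets existing users keep logging in while their stored hashes are replaced with stretched ones over time, after which the single-iteration setting can be dropped.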