Im using SpringSecurity 2.0-RC2 and want users to give the possibilty to change their passwords while they are online.
My User domain class has the following
def beforeInsert() {
encodePassword()
}
def beforeUpdate() {
if (isDirty('password')) {
encodePassword()
}
}
protected void encodePassword() {
password = springSecurityService.encodePassword(password)
}
To check whether the user was enterering the correct current password i was doing the following in a controller:
if (springSecurityService.encodePassword(params.currentPassword) == user.password) {
... but surprsingly (for me) the check always fails. Even more strange if im doing this:
println springSecurityService.encodePassword(params.currentPassword)
println springSecurityService.encodePassword(params.currentPassword)
i receive the following in the console
$2a$10$sWt7mUSHPFT.Np6m.gXyl.h8tWqblJbwtzQ6EQeMHxXMoGwOffC3e $2a$10$lwHz1SkNlW8ibznt.mOiruAg5eG/BTtsjM7ChyYVBvamRcrL8tucm
(like there would be a salt - but i didnt configure one myself)
My Settings are more or less the default settings; except the package names of the three domain classes.
As the documention is down since severely days im asking here if somebody has a idea what im doing wrong...
Try this
def passwordEncoder
...
passwordEncoder.isPasswordValid(user.password, params.currentPassword, null)
See this post for more detail.