grails, spring-security

Grails with Spring Security Plugin and Salted Passwords


I am trying to do salted password hashing in my Grails + Spring Security application. I have used the tutorials on the Grails site, and also ones I found randomly on the Internet.

At the moment, I have everything set up according to this tutorial. However I run into a problem when deploying the application with the following bean declaration in resources.groovy:

saltSource(cq.MySaltSource) {
    userPropertyToUse = CH.config.grails.plugins.springsecurity.dao.reflectionSaltSourceProperty
}

It complains that it cannot find CH.

After digging around, I found a post on nabble stating the following:

Also - don't use ConfigurationHolder (CH) since it's deprecated in 2.0. You can pass in a reference to the grailsApplication bean and get the config from there:

saltSource(MySaltSource) {
  grailsApplication = ref('grailsApplication')
}

and then in your class add

def grailsApplication

and get the property via

String userPropertyToUse  grailsApplication.config.grails.plugins.springsecurity.dao.reflectionSaltSourceProperty 

The part that I do not follow is the last statement about "...and get the property via...". The line of code he gives there seems malformed to me.

If anyone can shed some light here, or provide a different approach to using salted passwords with Grails and Spring Security, I would appreciate it. Note that it needs to be unique salts per user, not system-wide or a single salt, or a salt derived from username.

Thanks


UPDATE

So I got it working with the first tutorial (forgot the import statement at the top of resources.groovy). But I would still like to use the second way (to stay compatible with the future version).


UPDATE 2

I have written a complete tutorial on this if anyone browsing here is interested:

Setting up a Grails web application using Spring Security and salted passwords.


Solution

  • In resources.groovy, where you're defining the saltSource bean, the GrailsApplication is available as the application variable, so you can change the bean declaration to

    saltSource(cq.MySaltSource) {
       userPropertyToUse = application.config.grails.plugins.springsecurity.dao.reflectionSaltSourceProperty
    }
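
The other approach quoted in the question (passing a reference to the grailsApplication bean), written out as an added example; it is not the code of the tutorial, the nabble poster or the answer above. It assumes Spring Security 3.x, where the SaltSource interface is available, and a custom UserDetails class that exposes the per-user salt under the configured property name; the body of MySaltSource shown here is hypothetical.

```groovy
// Added example. Bean wiring in grails-app/conf/spring/resources.groovy:
//
//   beans = {
//       saltSource(cq.MySaltSource) {
//           grailsApplication = ref('grailsApplication')
//       }
//   }
//
// src/groovy/cq/MySaltSource.groovy (hypothetical body)
package cq

import org.springframework.beans.factory.InitializingBean
import org.springframework.security.authentication.AuthenticationServiceException
import org.springframework.security.authentication.dao.SaltSource
import org.springframework.security.core.userdetails.UserDetails

class MySaltSource implements SaltSource, InitializingBean {

    def grailsApplication       // injected by the bean definition above
    String userPropertyToUse    // resolved once, when the bean is initialised

    void afterPropertiesSet() {
        def value = grailsApplication.config.grails.plugins.springsecurity.dao.reflectionSaltSourceProperty
        // An unset key yields an empty ConfigObject rather than null, so check the type.
        if (!(value instanceof CharSequence) || !value) {
            throw new IllegalStateException(
                'grails.plugins.springsecurity.dao.reflectionSaltSourceProperty is not set')
        }
        userPropertyToUse = value.toString()
    }

    Object getSalt(UserDetails user) {
        def salt
        try {
            salt = user."$userPropertyToUse"    // dynamic property lookup on the user object
        } catch (MissingPropertyException e) {
            throw new AuthenticationServiceException(
                "UserDetails has no property '${userPropertyToUse}'", e)
        }
        // Fail closed: never hash or compare a password with an empty salt.
        if (!salt) {
            throw new AuthenticationServiceException('No salt stored for this user')
        }
        salt
    }
}
```

Reading the config in afterPropertiesSet() makes a missing or misspelled property name fail at startup instead of at the first login attempt.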