update current user password in spring security core plugin

chichibek bros
Hi again group. I am implementing a simple update of the current logged-in user's password. In order to do it, I created a simple form asking for the current password and check if this password is equal to the current user's password.

def currentUser = springSecurityService.currentUser
// hash the submitted password and compare the two hashes as strings
def password = springSecurityService.encodePassword(params.password)

if (currentUser.password == password) {
    // do something
}

Here is my problem: currentUser.password is not equal to password.

Any idea which is the right way to get this job done?

Thanks for your time.
Re: update current user password in spring security core plugin

Steve Hummingbird
Hi, 

I use the passwordEncoder to do that:

def passwordEncoder   // injected bean

def update(UserCommand userCommand) {
    def user = ...
    // isPasswordValid(encodedPassword, rawPassword, salt) re-hashes the submitted
    // password and compares it against the stored hash
    if (!passwordEncoder.isPasswordValid(user.pass, userCommand.password_old, null)) {
        // password is incorrect
    }
}

You probably need to change that, depending on whether you are using a salt or not.

Cheers,
Steve

On 20 Mar 2014, at 21:44, chichibek bros <[hidden email]> wrote:

hi again group, i am implementing a simple update current logged user password, in order to do it, i created a simple form asking for current password and check if this password is equal to current user password.

def currentUser = springSecurityService.currentUser
def password = springSecurityService.encodePassword(params.password)

if currentUser.password == password then do something

here is my problem currentUser.password is not equal to password

any idea, which is the right way to get this job done?

thanks for your time

Re: update current user password in spring security core plugin

burtbeckwith
In reply to this post by chichibek bros
If you ask for the current password, only do this as an extra check - only allow the user to change their password if they're already logged in.

Unless you want to enforce some sort of rule where you don't allow password reuse, and I don't know of a good way to do this since it requires storing cleartext or decryptable old passwords somewhere, there's no need to compare the current password to the new one. Actually I suppose there's not much risk in saving old passwords. Regardless, make the user type it twice to be sure that there's no typo, set the password on the user instance, and save it. If it's the same, it's a no-op. If it's new, it will be updated.

If you're using bcrypt (or a similar approach) then two hashes of the same password will not be the same. The password encoder has logic to check that they're valid/equivalent however. The encoder interface has a method to hash a password

   String encode(CharSequence rawPassword);

but is required to also implement a verification method in case equality isn't enough:

   boolean matches(CharSequence rawPassword, String encodedPassword);

Burt

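
The point of the thread, worked through as an added example (this is not code from the thread, from the Grails plugin, or from Spring Security): bcrypt embeds a fresh random salt in every hash, so encoding the submitted password a second time and comparing strings, as in the original post, never matches; the encoder's own matches() re-hashes the raw password with the salt stored in the existing hash and compares that. The User and ChangePasswordService classes below are hypothetical stand-ins for the Grails domain class and service, the sample user and passwords are constructed, and the script assumes spring-security-crypto (BCryptPasswordEncoder) is on the classpath. Where the injected passwordEncoder bean is the older Spring Security interface Steve calls, the equivalent check is isPasswordValid(user.password, currentRaw, null).

```groovy
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import org.springframework.security.crypto.password.PasswordEncoder

// Stand-in for the Grails User domain class (hypothetical, not the plugin's own).
class User {
    String username
    String password   // holds the encoded bcrypt hash, never the raw password
}

// Stand-in for a Grails service (hypothetical); in Grails the encoder would be injected.
class ChangePasswordService {
    PasswordEncoder passwordEncoder = new BCryptPasswordEncoder()

    /**
     * Change the password of an already-authenticated user.
     * Returns null on success, otherwise the reason the change was refused.
     */
    String changePassword(User user, String currentRaw, String newRaw, String confirmRaw) {
        // Re-authenticate: matches() hashes currentRaw with the salt embedded in the
        // stored hash and compares the result, which a comparison of two freshly
        // computed hashes can never do.
        if (!passwordEncoder.matches(currentRaw, user.password)) {
            return 'current password is incorrect'
        }
        // Typo guard: the new password is typed twice.
        if (newRaw != confirmRaw) {
            return 'new passwords do not match'
        }
        // Store only the hash; encode() picks a fresh random salt on each call.
        user.password = passwordEncoder.encode(newRaw)
        return null
    }
}

def encoder = new BCryptPasswordEncoder()
// Constructed sample user; 'correct horse' is a made-up password.
def user = new User(username: 'alice', password: encoder.encode('correct horse'))

// The original post's approach: a second encoding of the same password is a
// different string, because bcrypt salts each hash.
assert encoder.encode('correct horse') != user.password
// The encoder's verification method is the check that works.
assert encoder.matches('correct horse', user.password)

def service = new ChangePasswordService(passwordEncoder: encoder)
assert service.changePassword(user, 'wrong', 'n3w-pass', 'n3w-pass') == 'current password is incorrect'
assert service.changePassword(user, 'correct horse', 'n3w-pass', 'n3w-pas') == 'new passwords do not match'
assert service.changePassword(user, 'correct horse', 'n3w-pass', 'n3w-pass') == null
assert encoder.matches('n3w-pass', user.password)
assert !encoder.matches('correct horse', user.password)
```

The current-password check re-authenticates the session's user before anything is changed, which is what protects an account left logged in on a shared machine; the confirmation field catches typos as Burt suggests; and only the output of encode() is ever stored, so nothing is compared or kept as plain text.
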
Re: update current user password in spring security core plugin

Steve Hummingbird
To me there is one use case where this matters: a user forgets to log out and leaves the computer (probably even in an internet cafe). If another user notices that the previous user is still logged in, he can easily hijack that account. Asking for the current password prevents that to some extent.

-Steve

On 20 Mar 2014, at 22:02, burtbeckwith <[hidden email]> wrote:

Re: update current user password in spring security core plugin

chichibek bros
That is the scenario I'm trying to prevent.


2014-03-20 15:11 GMT-06:00 Steve Hummingbird <[hidden email]>:
Re: update current user password in spring security core plugin

chichibek bros
I'm trying Steve Hummingbird's solution and it is working pretty well. Is this solution in the documentation?


2014-03-20 15:12 GMT-06:00 chichibek bros <[hidden email]>: