RE: SpringSecurityOAuthController.groovy.template findByUsernameAndPassword

[santoshd]

Am a fellow-developer, recently started with grails. I wanted to run a possible defect by you to get your opinion. I hope that's ok and thank you in advance for your attention and efforts.

In SpringSecurityOAuthController.groovy, there's a call to ${userClassName}.findBy${usernameCapPropertyName}And${passwordCapPropertyName} that essentially checks if the username, password combination is valid (line # 113 https://github.com/cazacugmihai/grails-spring-security-oauth/blob/master/src/templates/SpringSecurityOAuthController.groovy.template).

For bcrypt as no two hashes are alike, by definition - this wouldn't work out of the box.

I'm guessing this is one way to fix,

• Directly call isPasswordValid in the SpringSecurityOAuthController assuming it will work even if there are any changes in the underlying authentication mechanism.
• Or, find another way (perhaps another Spring Security template) to allow the call to passwordEncoder.isPasswordValid (javadoc: http://docs.spring.io/spring-security/site/docs/3.1.6.RELEASE/apidocs/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html) in the controller.
• In this case, I'll still need to change the plugin to call the domain class with the rawPassword (not encoded as clarified in the javadoc above).

Can this be useful to you as well? Would be great to hear from you on this one.

Best regards, Santosh Dawara.

[enr]

Hi @santoshd,

I think this repo is not maintained anymore.

Last versions of the plugin have been released from https://github.com/enr/grails-spring-security-oauth . If you have any improvement I'll be happy to apply your PRs; please note that in the master branch, the template has been removed and now the controller is a proper Grails artefact.

This refactored version has not been released yet.

If you prefer to continue to use templates you can start development from tag v2.0.2

Cheers, Enrico