I'm using SpringSecurity 2.0-RC2 and want users to be able to change their passwords while they are online.
My user class has the following:

    def beforeInsert() {
        encodePassword()
    }

    def beforeUpdate() {
        if (isDirty('password')) {
            encodePassword()
        }
    }

    protected void encodePassword() {
        password = springSecurityService.encodePassword(password)
    }

To check whether the user entered the correct current password, I did the following in the controller:

    if (springSecurityService.encodePassword(params.currentPassword) == user.password) {

... but unexpectedly (for me) the check always fails. Even stranger if I do this:

    println springSecurityService.encodePassword(params.currentPassword)
    println springSecurityService.encodePassword(params.currentPassword)

I get the following in the console:

    $2a$10$sWt7mUSHPFT.Np6m.gXyl.h8tWqblJbwtzQ6EQeMHxXMoGwOffC3e
    $2a$10$lwHz1SkNlW8ibznt.mOiruAg5eG/BTtsjM7ChyYVBvammcr

(there seems to be a salt, but I didn't set it myself)
My settings are more or less the default settings; except the package names of the three domain classes.
Since the documentation has been declining ever since the harsh days, I ask here: does anyone have an idea what I'm doing wrong?
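The two console lines in the question are bcrypt strings, and bcrypt draws a fresh random salt on every encode call, so two encodings of the same password never compare equal. The sketch below is an added example, not part of the original post or of the plugin: it parses the two strings from the post to show the differing salts, then shows the verify-by-re-deriving pattern. The names `parse_bcrypt`, `encode` and `matches` are hypothetical, and `encode` uses PBKDF2 from the Python standard library as a stand-in for bcrypt.

```python
import hashlib
import hmac
import os
import re

# Console lines from the post, extraction spaces removed; the second is cut short on the page.
PAGE_OUTPUT = [
    "$2a$10$sWt7mUSHPFT.Np6m.gXyl.h8tWqblJbwtzQ6EQeMHxXMoGwOffC3e",
    "$2a$10$lwHz1SkNlW8ibznt.mOiruAg5eG/BTtsjM7ChyYVBvammcr",
]

# $<version>$<cost>$<22-char salt><31-char digest>, in bcrypt's base64 alphabet
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]*)$")


def parse_bcrypt(encoded):
    """Split a bcrypt modular-crypt string into its fields."""
    m = BCRYPT_RE.match(encoded)
    if not m:
        raise ValueError("not a bcrypt string")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt,
            "digest": digest, "complete": len(digest) == 31}


def encode(raw, salt=None, rounds=10_000):
    """Stand-in (assumption) for encodePassword(): random salt unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def matches(raw, stored):
    """Re-derive with the salt embedded in the stored value, compare in constant time."""
    rounds, salt_hex, _ = stored.split("$")
    candidate = encode(raw, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    for line in PAGE_OUTPUT:
        print(parse_bcrypt(line))          # same version and cost, different salts
    stored = encode("s3cret")              # constructed sample password
    print(encode("s3cret") == stored)      # the comparison used in the question
    print(matches("s3cret", stored))       # verification against the stored salt
    print(matches("wrong", stored))
```

The same pattern applies to any salted encoder: check a submitted password with the encoder's verification operation against the stored value, not by encoding it again and comparing strings.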