I'm trying to migrate an old Grails app from AppFog to Linode servers. I migrated the code and the MySQL database, but I couldn't log in with the old credentials.
For some reason I suspected that I had forgotten the password, so I simply deleted my user directly from the database and let Bootstrap.groovy create a new one with a known password, and so I managed to log in again.
The next day, when I tried to log in again, I received a wrong-credentials message, so I looked at the database and verified that the hashed password was still the same. I repeated the delete-user and Bootstrap procedure and noticed that the password hash was different from the previous one for the same password.
Again I managed to log in through the GUI and even (via the GUI) update the passwords of other users (the user from Bootstrap.groovy has the admin role). I verified that all password hashes were updated in the database and verified each account's login via the GUI; everything was fine.
This morning, when I tried to log into the application, I was rejected again on several accounts that I had verified last night.
The only thing I noticed that is different is the format of the hashed password: previously it was a sequence of letters and numbers, but now it always starts with $2a$ and contains special characters.
I noticed a few forum and SO posts mentioning that using spring-security-gui could cause double hashing of passwords, but I'm not using that plugin.
Here is the list of (relevant) plugins that I'm using:
tomcat:7.0.52.1
hibernate:3.6.10.9
database-migration:1.3.8
spring-security-core:2.0-RC4
I just noticed that the old version of the app was using spring-security-core:1.2.7.3 and the latest one is using 2.0-RC4 (I updated some outdated plugins before migration).
UPDATE:
Unfortunately, the problem is still active. I bootstrapped a user and verified that the password is hashed in 'sha format'. I can log in with that user and change the passwords of other users. I verified that all passwords are SHA hashed in the database. I can log in with each user whose password I reset, including the bootstrapped one. After one day (approximately) I can not log in again with the previously used credentials on any user. I checked the database and the password hashes are the same as before. Nothing in the tomcat, mysql or syslog logs. The same application was running on AppFog for more than one year without restart and no problems were noticed. I'm not 100% sure what spring security plugin version was used at the AppFog site (legacy maintenance) but the only thing that has changed is the version of that plugin (if it wasn't used before). There are no background jobs that could trigger this behavior (e.g. user.save() calls), so I don't have a clue what could go wrong or what else I need to set.
Set the following two properties in your Config.groovy:
grails.plugin.springsecurity.password.algorithm = "SHA-256"
grails.plugin.springsecurity.password.hash.iterations = 1
That will also allow you to log in with the old password. Spring Security 1.x used SHA-256, but the new Spring Security 2.x now uses bcrypt.
http://grails-plugins.github.io/grails-spring-security-core/v2/guide/newInV2.html
This question is for a production Grails app using Spring Security configured with BCrypt.
To keep up with increasing server CPU speed, I would like to up the value of the grails.plugin.springsecurity.password.bcrypt.logrounds property so that password hashing takes longer and is less susceptible to attack.
At first thought, I figured this was a daunting task requiring a trickle approach as users logged in or massive re-encoding and custom login handlers, but it appears to work without any other change when trying it locally between runs (with a persistent database, simulating a non-local deploy).
I'm guessing this is because the logrounds value is stored in the password hash: when going from 10 to 20 between runs locally, for example, the passwords look as follows:
$2a$10$i/PEPcvSj... <-- account created when logrounds was set to 10
$2a$20$3GGujw6o... <-- account created when logrounds was set to 20
I have tested:
Old accounts created before the change can still log in.
Old accounts can change their password, and the new hashes use the new logrounds setting
New accounts can be created and logged in as expected
Trying to log in with an account that does not exist takes the expected new delay.
Is there any reason not to proceed with the change? The high degree of caution here is because a mistake that prevents production login in any way would be extremely costly.
Everything worked as expected, so the answer is that yes, you can. You can change the logrounds without impact to existing accounts, as the logrounds used to produce the hash is built into the hash. A nice feature of BCrypt.
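An added Ruby example (not code from either question or answer above, and not the Grails plugin's own code) that covers both Spring Security threads: it models the 1.x hex SHA-256 hash after Spring's MessageDigestPasswordEncoder (an assumption about the scheme, with salt and iteration count as parameters), recognises the bcrypt $2a$ format that 2.x writes, reads the cost out of the stored hash (which is why raising logrounds leaves old accounts working), and audits a constructed user table for rows that should be re-hashed on the user's next successful login. The cost-10 hash is the one quoted in the BCrypt.checkpw question further down; the cost-12 value is a made-up string in the right shape, not a real hash.

```ruby
require 'digest'

# Spring Security 1.x style "SHA-256" hash, modelled on Spring's
# MessageDigestPasswordEncoder (assumption, not the plugin's own code):
# hex-encoded SHA-256 of "password{salt}" (just the password when no salt),
# re-digested (iterations - 1) more times.
def legacy_sha256(password, salt: nil, iterations: 1)
  input = (salt.nil? || salt.empty?) ? password : "#{password}{#{salt}}"
  digest = Digest::SHA256.digest(input)
  (iterations - 1).times { digest = Digest::SHA256.digest(digest) }
  digest.unpack1('H*')
end

# bcrypt modular-crypt format: $2a$<cost>$<22 salt chars><31 hash chars>.
# The cost (log rounds) travels inside the hash, so a changed
# logrounds setting only affects hashes written from then on.
BCRYPT_RE = /\A\$2[abxy]?\$(\d{2})\$[.\/A-Za-z0-9]{53}\z/

def bcrypt_cost(stored)
  m = BCRYPT_RE.match(stored)
  m && m[1].to_i
end

def classify_hash(stored)
  return :bcrypt if bcrypt_cost(stored)
  return :sha256_hex if stored.match?(/\A[0-9a-f]{64}\z/)
  :unknown
end

# Constant-time compare so verification does not leak timing information.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_legacy(password, stored, salt: nil, iterations: 1)
  secure_equal(legacy_sha256(password, salt: salt, iterations: iterations), stored)
end

# Audit a user table: anything that is not bcrypt at >= target_cost should be
# re-hashed on the user's next successful login (the only time the plaintext
# is available). Returns the usernames that still need it.
def accounts_needing_rehash(users, target_cost)
  users.select do |u|
    cost = bcrypt_cost(u[:password])
    cost.nil? || cost < target_cost
  end.map { |u| u[:username] }
end

# Constructed sample rows. The cost-10 value is the hash quoted in the
# BCrypt.checkpw question on this page; the cost-12 value is a made-up string
# of the right shape, not a real bcrypt output.
SAMPLE_USERS = [
  { username: 'legacy',   password: legacy_sha256('password') },
  { username: 'bcrypt10', password: '$2a$10$kyRMcxNqagw.ny369X4AsumV4cvHt4Usfvm.rGNDRnxP2SLKioFhu' },
  { username: 'bcrypt12', password: '$2a$12$' + ('a'..'z').to_a.join + ('A'..'Z').to_a.join + '0' }
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_USERS.each do |u|
    puts "#{u[:username]}: #{classify_hash(u[:password])} cost=#{bcrypt_cost(u[:password]).inspect}"
  end
  puts "needs rehash at cost 12: #{accounts_needing_rehash(SAMPLE_USERS, 12).inspect}"
end
```

Run against a dump of the user table, the audit tells you which rows are still in the 1.x format (the "sequence of letters and numbers" from the first question) and which bcrypt rows were written at a lower cost than the current logrounds; a login path that verifies a legacy row with verify_legacy and then writes a bcrypt hash back is the usual way to retire the old format without forcing a password reset.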
I am trying to implement BCrypt password encryption using Spring Security. For some reason the password validation is failing for what should be a valid password. The password was created in the same app, and passes the authentication check when I hard code it in a unit test. But, for some reason when it is running on the server it fails. I have checked that it's using the same JRE, the same number of iterations (stored in the hash). I tried reducing it to the bare minimum of code to figure out what's wrong. I am stuck at the point where this statement:
BCrypt.checkpw("password123", "$2a$10$kyRMcxNqagw.ny369X4AsumV4cvHt4Usfvm.rGNDRnxP2SLKioFhu")
returns true when run in a unit test, but fails when run in my PasswordEncoder live on the server. Any ideas on why this is failing?
I figured out my mistake. At one point our code was converting passwords to uppercase. I removed it some places, but missed one. So comparing all caps password to mixed case password failed (as one would expect it should).
Stack:
Devise 3.1.1
Rails 4.0.5
Omniauth 1.2.2
I started running into this issue where users can reset their passwords (via email), but the changed password never gets saved. Basically the only way they can login is through password reset.
I'm not necessarily looking for a solution, but can anyone recommend how to DEBUG what is going on? Ideally I'd like to follow the password reset path within Devise so I can verify the new password is getting saved, but I don't know where to start looking or where to put "puts" statements.
Also, it only happens on SOME accounts, which is even weirder.
Turns out it was a bug on my part. I was improperly overriding find_first_by_auth_conditions.
I have a rails 4 app where I am using devise for authentication and it works perfectly. My only problem is that it loses the session of a user after I deploy it on the server and the users have to sign in again.
If I just restart nginx/passenger (which I am using for my app), it doesn't lose it.
When I deploy my app I lose it. For deployment I also wipe out the whole database automatically, and my deployment script runs the seeds file, which also generates the users.
We are currently developing the app, so this kind of behavior is acceptable for now, but in the future when the app is ready we won't do it this way (of course!).
So is this an issue due to the reseeding, or should I check something else? I see that the encrypted password changes every time I run the wipe out/seed action; does this have anything to do with losing the user session?
You should never wipe out a database during deployment. Imagine that your app is running and you have hundreds of users. Now you make some changes in the code and do a deploy. POOF all your data and users are gone! Certainly this is not what you want.
Secondly, users getting logged out when you wipe out the database could be due to one of the following reasons:
Are you seeding users with the same ID? If the user ID changes when you re-seed, it will cause users to be logged out
Are you storing sessions in the database using config.session_store :active_record_store instead of using cookies? In this case, wiping out the database will delete the sessions table and log out all users
Rails 4 uses an encrypted cookie store by default. Make sure you're not changing your application's config.secret_token when re-deploying, in case it's getting loaded from the database.
Ultimately, wiping out the database is the sole reason why your users are getting logged out, and that is a bad practice. So the most important thing to fix is do not wipe data during deployments.
The reason for this behavior is the following:
Every time a user changes his password, Devise automatically signs him out.
So basically, by reseeding the data the password is recalculated (even though the password is the same, the new encrypted password is different from the old one). So Devise will automatically sign out the user, because it looks as if the password has changed (based on the different encrypted_password field).
I managed to bypass this behavior, by specifically setting up the encrypted_password in the seeds.rb file and bypassing the validation.
If I just restart nginx/passenger (which I am using for my app), it doesn't lose it. When I deploy my app I lose it. For deployment I also wipe out the whole database automatically, and my deployment script runs the seeds file, which also generates the users.
If you generate new users, the old ones will lose their sessions.
This is because the values of the new users will be different. For example, they might not have a remember token set, or if the session_id uses the values of user.created_at or user.token_generated_at they will be different every time you drop and recreate your database.
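An added Ruby example (not code from the question or either answer, and not Devise's own code) that shows the mechanism the two answers describe. It reproduces Devise's Warden serializer, which stores [id, authenticatable_salt] in the session and resolves the user only when the salt stored in the cookie still matches encrypted_password[0, 29]; the hasher is a fake that only mimics bcrypt's shape (fresh salt on every call), and the user store is an in-memory hash standing in for the database.

```ruby
require 'digest'
require 'securerandom'

# Stand-in for a Devise user row. Real Devise keeps a bcrypt hash in
# encrypted_password; a fake 60-char value of the same shape is enough here.
User = Struct.new(:id, :email, :encrypted_password) do
  # Devise: Models::Authenticatable#authenticatable_salt => encrypted_password[0, 29]
  # (the "$2a$10$" prefix plus the 22-char bcrypt salt).
  def authenticatable_salt
    encrypted_password[0, 29] if encrypted_password
  end
end

# Fake hasher: a fresh random 22-char salt on every call, so seeding the same
# password twice never yields the same encrypted_password (as with bcrypt).
# Not a real password hash; used only to show the session behaviour.
def fake_encrypt(password)
  salt = SecureRandom.alphanumeric(22)
  "$2a$10$#{salt}#{Digest::SHA256.hexdigest(salt + password)[0, 31]}"
end

# Devise's Warden serializer: the session holds [key, salt], not the user.
def serialize_into_session(user)
  [[user.id], user.authenticatable_salt]
end

# Resolves the session back to a user only while the stored salt still matches
# the first 29 chars of the row's encrypted_password.
def serialize_from_session(store, key, salt)
  user = store[key.first]
  user if user && user.authenticatable_salt == salt
end

# Seed, log in, wipe and re-seed, then check whether the old session cookie
# still resolves. With preserve_hash: true the seed writes the previous
# encrypted_password back instead of re-hashing (the workaround from the answer).
def session_survives_reseed?(preserve_hash:)
  store = { 1 => User.new(1, 'admin@example.com', fake_encrypt('secret')) }
  old_hash = store[1].encrypted_password
  key, salt = serialize_into_session(store[1])

  store.clear # the deployment script wiping the database
  store[1] = User.new(1, 'admin@example.com',
                      preserve_hash ? old_hash : fake_encrypt('secret'))

  !serialize_from_session(store, key, salt).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "re-seed with password:           logged in = #{session_survives_reseed?(preserve_hash: false)}"
  puts "re-seed with encrypted_password: logged in = #{session_survives_reseed?(preserve_hash: true)}"
end
```

The same check is what makes Devise drop a session after a legitimate password change, which is the behaviour you want in production; the seeds.rb workaround only makes sense while the database is being rebuilt on every deploy.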
I've got an app built using asp.net mvc and deployed over 2 Amazon EC2 instances. I'm using forms authentication to authenticate users. I simply make a quick look up on the given username and password and if I found a match I set an authentication cookie, like so:
if(_repository.Login(username, password))
FormsAuthentication.SetAuthCookie(username, false);
This works fine as long as the application is on one machine, but once I leveraged Amazon Elastic Load Balancing to deploy the site on two machines, the site behaves in a very weird way. When a user logs in, the site recognizes a logged-in user; after a refresh or two, the site no longer sees the user as logged in. If the user keeps refreshing for some time, the app sees the user as logged in again, and this goes on forever.
I'm aware that such a problem might occur if I'm storing SessionState in-proc. I'm not using SessionState at all.
What am I missing here, guys?
PS: I've edited the session state to be stored on a state server (though I'm not using sessions or TempData anywhere in my app) and the same weird behavior is there.
You need to synchronize your <machinekey> between all servers in your farm. Otherwise the forms authentication ticket is only good for the machine that issued it. I doubt this has anything to do with Session/TempData.
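An added Ruby example (not code from the question or answer, and not ASP.NET's forms authentication implementation) that models the failure the answer describes: a ticket minted under one server's key is accepted only by servers holding the same key, so a load balancer that round-robins requests produces exactly the on/off login state the question reports. The toy ticket is "username|expiry" signed with HMAC-SHA256 (the real ticket is also encrypted, but the key-mismatch behaviour is the same); KEY_A and KEY_B are constructed demo values.

```ruby
require 'openssl'

# Toy forms-authentication ticket: base64("username|expiry") + "." + HMAC-SHA256
# under the issuing server's key. Modelled here, not ASP.NET's own format.
def issue_ticket(key, username, ttl_seconds: 1800, now: Time.now.to_i)
  payload = "#{username}|#{now + ttl_seconds}"
  mac = OpenSSL::HMAC.hexdigest('SHA256', key, payload)
  "#{[payload].pack('m0')}.#{mac}"
end

# Constant-time compare so MAC checking does not leak timing information.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the username when the MAC verifies under this server's key and the
# ticket has not expired; nil otherwise, which the app treats as "not logged in".
def validate_ticket(key, ticket, now: Time.now.to_i)
  encoded, mac = ticket.to_s.split('.', 2)
  return nil if encoded.nil? || mac.nil?
  payload = begin
    encoded.unpack1('m0') # strict base64; raises on malformed input
  rescue ArgumentError
    return nil
  end
  return nil unless secure_equal(OpenSSL::HMAC.hexdigest('SHA256', key, payload), mac)
  username, expires = payload.split('|', 2)
  return nil if expires.nil? || expires.to_i < now
  username
end

# Send the same cookie to the farm's servers in turn, each validating with its
# own key; returns one logged-in true/false per request.
def round_robin_login_state(server_keys, ticket, requests: 6)
  Array.new(requests) { |i| !validate_ticket(server_keys[i % server_keys.size], ticket).nil? }
end

# Constructed demo keys. Production keys are generated with a CSPRNG and the
# same value is placed in <machineKey> on every server in the farm.
KEY_A = 'constructed-key-for-server-A'
KEY_B = 'constructed-key-for-server-B'

if __FILE__ == $PROGRAM_NAME
  ticket = issue_ticket(KEY_A, 'alice')
  p round_robin_login_state([KEY_A, KEY_B], ticket) # alternates, as in the question
  p round_robin_login_state([KEY_A, KEY_A], ticket) # keys synchronised: stable
end
```

The alternating pattern is the diagnostic: a session-state problem would not flip with every other request, but a per-server key does, because only the server that issued the ticket can validate it.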