I am wanting to validate a password in my own controller.
Is there any way I can sent the password to spring security UI and get a return if the password validates?
You are looking for:
springSecurityService.encodePassword
If you have configured your system with salt you will need that as well. Just encode the String, and read the encoded String from your user object, and compare the two
Docs:
http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/single.html#6.2%20SpringSecurityService
Related
I am trying to set up the following in Hashicorp Vault:
GitHub Actions authenticates to Vault using JWT auth method. Vault creates an Identity Token containing the repo name. Actions can then use this token to authenticate to a Snowflake database, where I've set up Vault as an External OAuth server. The repo name will be used as the username in snowflake.
Here's the role with my token template:
resource "vault_identity_oidc_role" "github_actions" {
namespace = vault_namespace.namespace.path
name = "github_actions"
client_id = "https://mine.eu-north-1.aws.snowflakecomputing.com"
key = vault_identity_oidc_key.key.name
template = <<EOF
{
"scp": "session:role:${var.snowflake_role}",
"username": {{identity.entity.aliases.${vault_jwt_auth_backend.github_actions.accessor}.name}}
}
EOF
}
Everything seems like it should work fine. I get a token, it's valid, and Snowflake accepts it. But it tells me the username is "wrong". Testing manually, I found that usernames containing special characters just aren't accepted by snowflake. And using the repository field from GitHub gives me a username like "repo-owner/repo-name" which contains slashes and dashes and whatnot.
I'm thinking that if I can just manipulate this value in the token (replace slashes with "SLASH" or something), I'll end up with a username that Snowflake will accept. Is this possible, and if so, how?
You can tackle this on the JWT auth method.
The GitHub OIDC documentation shows a sample token that includes the field repository_id, which is simply a number with no problematic characters, so my first thought would be to switch to leveraging that field when creating your aliases.
If that repository_id field is NOT globally unique, I would create a different JWT Auth Method per GitHub organization that you're supporting. That way, you don't need to have the organization referenced in the alias name to create a unique alias, and the GitHub organization is defined by the location of the auth method mount. (vault auth enable -path="github.com/org-name" jwt might be a reasonable path in this pattern.)
If that repository_id field IS globally unique, then you only need to switch to that field in the JWT role definition user_claim parameter and you're done.
Yes, this will make things less user-friendly and more arcane - in order to resolve the repository ID, you'll have to do a GitHub API call, which will make audit log review include additional steps - but I don't see any other point at which you have control over the strings in the auth flow.
I am facing issue while creating/updating password in grails 3.x.x Application. Whenever i try to enter any special case lets say "#" it encodes only this special character in password field.
Password value is coming from request body.
Example:
Real password : abc#555
Auto Encoded password : abc%40555
Grails by default uses a plugin that uses bcrypt algorithm to hash passwords for security.There are some configurable password hashing attributes. You can customize the password plugin with the grails.plugin.springsecurity.password.algorithm attribute.
This is in the view
<g:passwordField name="password" required="" value="${usuarioInstance?.password}"/>
This would be a part of the controller
pass = params.password.encodeAsSHA1()
This will be returned into the view again
${pass.password}
the ${pass.password} needs to change to text or decode the SHA1()
My advice:
don't use sha-1, it's insecure
don't unencrypt a password and display it in a form field. Make the user type it in if they want to change it, if they haven't entered anything then don't update that property
use spring security which by default manages all the headaches of web security and uses Bcrypt out of the box.
Security is something every dev needs to take seriously and if the client insists on unsecure practices then they need to be educated.
Edit: #zaph makes a good point below so I should add it - don't encrypt passwords. A password should never be able to be translated back into plain text. Always hash (and salt) them and compare the user input hash to the stored hash. If you choose not to use Spring Security, you can use Bcrypt standalone and use the static Bcrypt.checkpw(userInputPw, hashedPw) method to check it.
Final Edit: To avoid any confusion (since #zaph seems confused in the comments) my recommendation is to use Bcrypt - specifically, use Spring Security.
I used grails acl security. I wanted to change or edit password of a user after logging as an admin. But when i go to the edit mode, then the password field is showing the encrypted text that was saved before as encrypted string in user table. Is there any way to decrypt the string fetched from database and show in original string form in the password field?
I did not get any straight solution to do this in grails acl.
Any help would be appreciated.
There aren't very good reasons to display the cleartext password. As the user or an admin, if you want to change the password then you do it like any other property. Display the old value (either as * characters since it's a password or possibly the hashed value if you are an admin) and then you can enter a new password. This will get hashed and stored when you update.
As long as the cleartext password satisfies the validation requirements (minimum length, special chars, etc.) then the update should work fine.
Note that passwords are generally not encrypted (which implies that they can be decrypted) but hashed. Hash algorithms are lossy - given any input the hash is typically a fixed length output, so it cannot contain all of the original data and can't be used to retrieve the original value. For passwords this is fine. To authenticate, you don't de-hash the stored value and compare to the cleartext value from the login page - you hash the login page value and compare to the stored hash. With some algorithms they'll be the same, and others (e.g. bcrypt) they'll be different but equivalent, and the algorithm will have a way to check that they're equivalent.
No it is impossible to decrypt the password . It is bad idea to show password to user in edit mode. Its violet the security law. You can change a user's password but can not see it.
I haven't decrypted or d-hashed the password but added a new page to change password for a user. in workflow i did as follows:
1. while creating a user, new hashed password is created
2. while edit, all other desired information are allowed to edit except password (but password is showing in hashed dotted mode for security).
3. added a new link named 'change password' in the user list beside each user
4. finally in the newly created 'changePassword' page, i have assigned another new password with hash operation for the particular user
I'm trying to write a simple ASP.Net app that allows the users to log in with their username and password. I'm using an EF database in the .NET Framework 4, coding in C#. My problem is, when the user registers their details on the registration page, their password value does not save. That textfield is a password field.
How can I save the passwords actual value in the database, but keep the textfield as password? Would I need to encrypt it? I've never done encryption, so any help would be appreciated. Thanks
You should use some cryptographic algorithm to compute the hash for password string (see Hash string in c#). Then store it as byte array or encoded string (like hex or base64) in db.