Question

I wanted to use MongoDB in my Grails application and also Spring Security. I generated both User and Role classes with the s2-quickstart command. I added an id property to all my classes of type ObjectId as it says in many blog articles.

It does work, but one method bothers me a little:

    // SecUser.groovy (generated by s2-quickstart)
    def beforeUpdate() {
        if (this.isDirty('password')) {
            encodePassword()
        }
    }

The method isDirty() seems to be unavailable in a MongoDB environment. It works fine using Hibernate. This is a bug filed under http://jira.grails.org/browse/GPMONGODB-114

Is there any way to get around this method? As far as I understand, it checks if the password was modified and then encodes it again.

Wouldn't it be possible to do this manually? For example, if I have a User profile page which has the password field included, I just encode it again on save?

I'd really like to use both Spring Security and MongoDB together and I'm sure this method won't stop me. ;)


Solution

I see no reason why you can't create your own UserDetailsService which loads the hashed password from Mongo, then use a PasswordEncoder in your AuthenticationManager. This will tell Spring to hash the password entered by the user before comparing it to the value you retrieved from Mongo.

I can't comment on the Grails aspect but we are using Spring security and hashed passwords with Mongo. We actually have a custom password encoder that uses an iterative hash/salt so I'm sure what you want is possible :)
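
The approach described in the answer, as an added example that is not part of the original post or the poster's code: a UserDetailsService that returns the stored hash, plus a single write path that hashes plaintext once, so no save hook or isDirty() check is needed. The class name, the `USERS` map (a constructed stand-in for the Mongo collection), `setPassword`, `login` and the choice of BCrypt are assumptions; it needs spring-security-core and spring-security-crypto on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class MongoBackedLoginExample {
    // Constructed stand-in for the Mongo "users" collection: username -> stored hash.
    static final Map<String, String> USERS = new ConcurrentHashMap<>();
    // Assumption: BCrypt (salted, iterated) in place of the answer's custom encoder.
    static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // The only place a password is written: takes plaintext, stores the hash.
    // Hashing here, not on every save, means a profile update never re-hashes a hash.
    static void setPassword(String username, String plaintext) {
        USERS.put(username, ENCODER.encode(plaintext));
    }

    // Loads the stored hash; the caller compares it with the submitted password.
    static final UserDetailsService USER_DETAILS = username -> {
        String hash = USERS.get(username);
        if (hash == null) {
            throw new UsernameNotFoundException("unknown user");
        }
        return User.withUsername(username).password(hash).authorities("ROLE_USER").build();
    };

    // The comparison an authentication provider configured with ENCODER performs at login.
    static boolean login(String username, String submitted) {
        try {
            UserDetails user = USER_DETAILS.loadUserByUsername(username);
            return ENCODER.matches(submitted, user.getPassword());
        } catch (UsernameNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        setPassword("alice", "correct horse battery staple"); // constructed sample data
        System.out.println(login("alice", "correct horse battery staple"));
        System.out.println(login("alice", "wrong"));
        System.out.println(login("bob", "anything"));
    }
}
```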

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow