My advice is to debug your application to check if the password encoding at login time is the same as the one you provided at creation time.
Put a breakpoint in the method that retrieves the user from the DB, have a look at the stack in Eclipse debug mode, identify the Authentication Spring Filter, go into this stack frame and debug step by step to see what's happening after user retrieval.

Note that we use spring-security (w/o tapestry-spring-security) at http://github.com/robink/wooki

2010/6/10 Daniel Henze <dhe...@googlemail.com>

> The way I encode the password is using the following create method in
> UserServiceImpl:
> ...
> public UserServiceImpl(PasswordEncoder encoder, SaltSource salt, UserDAO userDao, Logger logger, IRoleService roleService) {
>     this.encoder = encoder;
>     this.salt = salt;
>     this.userDao = userDao;
>     this.logger = logger;
>     this.roleService = roleService;
> }
> ...
> public long createUser(User user) {
>     String clearTextPassword = user.getPassword();
>     user.setPassword(encoder.encodePassword(clearTextPassword, salt.getSalt(user)));
>     user.addRole(roleService.findByAuthority("USER_ROLE"));
>     this.save(user);
>     return user.getId();
> }
>
> The password is stored as VARCHAR in the DB. I had suspected that as well,
> but since encoder is configured in appmodule and salt and encoder both
> injected, I assumed this should be fine. Do I have to implement
> SaltSourceService myself?
>
> On 10.06.2010 10:39, Christophe Cordenier wrote:
>
>> Have you checked that the encoder used by the Spring filter is the same one you use
>> to encode it in your DB?
>>
>> Password encoding is made of a salt and an algorithm.
>>
>> 2010/6/10 Daniel Henze <dhe...@googlemail.com>
>>
>>> Thanks for your reply.
>>>
>>> Yes, I did check that. And it's ok, lovely long and encrypted passwords.
>>>
>>> Daniel
>>>
>>> On 10.06.2010 09:51, Christophe Cordenier wrote:
>>>
>>>> Hi
>>>>
>>>> I guess you already did it but have you checked if the password is stored
>>>> in SHA1?
>>>>
>>>> 2010/6/10 Daniel Henze <dhe...@googlemail.com>
>>>>
>>>>> Hi there,
>>>>>
>>>>> I installed Tapestry-Spring-Security and followed the installation and
>>>>> configuration advice. But I have no luck as the login does not work for me
>>>>> and always returns "Username and/or password was wrong!". There was a recent
>>>>> post about the "Bad credentials" and it was the wrong SaltService at the
>>>>> end, but I doubt that is the reason here as I'm following standard
>>>>> installation.
>>>>>
>>>>> I tried different approaches (the IUserService extending the
>>>>> UserDetailsService and all methods implemented in UserServiceImpl) to not
>>>>> setting the Password encoder and even switching from MySQL to HSQLDB and
>>>>> back. It's probably just a glitch, but I'd appreciate if someone could
>>>>> enlighten me.
>>>>>
>>>>> Cheers
>>>>> Daniel
>>>>>
>>>>> -----------
>>>>>
>>>>> My Setup:
>>>>>
>>>>> class: User implements UserDetails
>>>>>
>>>>> service: UserDetailsServiceImpl implements UserDetailsService
>>>>>     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
>>>>>         User u = userDao.findByUsername(username);
>>>>>         if (u != null) {
>>>>>             return u;
>>>>>         }
>>>>>         return null;
>>>>>     }
>>>>>
>>>>> service: UserServiceImpl implements IUserService (Domain specific methods,
>>>>> e.g. User creation)
>>>>>
>>>>> DAO: UserDAOHibernate
>>>>>     public User findByUsername(String username) {
>>>>>         return (User) session.createCriteria(User.class)
>>>>>                 .add(Restrictions.eq("username", username))
>>>>>                 .uniqueResult();
>>>>>     }
>>>>>
>>>>> page: LoginPage and its template
>>>>>
>>>>> AppModule:
>>>>>     public static void bind(ServiceBinder binder) {
>>>>>         ...
>>>>>         binder.bind(IUserService.class, UserServiceImpl.class);
>>>>>     }
>>>>>
>>>>>     public static void contributeApplicationDefaults(
>>>>>             MappedConfiguration<String, String> configuration) {
>>>>>         ...
>>>>>         configuration.add("spring-security.failure.url", "/loginpage/failed");
>>>>>         configuration.add("spring-security.accessDenied.url", "/forbidden");
>>>>>         ...
>>>>>     }
>>>>>
>>>>>     public static UserDetailsService buildUserDetailsService(
>>>>>             @Inject UserDAO userDao) {
>>>>>         System.out.println("Building UserDetailService");
>>>>>         return new UserDetailsServiceImpl(userDao);
>>>>>     }
>>>>>
>>>>>     public static void contributeAlias(
>>>>>             Configuration<AliasContribution<PasswordEncoder>> configuration) {
>>>>>         configuration.add(AliasContribution.create(
>>>>>                 PasswordEncoder.class,
>>>>>                 new ShaPasswordEncoder()));
>>>>>     }
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>>>> For additional commands, e-mail: users-h...@tapestry.apache.org

--
Regards,
Christophe Cordenier.

Developer of wooki @wookicentral.com
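The check advised at the top of this reply, as an added example (not part of the original thread, and not wooki or tapestry-spring-security code): given a test account's known password and its stored hash, it reports which algorithm and salt reproduce the stored value, so a creation-time/login-time mismatch becomes visible. The `password{salt}` merge, the hex output, the class and method names and all sample values are assumptions constructed for illustration; adjust them to the encoder actually configured.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

public class EncodingMismatchCheck {
    // Assumption: password and salt are merged as "password{salt}" (no suffix when the
    // salt is null) and the digest is stored hex-encoded.
    static String encode(String algorithm, String rawPassword, Object salt)
            throws NoSuchAlgorithmException {
        String merged = (salt == null) ? rawPassword : rawPassword + "{" + salt + "}";
        byte[] digest = MessageDigest.getInstance(algorithm)
                .digest(merged.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }
    // Returns "algorithm / salt=label" for the first combination that reproduces the
    // stored value, or null when none of the candidates does.
    static String findMatchingEncoding(String stored, String rawPassword,
                                       Map<String, Object> candidateSalts)
            throws NoSuchAlgorithmException {
        for (String algorithm : new String[] {"SHA-1", "SHA-256", "MD5"}) {
            for (Map.Entry<String, Object> salt : candidateSalts.entrySet()) {
                String candidate = encode(algorithm, rawPassword, salt.getValue());
                if (MessageDigest.isEqual(candidate.getBytes(StandardCharsets.UTF_8),
                        stored.getBytes(StandardCharsets.UTF_8))) {
                    return algorithm + " / salt=" + salt.getKey();
                }
            }
        }
        return null;
    }
    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed test account: the stored value was created with the username as salt.
        String stored = encode("SHA-1", "s3cret-test", "daniel");
        Map<String, Object> salts = new LinkedHashMap<>();
        salts.put("none", null);
        salts.put("username", "daniel");
        salts.put("id", 42L);
        // Login side configured without a salt: the comparison that produces "bad credentials".
        System.out.println("login (no salt) matches: "
                + stored.equals(encode("SHA-1", "s3cret-test", null)));
        System.out.println("stored value was produced by: "
                + findMatchingEncoding(stored, "s3cret-test", salts));
    }
}
```

Run it against a throwaway test account only, with the stored value copied from the DB; a `null` result means the stored hash was produced by an algorithm or salt outside the candidates listed.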