jamesfredley opened a new pull request, #1207:
URL: https://github.com/apache/grails-spring-security/pull/1207

## Summary

Documents a common pitfall where `springSecurityService` is `null` on freshly constructed User domain instances in `BootStrap.groovy`, causing passwords to be stored in plaintext when using the older `beforeInsert()` encoding pattern.

## Problem

When using the older User domain class pattern (with `springSecurityService` as a `transient` field and password encoding in `beforeInsert()`), creating users in `BootStrap.groovy` silently fails to encode passwords:

```groovy
// In BootStrap.groovy - password will NOT be encoded
def testUser = new User(username: 'me', password: 'password').save()
```

Domain class instances created with `new` are plain Groovy objects - their transient service references are not autowired by Spring. The `springSecurityService` field is `null`, and the safe-navigation operator (`?.`) in `encodePassword()` silently skips encoding, storing the plaintext password.

This does not affect the newer `UserPasswordEncoderListener` pattern (generated since Spring Core 3.1.2), which uses a Spring-managed bean with `@Autowired` and handles encoding correctly via GORM persistence events.

## Changes

**`usingControllerAnnotations.adoc`** (tutorial):
- Added WARNING after the older User domain class pattern explaining that `springSecurityService` will be null in BootStrap
- Added new `bootstrapPasswordEncoding` section with:
  - Explanation of why transient services are null on new instances
  - Complete BootStrap example showing `PasswordEncoder` injection and pre-encoding
  - TIP about double-encoding risk and recommendation to use the `UserPasswordEncoderListener` pattern

**`gormAutowire.adoc`** (domain classes):
- Expanded the existing autowiring warning with concrete guidance about freshly constructed instances vs GORM-loaded instances
- Added cross-reference to the new `bootstrapPasswordEncoding` section
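The pitfall and the BootStrap pre-encoding described in the PR, as an added Groovy example (not code from the PR or from the plugin): it reproduces the silent `?.` skip on a freshly constructed `User`, the pre-encode-then-check pattern, and the double-encoding case from the TIP. It assumes a stand-in encoder with the `PasswordEncoder` encode/matches shape and a hand-invoked `beforeInsert()` in place of GORM's persistence event.

```groovy
import java.security.MessageDigest
import java.security.SecureRandom

// Stand-in for Spring Security's PasswordEncoder (encode/matches): demo hash only, not the plugin's bcrypt bean.
class DemoEncoder {
    String encode(CharSequence raw) {
        byte[] salt = new byte[16]
        new SecureRandom().nextBytes(salt)
        String s = salt.encodeHex().toString()
        return "demo:${s}:${digest(s + raw)}"
    }
    boolean matches(CharSequence raw, String encoded) {
        List<String> p = encoded.tokenize(':')
        p.size() == 3 && p[0] == 'demo' && MessageDigest.isEqual(digest(p[1] + raw).bytes, p[2].bytes)
    }
    private static String digest(String s) {
        MessageDigest.getInstance('SHA-256').digest(s.getBytes('UTF-8')).encodeHex().toString()
    }
}
// Older User domain pattern from the docs; GORM is absent here, so beforeInsert() is called by hand for save().
class User {
    def springSecurityService      // wired by GORM on loaded instances, null after `new`
    String username; String password
    def beforeInsert() { encodePassword() }
    protected void encodePassword() {
        password = springSecurityService?.encodePassword(password)   // no-op while null
    }
}
// What the BootStrap line from the PR description actually stores.
def bootstrapUnsafe() {
    User u = new User(username: 'me', password: 'password')
    u.beforeInsert()
    return u.password              // still 'password': plaintext reaches the database
}
// BootStrap pre-encoding with the injected encoder (`passwordEncoder` assumed to be the plugin's bean) plus a check.
def bootstrapSafe(DemoEncoder passwordEncoder, String raw = 'password') {
    User u = new User(username: 'me', password: passwordEncoder.encode(raw))
    assert u.password != raw && passwordEncoder.matches(raw, u.password)   // no plaintext about to be stored
    u.beforeInsert()               // service still null, so the encoded value is kept
    return u.password
}
// Double-encoding risk from the PR's TIP: if the hook does encode, the pre-encoded value is encoded again.
def doubleEncoded(DemoEncoder enc) {
    User u = new User(username: 'me', password: enc.encode('password'))
    u.springSecurityService = [encodePassword: { String r -> enc.encode(r) }]  // wired stand-in
    u.beforeInsert()
    return enc.matches('password', u.password)   // false: a login with 'password' would fail
}
def enc = new DemoEncoder()
assert bootstrapUnsafe() == 'password' && enc.matches('password', bootstrapSafe(enc)) && !doubleEncoded(enc)
```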
