Guide to implementing spring security password recovery with dynamic URL sent to email

Aubergine picture Aubergine · Jun 20, 2013 · Viewed 19.6k times · Source

I found it very difficult to do password recovery, since I've never done it before.

So far I have web app which has:

Spring Security, where password is properly hashed and user roles implemented and work correctly.

The strategy hints research from stackoverflow:

  1. User hits forgot-password button, where he enters his email address.
  2. Dynamic link is sent to email address
  3. User opens link in email address
  4. Which redirects him to password reset page

What is not known:

  • How to give link dynamic nature - methods of generations
  • Link has a timeout - some questions were found here, but often involve custom handler or extension to spring security functionality
  • A request mapping methods to respond to such dynamic link
  • Temporary link storage methods - database, session etc. ?

As you can see the list is quite severe for a single question. So was hoping you might be able to provide guide resources to how to do it step by step. I was a little surprised I could not find much on this in Spring Security documentation. Thanks.

I am student so don't know really industry best practices for doing so especially in the context of Java, so I really hope anyone will be able to help.

Answer

Shaun the Sheep picture Shaun the Sheep · Jun 21, 2013

The problem doesn't really have much to do with Spring Security. Provided you know the structure of the user database and the password encoder used, it's really just implementing a workflow involving data access, web controllers and sending an email. The link should contain a random token string (use SecureRandom and a base64 encoder, for example) and it should be stored in a database with the userId and a timestamp (for validating the window within which the link is valid). The controller would simply extract the token from the incoming request, load the data from the database using the token. It would check the timestamp and then forward the user to a password entry form. Depending on requirements, you might also want them to answer some other security questions too. You'd then validate and encode the password and store it in the account matching the userId stored in the reset link table. It would also make sense to have a batch job running to remove expired links from the database.

The Grails Spring Security UI plugin already has a forgot password option which you can either use directly or use as a reference.