I found it very difficult to do password recovery, since I've never done it before.
So far I have a web app which has:
Spring Security, where the password is properly hashed and user roles are implemented and work correctly.
The strategy hints from my research on Stack Overflow:
The problem doesn't really have much to do with Spring Security. Provided you know the structure of the user database and the password encoder used, it's really just implementing a workflow involving data access, web controllers and sending an email. The link should contain a random token string (use SecureRandom and a base64 encoder, for example) and it should be stored in a database with the userId and a timestamp (for validating the window within which the link is valid). The controller would simply extract the token from the incoming request, load the data from the database using the token. It would check the timestamp and then forward the user to a password entry form. Depending on requirements, you might also want them to answer some other security questions too. You'd then validate and encode the password and store it in the account matching the userId stored in the reset link table. It would also make sense to have a batch job running to remove expired links from the database.
The Grails Spring Security UI plugin already has a forgot password option which you can either use directly or use as a reference.
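As an added example, not code from the question or from the answer quoted above: a service that follows the quoted workflow (SecureRandom token, base64 encoding, stored with the userId and a timestamp, validity window checked on use, new password encoded with Spring Security's PasswordEncoder). It goes one step beyond the answer by storing only the SHA-256 of the token and removing it on first use, so a leaked reset-link table does not yield usable links. It assumes spring-security-crypto on the classpath and Java 16+; the maps and the class/method names are hypothetical stand-ins for the reset-link and user tables.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordResetService {
    private static final Duration VALIDITY = Duration.ofMinutes(30);
    private final SecureRandom random = new SecureRandom();
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    // Hypothetical in-memory stand-ins for the reset-link table and the user table.
    record ResetEntry(long userId, Instant createdAt) {}
    private final Map<String, ResetEntry> resetLinks = new ConcurrentHashMap<>(); // key: SHA-256(token)
    private final Map<Long, String> userPasswordHashes = new ConcurrentHashMap<>();

    /** Creates the token that goes into the e-mail link; only its hash is persisted. */
    public String createResetToken(long userId) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        resetLinks.put(sha256(token), new ResetEntry(userId, Instant.now()));
        return token;
    }

    /** Called by the controller with the token from the request and the new password. */
    public boolean resetPassword(String token, String newPassword) {
        ResetEntry entry = resetLinks.remove(sha256(token)); // lookup by hash; single use
        if (entry == null) return false;                      // unknown or already used
        if (entry.createdAt().plus(VALIDITY).isBefore(Instant.now())) return false; // expired
        if (newPassword == null || newPassword.length() < 12) return false;         // policy check
        userPasswordHashes.put(entry.userId(), encoder.encode(newPassword)); // store bcrypt hash only
        return true;
    }

    /** Login-side check, so the reset can be verified end to end. */
    public boolean passwordMatches(long userId, String candidate) {
        String hash = userPasswordHashes.get(userId);
        return hash != null && encoder.matches(candidate, hash);
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

The expiry sweep the answer mentions would iterate `resetLinks` and drop entries older than `VALIDITY`; in a real deployment the maps become repository calls.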