  • openId4java 0.9.5 + spring 3.0.x ?

    It really seems like openId4java 0.9.5 is broken, hence there is no way to succeed with openid + spring 3.0.x

    I've been round + round with this, definitely get the YadisException 0x704 error, and it always fails on the return to the spring app.

    I'm confused, and all the examples using openid-login are worthless in this case. The best bet is this blog:

    http://technowobble.blogspot.com/201...ys-openid.html

    Only thing is, I can't get 0.9.6-SNAPSHOT (trunk) to compile and I don't want to build up their project (openid4java) locally as it's really messy.

    Can someone point me to a build of 0.9.6-SNAPSHOT for openid4java?

    If anyone can make this stuff work I'd like that as well

  • #2
    spring-security 3.0.x

    that's spring-security 3.0.x

    Comment


    • #3
      I'm not sure that I have enough information to be of any help. I am guessing from the blog post you mentioned that you may be trying to run on GAE? Can you try and clarify what you are trying to do, what you expect to happen, and what is actually happening? Including spring config and custom classes would also be helpful.

      PS: Have you looked at the openid sample application? It is not specifically mentioned in the reference, but you can obtain it from git using:

      Code:
      git clone git://git.springsource.org/spring-security/spring-security.git -b 3.0.x
      HTH,

      Comment


      • #4
        @j0h5, Spr Sec 3 definitely works with openid4java 0.9.5.

        What specific error are you seeing, and which OpenID Provider are you trying to access?

        Comment


        • #5
          SSL handshake in YadisResolver

          First issue: if you use the openid-login tag and try to add attributes it will fail with ClassCastException (and all the docs point out that this is proper, so that's no good):

          This fails for me.

          Code:
            <openid-login>
              <attribute-exchange>
                <openid-attribute name="email" type="http://axschema.org/contact/email" required="true" />
                <openid-attribute name="name" type="http://axschema.org/namePerson" />
              </attribute-exchange>
            </openid-login>
          Which is why I now do the following, with a bonus that I could swap out the httpclient if needed:

          Code:
          <beans xmlns="http://www.springframework.org/schema/beans"
            xmlns:security="http://www.springframework.org/schema/security"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                    http://www.springframework.org/schema/security
                    http://www.springframework.org/schema/security/spring-security-3.0.xsd">

            <security:http use-expressions="true">
              <security:form-login
                  login-processing-url="/static/j_spring_security_check"
                  login-page="/ui/login.ui"
                  authentication-failure-url="/ui/login.ui?login_error=t"/>
              <security:logout logout-url="/j_spring_security_logout"/>
              <security:intercept-url pattern="/ui/**" access="permitAll" requires-channel="https"/>
              <security:intercept-url pattern="/p/**" access="isAuthenticated()" requires-channel="https"/>
              <security:intercept-url pattern="/pu/**" access="isAuthenticated()" requires-channel="https"/>
              <security:custom-filter position="OPENID_FILTER" ref="openIdAuthFilter"/>
            </security:http>

            <security:authentication-manager alias="authenticationManager">
              <security:authentication-provider ref="openIdAuthProvider"/>
            </security:authentication-manager>

            <bean id="openIdAuthProvider" class="org.springframework.security.openid.OpenIDAuthenticationProvider">
              <property name="userDetailsService" ref="openIdUserDetailsService"/>
            </bean>

            <bean id="openIdUserDetailsService" class="com.foo.spring.OpenIdUserDetailsService"/>

            <bean id="openIdAuthFilter" class="org.springframework.security.openid.OpenIDAuthenticationFilter">
              <property name="authenticationManager" ref="authenticationManager"/>
              <property name="consumer" ref="openIdAuthConsumer"/>
            </bean>

            <!-- Explicit consumer instead of <openid-login>: the attribute list is built here,
                 and the ConsumerManager (and with it the HTTP client) can be swapped out. -->
            <bean id="openIdAuthConsumer" class="org.springframework.security.openid.OpenID4JavaConsumer">
              <constructor-arg index="0" ref="openIdAuthConsumerManager"/>
              <constructor-arg index="1">
                <list value-type="org.springframework.security.openid.OpenIDAttribute">
                  <bean class="org.springframework.security.openid.OpenIDAttribute">
                    <constructor-arg index="0" value="email"/>
                    <constructor-arg index="1" value="http://schema.openid.net/contact/email"/>
                    <property name="required" value="true"/>
                  </bean>
                  <bean class="org.springframework.security.openid.OpenIDAttribute">
                    <constructor-arg index="0" value="name"/>
                    <constructor-arg index="1" value="http://schema.openid.net/namePerson/friendly"/>
                    <property name="required" value="false"/>
                  </bean>
                </list>
              </constructor-arg>
            </bean>

            <!-- Default ConsumerManager (default discovery and HTTP fetcher). -->
            <bean id="openIdAuthConsumerManager" class="org.openid4java.consumer.ConsumerManager"/>

            <!-- Alternative, currently disabled: replace the self-closing bean above with this one
                 to inject a custom HttpFetcherFactory / HttpCacheProvider into discovery.
            <bean id="openIdAuthConsumerManager" class="org.openid4java.consumer.ConsumerManager">
              <constructor-arg index="0" ref="openIdRealmVerifierFactory"/>
              <constructor-arg index="1" ref="openIdDiscovery"/>
              <constructor-arg index="2" ref="openIdHttpFetcherFactory"/>
            </bean>
            <bean id="openIdRealmVerifierFactory" class="org.openid4java.server.RealmVerifierFactory">
              <constructor-arg index="0" ref="openIdYadisResolver"/>
            </bean>
            <bean id="openIdYadisResolver" class="org.openid4java.discovery.yadis.YadisResolver">
              <constructor-arg index="0" ref="openIdHttpFetcherFactory"/>
            </bean>
            <bean id="openIdHttpFetcherFactory" class="org.openid4java.util.HttpFetcherFactory">
              <constructor-arg index="0" ref="openIdhttpProvider"/>
            </bean>
            <bean id="openIdhttpProvider" class="com.technowobble.security.MyHttpCacheProvider"/>
            <bean id="openIdDiscovery" class="org.openid4java.discovery.Discovery">
              <constructor-arg index="0" ref="openIdHtmlResolver"/>
              <constructor-arg index="1" ref="openIdYadisResolver"/>
              <constructor-arg index="2" ref="openIdXriResolver"/>
            </bean>
            <bean id="openIdHtmlResolver" class="org.openid4java.discovery.html.HtmlResolver">
              <constructor-arg index="0" ref="openIdHttpFetcherFactory"/>
            </bean>
            <bean id="openIdXriResolver" class="org.openid4java.discovery.xri.XriDotNetProxyResolver">
              <constructor-arg index="0" ref="openIdHttpFetcherFactory"/>
            </bean>
            -->

          </beans>
          Now this seems promising. But based on trying it out with a few openid urls, it fails with an SSLHandshakeException in the YadisResolver. I've debugged right up to the commons-httpclient method execute, at which point it blows. This might be a bug with commons-httpclient (3.0.1). I've tried adding the google ssl cert to my local truststore but still get the same failure.

          The openid urls I've tried with:

          https://www.google.com/accounts/o8/id
          https://me.yahoo.com

          Even if I use "http" instead, those openid services will just redirect to the SSL url and the failure still happens.

          Still tinkering however, I'll have to try it outside of the work DMZ later.

          -J

          Comment


          • #6
            SSL error

            javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

            Comment


            • #7
              Originally posted by j0h5:
              First issue: if you use the openid-login tag and try to add attributes it will fail with ClassCastException (and all the docs point out that this is proper, so that's no good):

              What exception are you getting? You're using Spr Sec 3.0.x, and not 3.1, right?

              Originally posted by j0h5:
              But based on trying it out with a few openid urls, it fails with an SSLHandshakeException in the YadisResolver.

              This sounds like an issue with your network connectivity?

              Comment


              • #8
                You might try 3.1 as it demonstrates support for Google and Yahoo as an OP. If you need to use 3.0.x then this should still give you an idea of how to implement it. You can find the sample in master of git.

                Cheers,

                Comment


                • #9
                  also userService

                  Also, all the userService examples for allowing openid users are completely wrong. The assumption that each openid url by user is unique is not correct.

                  For example, what do you tag in here for the google openid? This would work the same for all users of google, so all google users are "supervisor" ... granted this is a simple example but all over the place people are making the assumption of unique openid url by user.

                  <user-service id="userService">
                    <user name="https://www.google.com/accounts/o8/id" password="notused"
                          authorities="ROLE_SUPERVISOR,ROLE_USER" />
                  </user-service>

                  Comment


                  • #10
                    Originally posted by j0h5:
                    Also, all the userService examples for allowing openid users is completely wrong. The assumption that each openid url by user is unique is not correct.
                    Actually all identifiers must be unique for a user...how else would you uniquely identify the user using openid?

                    Originally posted by j0h5:
                    <user name="https://www.google.com/accounts/o8/id"
                    The url https://www.google.com/accounts/o8/id is the OpenID Provider URL used to discover where to log in to, not the user's identifier. Real google openids look something like https://www.google.com/accounts/o8/i...KLFJDSjsadfiIW and are unique.

                    I highly recommend you run the working examples in either 3.0.x branch or 3.1 for some cool new stuff.

                    Comment


                    • #11
                      Ok

                      I'll dig into that tonight.

                      I mentioned that openid url bit b/c every example I see on the web has that for the userService entry, not the unique pointed url that comes back from the provider. It's just silly so I brought it up ;/

                      Comment


                      • #12
                        truststore issue

                        I had a few issues but the main YadisResolver exception was due to my truststore not being set up correctly.

                        You have to get the certificate(s) from the openid providers and import them into your truststore, at least when you're doing dev and using self signed certs etc.

                        Comment
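The "PKIX path building failed" error from post #6 is the JVM's default trust manager rejecting the provider's certificate chain during Yadis discovery, and post #12 resolves it by fixing the truststore. The following is an added diagnostic, not code from this thread, openid4java or Spring Security: it validates with the same default truststore the application uses, and when validation fails it prints the chain the server actually sent, so you import the right trust anchor rather than the leaf certificate. The class name `ChainDiagnostic` is hypothetical; the default host `www.google.com` is the OP host from the thread.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Hypothetical class name; not part of openid4java or Spring Security.
public class ChainDiagnostic {
    /** Validates exactly like the JVM default trust manager; on failure it also prints
     *  the chain the server presented, so the missing issuer is visible, not guessed. */
    static final class ReportingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;

        ReportingTrustManager() throws Exception {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null = -Djavax.net.ssl.trustStore or $JAVA_HOME/lib/security/cacerts
            this.delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            try {
                delegate.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                System.err.println("Server chain rejected by the current truststore:");
                for (int i = 0; i < chain.length; i++) {
                    System.err.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal()
                        + "  issuer=" + chain[i].getIssuerX500Principal());
                }
                System.err.println("Import the issuer of the last entry (or that entry itself if "
                    + "self-signed) as the trust anchor, not the leaf certificate.");
                throw e; // fail closed: this only explains the failure, it never bypasses it
            }
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "www.google.com"; // OP host used in the thread
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReportingTrustManager() }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake(); // throws SSLHandshakeException with the PKIX message from post #6
            System.out.println("Handshake OK: " + host + " chains to a trusted root.");
        }
    }
}
```

Run it with the same `-Djavax.net.ssl.trustStore` settings as the web application, since commons-httpclient 3.x picks up the JVM default SSL socket factory and therefore the same truststore; once the handshake succeeds here, the YadisResolver failure from a missing trust anchor goes away as well.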
