How to use org.springframework.social.security.SocialAuthenticationFilter?
  • #1

    Hi,

    I'm trying to use org.springframework.social.security classes before they are released, so please help me if you can. My question is how to use SocialAuthenticationFilter.

    In Spring Social QuickStart example, there is ProviderSignInController to handle OAuth dance. If I use SocialAuthenticationFilter, do I still need it or not?

    Here is the security.xml:

    Code:
    	<http use-expressions="true" entry-point-ref="socialAuthenticationEntryPoint">
    		<custom-filter position="PRE_AUTH_FILTER" ref="socialAuthenticationFilter" />
    		<logout logout-url="/signout" delete-cookies="JSESSIONID" />
    		<intercept-url pattern="/resources/**" access="permitAll" />
    		<intercept-url pattern="/signin" access="permitAll" />
    		<intercept-url pattern="/signin/*" access="permitAll" />
    		<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    		<intercept-url pattern="/**" access="permitAll" />
    	</http>
    
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider ref="socialAuthenticationProvider" />
    	</authentication-manager>
    The JavaConfig with related configuration beans:

    Code:
        import javax.inject.Inject;

        import org.springframework.context.annotation.Bean;
        import org.springframework.context.annotation.Configuration;
        import org.springframework.core.env.Environment;
        import org.springframework.security.authentication.AuthenticationManager;
        import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
        import org.springframework.social.connect.support.OAuth2ConnectionFactory;
        import org.springframework.social.google.api.Google;
        import org.springframework.social.google.connect.GoogleConnectionFactory;
        import org.springframework.social.security.SocialAuthenticationFilter;
        import org.springframework.social.security.SocialAuthenticationProvider;
        import org.springframework.social.security.SocialAuthenticationServiceLocator;
        import org.springframework.social.security.SocialAuthenticationServiceRegistry;
        import org.springframework.social.security.provider.OAuth2AuthenticationService;

        @Configuration
        public class SocialSecurityConfig {

            // Client id/secret are read from the environment, not hard-coded here.
            @Inject
            private Environment environment;

            // Injected from <authentication-manager alias="authenticationManager"> in security.xml.
            @Inject
            private AuthenticationManager authenticationManager;

            // Registry of the providers SocialAuthenticationFilter can authenticate against.
            @Bean
            public SocialAuthenticationServiceLocator socialAuthenticationServiceLocator() {
                SocialAuthenticationServiceRegistry registry = new SocialAuthenticationServiceRegistry();
                OAuth2ConnectionFactory<Google> googleConnectionFactory = new GoogleConnectionFactory(environment.getProperty("google.clientId"),
                        environment.getProperty("google.clientSecret"));
                OAuth2AuthenticationService<Google> googleAuthenticationService = new OAuth2AuthenticationService<Google>(googleConnectionFactory);
                // Only the profile scope needed to identify the user is requested.
                googleAuthenticationService.setScope("https://www.googleapis.com/auth/userinfo.profile");
                registry.addAuthenticationService(googleAuthenticationService);
                return registry;
            }

            // Plugged in at PRE_AUTH_FILTER in security.xml; it handles requests under /signin,
            // which is why /signin and /signin/* are permitAll there. accountService() and
            // usersConnectionRepository() are beans defined elsewhere in this config.
            @Bean
            public SocialAuthenticationFilter socialAuthenticationFilter() {
                SocialAuthenticationFilter filter = new SocialAuthenticationFilter(authenticationManager, accountService(),
                        usersConnectionRepository(), socialAuthenticationServiceLocator());
                filter.setFilterProcessesUrl("/signin");
                return filter;
            }

            // Turns the token produced by the filter into an authenticated user.
            @Bean
            public SocialAuthenticationProvider socialAuthenticationProvider() {
                return new SocialAuthenticationProvider(usersConnectionRepository(), accountService());
            }

            // Unauthenticated requests are redirected to the sign-in page.
            @Bean
            public LoginUrlAuthenticationEntryPoint socialAuthenticationEntryPoint() {
                return new LoginUrlAuthenticationEntryPoint("/signin");
            }
        }
    Not sure this is the correct way to use it.

    So far I can sign in with Google, but I'm still struggling with SocialAuthenticationToken.

    Thanks.

  • #2
    Short answer: No, you don't need ProviderSignInController if you're using SocialAuthenticationFilter. In many ways, there's overlap in what they do.

    Even though there's overlap, they both serve a purpose. ProviderSignInController is agnostic with regard to the underlying security mechanism, enabling you to use it even if you're not using Spring Security. SocialAuthenticationFilter, on the other hand, is tightly integrated with Spring Security (thus requiring it) making Spring Social essentially part of the Spring Security authentication mechanism.

    As far as usage: I'm planning to work up an example app using SocialAuthenticationFilter in the next couple of days. I've been away on vacation and am just now getting my head back around how it works, so I'm ill-equipped to give you a direct answer at this time. But by mid-next week I should have something for you to look at as an example of how to use SocialAuthenticationFilter.



    • #3
      Perfect timing

      I'm trying to use Spring Social to do sign in and automatic sign up in my blog app. Reading source code to understand the authentication mechanism is fun.

      Thank you for your reply.



      • #4
        Originally posted by yuanji:
            Reading source code to understand the authentication mechanism is fun.
        Tell me about it! Most of that code was a community contribution, so I spent a *lot* of time reading the source code to figure out what was going on.



        • #5
          The issue I have is with SocialAuthenticationToken. Its principal field is dynamically switched from ConnectionData to UserDetails. When SocialAuthenticationService.getAuthToken() creates the SocialAuthenticationToken, the token's principal is set to a ConnectionData object, with authenticated set to false. This token is passed by the filter to SocialAuthenticationProvider, where the ConnectionData is used to retrieve the userId, and a new SocialAuthenticationToken is created with the principal set to the UserDetails object from SocialUserDetailsService, and authenticated set to true.

          I don't feel comfortable with this design, where one field serves two purposes. I suggest keeping the principal as UserDetails, and adding a new field Connection<?> connection to SocialAuthenticationToken to keep the Connection.

          There is another reason I want to keep the connection. In SocialAuthenticationProvider.toUserId(), it can take the Connection from the token and call usersConnectionRepository.findUserIdsWithConnection(connection), because JdbcUsersConnectionRepository.findUserIdsWithConnection() will call ConnectionSignUp to do automatic signup. The current code calls usersConnectionRepository.findUserIdsConnectedTo(providerId, providerUserIds), which returns an empty set if it cannot find a signed-up user.

          Just my 2 cents.

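The two-phase flow described in post #5 (unauthenticated token carrying the provider connection, provider resolves a local userId, authenticated token carrying UserDetails), written out as an added example of the design the poster proposes. This is not Spring Social's own SocialAuthenticationToken/SocialAuthenticationProvider and not the poster's pull request: the token and provider classes below are hypothetical, and only Spring Security's AuthenticationProvider/AbstractAuthenticationToken and Spring Social's UsersConnectionRepository.findUserIdsWithConnection(...) and SocialUserDetailsService.loadUserByUserId(...) are taken as given. The rejection of a connection that maps to more than one local user, and the locked/disabled checks, are this example's own choices.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.social.connect.Connection;
import org.springframework.social.connect.UsersConnectionRepository;
import org.springframework.social.security.SocialUserDetailsService;

/**
 * Hypothetical token (this example's own, not Spring Social's SocialAuthenticationToken).
 * The principal is always a UserDetails, null until the provider resolves one, and the
 * provider Connection has its own field instead of being passed through getPrincipal().
 */
class ConnectionAuthenticationToken extends AbstractAuthenticationToken {

    private final Connection<?> connection;
    private final UserDetails principal;

    /** Phase 1: built by the filter right after the OAuth dance; not yet authenticated. */
    ConnectionAuthenticationToken(Connection<?> connection) {
        super(null);
        this.connection = connection;
        this.principal = null;
        super.setAuthenticated(false);
    }

    /** Phase 2: built by the provider once a local user has been resolved. */
    ConnectionAuthenticationToken(Connection<?> connection, UserDetails principal,
            Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.connection = connection;
        this.principal = principal;
        super.setAuthenticated(true);
    }

    Connection<?> getConnection() { return connection; }

    @Override public Object getPrincipal() { return principal; }

    /** The provider access token stays inside the Connection; the token itself carries no secret. */
    @Override public Object getCredentials() { return null; }

    /** Only the two-argument constructor may mark the token as trusted. */
    @Override
    public void setAuthenticated(boolean authenticated) {
        if (authenticated) {
            throw new IllegalArgumentException("Use the authenticated constructor to create a trusted token");
        }
        super.setAuthenticated(false);
    }
}

/** Hypothetical provider doing the Connection -> userId -> UserDetails step. */
public class ConnectionAuthenticationProvider implements AuthenticationProvider {

    private final UsersConnectionRepository usersConnectionRepository;
    private final SocialUserDetailsService userDetailsService;

    public ConnectionAuthenticationProvider(UsersConnectionRepository usersConnectionRepository,
            SocialUserDetailsService userDetailsService) {
        this.usersConnectionRepository = usersConnectionRepository;
        this.userDetailsService = userDetailsService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        ConnectionAuthenticationToken token = (ConnectionAuthenticationToken) authentication;
        Connection<?> connection = token.getConnection();
        String providerId = connection.getKey().getProviderId();

        // findUserIdsWithConnection consults the configured ConnectionSignUp when no local
        // user is linked yet, so automatic sign-up happens here, not in the filter.
        List<String> userIds = usersConnectionRepository.findUserIdsWithConnection(connection);
        if (userIds.isEmpty()) {
            throw new BadCredentialsException("No local user for " + providerId + " connection and sign-up declined");
        }
        if (userIds.size() > 1) {
            // One provider identity must never be able to sign in as several local accounts.
            throw new BadCredentialsException("Ambiguous local user for " + providerId + " connection");
        }

        UserDetails user = userDetailsService.loadUserByUserId(userIds.get(0));
        if (!user.isAccountNonLocked()) {
            throw new LockedException("Account is locked");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("Account is disabled");
        }
        return new ConnectionAuthenticationToken(connection, user, user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return ConnectionAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The provider would be registered the same way as socialAuthenticationProvider in the security.xml of the first post; the filter would construct the one-argument token after a successful OAuth exchange and hand it to the AuthenticationManager. Because getCredentials() returns null and the authenticated state can only be set through the authenticated constructor, nothing downstream can promote a phase-1 token to a trusted one by mistake.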


          • #6
            SOCIAL-345 was raised for the spring-social-security code refactoring.



            • #7
              Thanks for the pull request. I will be looking closely at this and get back to you if I have any questions or concerns.

              There are actually several loose-ends I'm working to tie up on the security stuff and it's taking me a bit longer than I'd like to pull them together. I intend to take a few days off next week for the Christmas holiday, but I'm hopeful to get this in a release-able state just on the other side of the new year. Your refactoring PR will be helpful, no doubt.



              • #8
                Thank you Craig. I updated the social security code to handle redirect, so SEC-2102 is not needed.

                Have a nice holiday!



                • #9
                  Update to my Spring Social Security experience:

                  http://www.jiwhiz.com/post/2013/1/Ad...to_Jiwhiz_Blog



                  • #10
                    Thanks for the writeup. Know that I'm still sorting through this, but I see an end to it soon. With any luck whatsoever (no promises), I hope to get most of the remaining issues cleared up this week and push a M2 release with the new security stuff in it by late this week or early next. I still have a few big challenges in the way, but I'm stubborn enough to get through them.



                    • #11
                      Thank you Craig.

                      I also posted my code about Customize Spring Social Connect Framework For MongoDB.

                      HTH



                      • #12
                        Hi Craig,
                        Originally posted by habuma:
                            Thanks for the pull request. I will be looking closely at this and get back to you if I have any questions or concerns........
                        Is there any chance the 'pull' will be merged into master after almost a month?
                        Actually I'm an interested party in using the (patched) spring-social-security module in a project. (Although I ran into my own problem in another thread.)
                        Last edited by blandger; Jan 17th, 2013, 03:05 PM. Reason: small addition



                        • #13
                          Honestly, I thought I had merged it already. I did merge it into my own fork, but I never sent a pull request from my fork to the main project. That has been done now, so it should be there (and will shortly be in a snapshot build). Sorry for the delay.

                          FWIW, this is all working splendidly for me right now. The only thing remaining to make it complete is to enable it to work alongside the simplified configuration options introduced in Spring Social 1.1.0.M1. I think I have it playing nice with the JavaConfig options. Just a bit more testing there and then I make it work with the XML configuration options. Hope to push a milestone containing this sometime next week, assuming I don't run into any surprises.



                          • #14
                            Thank you Craig, it's finally done.

                            I'm trying to create a 'canvas app' using Yuan's approach and the code base from his excellent blog posts, and I'm curious....
                            1. Can socialAuthenticationFilter handle the security issues for a FB canvas web app?
                            2. How do I properly initialize it for a canvas app? Say I have 'web url = http://site/signin' and 'canvas url = http://site/signin/facebook/'.

                            I added the XML snippet from the first post into my security.xml.
                            I see it is initialized, but I don't see it being called (under debug), although it contains
                            Code:
                            filter.setFilterProcessesUrl("/signin/");
                            I hit the breakpoint in the controller's code:
                            Code:
                            @RequestMapping(value = "/signin/")
                            public String signin(NativeWebRequest request, Model model) {
                            ........
                            How do I properly configure and use it? Is it suitable for a 'canvas' app?
                            Last edited by blandger; Jan 21st, 2013, 08:18 AM. Reason: one more update



                            • #15
                              Originally posted by habuma:
                                  Honestly, I thought I had merged it already. I did merge it into my own fork, but I never sent a pull request from my fork to the main project. That has been done now, so it should be there (and will shortly be in a snapshot build). ........
                              Craig, is it worth upgrading the gradle build file to the latest Spring 3.2.0.RELEASE dependency, to be 'lined up' with the other libraries?
                              Code:
                                    springVersion = '3.2.0.RELEASE' //'3.1.3.RELEASE'
                                    springSecurityVersion = '3.1.3.RELEASE'
                              It compiles fine, the tests don't fail, and it should run fine (I hope).
                              Last edited by blandger; Jan 21st, 2013, 12:28 PM. Reason: typo
