Mix Spring Social Security with regular security?

  • Mix Spring Social Security with regular security?

    I noticed that there is a Spring Social Security project on GitHub that is not maintained by Spring and one that is maintained by Spring but doesn't have any documentation. Are these the same?

    The documentation that is available suggests that Spring Social Security can act as a replacement for normal "login/security" for a site. I use Spring as an alternative way to sign in/sign up; I imagine that most people use it that way. In this case, I would also like to do things like execute the LoginSuccessHandler etc.

    So, can you use this integration in this way also? Are there any special considerations for this?

    Kind regards,

  • #2
    I'm unclear on which projects you're referring to, but I assume that the one that is "maintained by Spring" and doesn't have documentation is the one at

    First, know that documentation is forthcoming. If I weren't overwhelmed preparing for SpringOne/2GX next week, I'd be writing that documentation right now. Expect the documentation to start taking shape over the next few weeks.

    The main thing that the spring-social-security project brings to the table is SocialAuthenticationFilter, a proper Spring Security authentication filter. That means that it plugs into Spring Security's filter chain just like any other authentication filter (like UsernamePasswordAuthenticationFilter). They can even work alongside those other authentication filters to offer multiple approaches to authentication.

    Because it's *just* an authentication filter, it can work with any of the other features of Spring Security. Because it extends AbstractAuthenticationProcessingFilter, I'd imagine that you would have no trouble using it with an AuthenticationSuccessHandler (although, admittedly, I've not tried this yet...sounds like I have a new TODO item).

    SocialAuthenticationFilter is a parallel component to Spring Social's ProviderSignInController. If you're using Spring Security for security then I recommend SocialAuthenticationFilter; ProviderSignInController is better when Spring Security isn't in play.

    SocialAuthenticationFilter is relatively new and although I've received some feedback on it, I'd appreciate more feedback. Try it out and let me know if something doesn't work the way you think it should.
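
The arrangement described in the reply above, as an added example that is not part of the original post or of either project's code: a form login and SocialAuthenticationFilter sharing one AuthenticationSuccessHandler. It assumes Spring Security 3.2+ Java configuration, spring-social-security 1.1.x with its SpringSocialConfigurer, and the usual Spring Social beans already in the context; the class names, URLs and session attribute are hypothetical.

```java
// Added example (not from the thread). Class names, URLs and AUTH_VIA are hypothetical.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.social.security.SocialAuthenticationFilter;
import org.springframework.social.security.SocialAuthenticationToken;
import org.springframework.social.security.SpringSocialConfigurer;

@Configuration
@EnableWebSecurity
public class MixedLoginSecurityConfig extends WebSecurityConfigurerAdapter {
    // One handler for both login paths, so post-login logic cannot drift between them.
    static class SharedSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res,
                Authentication auth) throws IOException, ServletException {
            // Record which mechanism authenticated this session (useful for audit or step-up).
            String via = auth instanceof SocialAuthenticationToken
                    ? "social:" + ((SocialAuthenticationToken) auth).getProviderId() : "form";
            req.getSession().setAttribute("AUTH_VIA", via);
            super.onAuthenticationSuccess(req, res, auth);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        final SharedSuccessHandler onSuccess = new SharedSuccessHandler();
        // The configurer builds SocialAuthenticationFilter and runs it through post-processors.
        SpringSocialConfigurer social = new SpringSocialConfigurer();
        social.addObjectPostProcessor(new ObjectPostProcessor<SocialAuthenticationFilter>() {
            @Override
            public <O extends SocialAuthenticationFilter> O postProcess(O filter) {
                filter.setAuthenticationSuccessHandler(onSuccess); // replaces the filter's default
                return filter;
            }
        });
        http.authorizeRequests()
                .antMatchers("/login", "/auth/**").permitAll() // /auth is the social filter's default URL
                .anyRequest().authenticated().and()
            .formLogin().loginPage("/login").successHandler(onSuccess).and()
            .apply(social);
    }
}
```

Replacing the filter's success handler means any post-login URL set on SpringSocialConfigurer no longer applies, so redirect targets belong on the shared handler.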


    • #3
      How to force the user to log in on Facebook for multiple users in the same browser using Spring Social?
      I have used auth_type = "reauthentication" as a parameter to Oauth2Parameter?
      But I didn't get the answer.


      • #4

        Is the spring-social-security project you mention (that isn't supported by Spring), this one provided by the SocialSignin project?

        If so, I've written a blog post describing the two projects and highlighting the differences in high-level user-flow with the two implementations - to help clear up the confusion caused by the projects having the same name.

        The SocialSignIn project was created before the official Spring project back in 2011, when I felt there was a need for tighter integration between Spring Social/Spring Security. Whilst similar in many ways, the aims of the projects are somewhat different - the original intention of the SocialSignIn version was to provide security solely based on connection status with SaaS providers - i.e. provide an alternative to implementing local username/password security.

        The most recent version of the SocialSignin spring-social-security project can be used in this way (as an alternative to username/password security) or can sit alongside an additional authentication mechanism.

        If these were the 2 projects that were referred to in the original post, I hope this post helps.


        Michael Lavelle