
  • Spring Security + Spring Social + Filters

    I've created a blog entry for some recent development I did to get Spring Social working with Spring Security via an AuthenticationFilter (as opposed to a SignInController).

    Hopefully this will serve a couple of purposes:
    1) It may be of use to other developers integrating Spring Social.
    2) It should demonstrate a particular use-case for Spring Social authentication that the current SignInControllers do not address. As such, hopefully the developers for Spring Social will have a look, in particular at the hacks I had to do for it to work, and consider if this is something they might want to look at in future releases.

  • #2
    Hi Abandonfish,

    I've just come here to post my own finding. I think that could be called bad timing.

    Anyway, here is my code: spring-social-security at GitHub

    My main intention so far was populating SecurityContext from Facebook cookies, that's why I was looking closely at the RememberMeAuthenticationFilter for my implementation. Still, I'd be happy if you had a look and gave some thoughts. I'll do the same with your blog post. Maybe it makes sense to join forces.

    Cheers, Stefan


    • #3
      That's great. Just highlights the need for the Filter based approach doesn't it? I've just started to look at your code and fortunately we haven't done exactly the same thing. So we should be able to figure out the best of both worlds and aim towards a design that fits everyone's authentication requirements.


      • #4
        Hey guys,

        So if I try to sum up your requirements it looks like:
        1. You'd like to see a Spring Security Filter that could authenticate the user by one of their provider accounts.
        2. You'd like the ability to create a local user profile implicitly without requiring the user to complete a registration form.

        Does this sum it up? Let us know if we are missing anything.



        • #5
          I'd be very happy if those features found their way into a future release. Thanks Keith.


          • #6

            1. Definitely a requirement, that's what both of us did so far, differently though.
            2. Sounds like a nice-to-have feature, not strictly required for spring-security integration though.

            What is still missing is a non-spring-mvc way to connect existing/new users to a service provider. That's what Abandonfish did. I focused on authenticating users based on information from the current request (i.e. FB cookies).

            I'll try to reuse Abandonfish's code in our GitHub project. Hence you could easily fork it from there to make it part of core at a later stage.


            • #7
              Some more discussion on the provider authentication model is happening here:


              • #8

                I've just forked spring-social and added spring-social-security as a sub module: I'll send a pull request as soon as I think it's ready.

                Next step will be to integrate Tim's (Abandonfish's) work.


                • #9
                  Any updates on this, can we expect Spring Security support rolled back into Spring Social anytime soon?


                  • #10
                    As far as I'm concerned, I still plan on working on it. Unfortunately, some other tasks are keeping me busy right now. Nevertheless, it's a high priority on my ToDo-pile. I can't decide whether it will be rolled back into spring-social though.


                    • #11
                      How to get signin info in signup controller


                      I'm trying to do something close but I try to keep using the spring-social signin mechanism.

                      However, I would like to facilitate signup when coming from twitter (or any other 3rd party), for example by automatically filling the account name with the providerAccountId.

                      I've been looking for an easy way to get the data in the signup controller but without any success. Here is the dirty hack I use (for twitter only for the moment):

                      	@RequestMapping(value="/signup", method=RequestMethod.GET)
                      	public String signUp(Model model, WebRequest request) {
                      		// Sign-in attempt stored in the session when no local account matched
                      		ProviderSignInAttempt signInAttempt = (ProviderSignInAttempt) request.getAttribute(ProviderSignInAttempt.SESSION_ATTRIBUTE, WebRequest.SCOPE_SESSION);
                      		if (signInAttempt instanceof OAuth1ProviderSignInAttempt) {
                      			OAuth1ProviderSignInAttempt obj = (OAuth1ProviderSignInAttempt) signInAttempt;
                      			try {
                      				// Reflection into non-public fields: without setAccessible(true),
                      				// Field.get() throws IllegalAccessException
                      				Field f = obj.getClass().getDeclaredField("accessToken");
                      				f.setAccessible(true);
                      				String accessToken = (String) f.get(obj);
                      				Field f2 = obj.getClass().getDeclaredField("accessTokenSecret");
                      				f2.setAccessible(true);
                      				String accessTokenSecret = (String) f2.get(obj);
                      				Field f3 = obj.getClass().getDeclaredField("serviceProviderLocator");
                      				f3.setAccessible(true);
                      				AbstractOAuth1ServiceProvider<?> serviceProvider = (AbstractOAuth1ServiceProvider<?>) ((Provider<? extends OAuth1ServiceProvider<?>>) f3.get(obj)).get();
                      				// The consumer credentials are declared on the provider's superclass
                      				Field f4 = serviceProvider.getClass().getSuperclass().getDeclaredField("consumerKey");
                      				f4.setAccessible(true);
                      				String consumerKey = (String) f4.get(serviceProvider);
                      				Field f5 = serviceProvider.getClass().getSuperclass().getDeclaredField("consumerSecret");
                      				f5.setAccessible(true);
                      				String consumerSecret = (String) f5.get(serviceProvider);
                      				// Rebuild a Twitter client from the extracted credentials
                      				TwitterTemplate t = new TwitterTemplate(consumerKey, consumerSecret, accessToken, accessTokenSecret);
                      			} catch (SecurityException e) {
                      				// failures are silently ignored, as in the posted snippet
                      			} catch (NoSuchFieldException e) {
                      			} catch (IllegalAccessException e) {
                      			}
                      		}
                      		return "signup"; // view name assumed; the posted snippet ends before the return
                      	}

                      Is there any "legal" way to do the same thing?




                      • #12
                        Would suggest taking a look at the latest code on github.



                        • #13
                          I've been looking at the latest github code and did not find exactly what I'm looking for.

                          There is now a better way to get the provider API like in

                          	public TwitterApi getServiceApi(String accessToken, String secret) {
                          		return new TwitterTemplate(getConsumerKey(), getConsumerSecret(), accessToken, secret);
                          	}

                          But I still can't figure out how to get the accessToken and secret in the signup controller. Am I missing something?

                          I think that the easier way could be adding two methods in :
                          - something like : public String getProviderAccountId()
                          - a more advanced method to get the provider api object (something close to the getServiceApi method but without the need to send either the accessToken or the secret)

                          Thanks for your support


                          • #14
                            It would be helpful to understand what you're trying to do. Why would you need to customize the ProviderSignInController and work with an accessToken and secret yourself? You might want to review the new code in ProviderSignInController in the spring-social-web module--it's designed to work in a generic manner and does capture the providerAccountId when creating and adding a ServiceProviderConnection.



                            • #15
                              I want to simplify the signup process when a user is using a 3rd party provider such as twitter or facebook.
                              Basically I want to prefill the signup form with some details from the external account (such as profile picture, providerAccountName, etc...)
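
An added example, not part of the thread and not code from any of the posters or from the Spring Social project: a signup controller that prefills the form through the supported connection API instead of reflecting into the sign-in attempt. It assumes the Spring Social 1.1 `ProviderSignInUtils` API, which is later than the code discussed above; the class name `SignupController`, the model attribute names, the `signup` view name and the `SAFE_NAME` policy are hypothetical.

```java
import java.util.regex.Pattern;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.social.connect.Connection;
import org.springframework.social.connect.ConnectionFactoryLocator;
import org.springframework.social.connect.UserProfile;
import org.springframework.social.connect.UsersConnectionRepository;
import org.springframework.social.connect.web.ProviderSignInUtils;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.request.WebRequest;

@Controller
public class SignupController {
    // Hypothetical local policy for account names; adjust to the application's rules.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,30}");
    private final ProviderSignInUtils signInUtils;

    @Autowired
    public SignupController(ConnectionFactoryLocator locator, UsersConnectionRepository repository) {
        this.signInUtils = new ProviderSignInUtils(locator, repository);
    }

    @RequestMapping(value = "/signup", method = RequestMethod.GET)
    public String signUp(Model model, WebRequest request) {
        // Stored in the session by ProviderSignInController when the provider account
        // matched no local user; null when the user reached /signup directly.
        Connection<?> connection = signInUtils.getConnectionFromSession(request);
        if (connection != null) {
            UserProfile profile = connection.fetchUserProfile();
            model.addAttribute("providerId", connection.getKey().getProviderId());
            model.addAttribute("suggestedUsername", safeName(profile.getUsername()));
            model.addAttribute("displayName", connection.getDisplayName());
            model.addAttribute("imageUrl", httpsOnly(connection.getImageUrl()));
        }
        return "signup"; // assumed view name
    }

    // Provider profile data is untrusted input: only suggest names that fit the local policy.
    static String safeName(String candidate) {
        return candidate != null && SAFE_NAME.matcher(candidate).matches() ? candidate : "";
    }

    // Drop image URLs that are not plain https links before they reach the template.
    static String httpsOnly(String url) {
        return url != null && url.startsWith("https://") ? url : null;
    }
}
```

The controller never reads the consumer secret or the access token. The display name and any other provider-supplied string still need output escaping in the view.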