
Thread: Spring Security + Spring Social + Filters

  1. #11
    Join Date
    Apr 2011
    Posts
    9

    Default How to get signin info in signup controller

    Hello,

    I'm trying to do something close but I try to keep using the spring-social signin mechanism.

    However, I would like to facilitate signup when coming from twitter (or any other 3rd party), for example by automatically filling the account name with the providerAccountId.

    I've been looking for an easy way to get the data in the signup controller but without any success. Here is the dirty hack I use (for twitter only for the moment):

    Code:
    	@RequestMapping(value="/signup", method=RequestMethod.GET)
    	public String signUp(Model model,WebRequest request) {
    		ProviderSignInAttempt signInAttempt = (ProviderSignInAttempt) request.getAttribute(ProviderSignInAttempt.SESSION_ATTRIBUTE, WebRequest.SCOPE_SESSION);
    		if (signInAttempt instanceof OAuth1ProviderSignInAttempt) {
    			OAuth1ProviderSignInAttempt obj = (OAuth1ProviderSignInAttempt)signInAttempt;
    			try {
    				Field f = obj.getClass().getDeclaredField("accessToken");
    				f.setAccessible(true);
    				String accessToken = (String) f.get(obj); 
    				Field f2 = obj.getClass().getDeclaredField("accessTokenSecret");
    				f2.setAccessible(true);
    				String accessTokenSecret = (String) f2.get(obj); 
    				Field f3 = obj.getClass().getDeclaredField("serviceProviderLocator");
    				f3.setAccessible(true);
    				AbstractOAuth1ServiceProvider<?> serviceProvider  = (AbstractOAuth1ServiceProvider<?>)((Provider<? extends OAuth1ServiceProvider<?>>) f3.get(obj)).get(); 
    				Field f4 = serviceProvider.getClass().getSuperclass().getDeclaredField("consumerKey");
    				f4.setAccessible(true);
    				String consumerKey = (String) f4.get(serviceProvider); 
    				Field f5 = serviceProvider.getClass().getSuperclass().getDeclaredField("consumerSecret");
    				f5.setAccessible(true);
    				String consumerSecret = (String) f5.get(serviceProvider); 
    				TwitterTemplate  t =  new TwitterTemplate(consumerKey, consumerSecret, accessToken, accessTokenSecret);
    				
    				//t.getProfileId());
    							
    			} catch (SecurityException e) {
    				e.printStackTrace();
    			} catch (NoSuchFieldException e) {
    				e.printStackTrace();
    			} catch (IllegalAccessException e) {
    				e.printStackTrace();
    			}
    		}
    		// The posted snippet was cut off here; the view name below is assumed.
    		return "signup";
    	}

    Is there any "legal" way to do the same thing ?

    Thanks

    Shad

  2. #12
    Join Date
    Aug 2004
    Location
    Melbourne, FL
    Posts
    2,794

    Default

    Would suggest taking a look at the latest code on github.

    Keith
    Keith Donald
    Core Spring Development Team

  3. #13
    Join Date
    Apr 2011
    Posts
    9

    Default

    I've been looking at the latest github code and did not find exactly what I'm looking for.

    There is now a better way to get the provider API like in https://github.com/SpringSource/spri...eProvider.java

    Code:
    public TwitterApi getServiceApi(String accessToken, String secret) {
    		return new TwitterTemplate(getConsumerKey(), getConsumerSecret(), accessToken, secret);
    	}
    But I still can't figure out how to get the accessToken and secret in the signup controller. Am I missing something?

    I think that the easiest way could be adding two methods in https://github.com/SpringSource/spri...InAttempt.java :
    - something like: public String getProviderAccountId()
    - a more advanced method to get the provider api object (something close to the getServiceApi method but without the need to send the accessToken or the secret)

    Thanks for your support

  4. #14
    Join Date
    Aug 2004
    Location
    Melbourne, FL
    Posts
    2,794

    Default

    It would be helpful to understand what you're trying to do. Why would you need to customize the ProviderSignInController and work with an accessToken and secret yourself? You might want to review the new code in ProviderSignInController in the spring-social-web module--it's designed to work in a generic manner and does capture the providerAccountId when creating and adding a ServiceProviderConnection.

    Keith
    Keith Donald
    Core Spring Development Team

  5. #15
    Join Date
    Apr 2011
    Posts
    9

    Default

    I want to simplify the signup process when a user is using a 3rd party provider such as twitter or facebook.
    Basically I want to prefill the signup form with some details from the external account (such as profile picture, providerAccountName, etc...)

  6. #16
    Join Date
    Apr 2011
    Posts
    9

    Default

    After looking at the latest github code, perhaps getting access to the connection attribute of ProviderSignInAttempt is what I need to fit my requirements.

  7. #17
    Join Date
    Aug 2004
    Location
    Melbourne, FL
    Posts
    2,794

    Default

    Ok, now we're getting somewhere. What exact "provider user" fields do you need to obtain to populate your signup form? Would you expect to send these field values through as parameters in a redirect to the signup form, or store them in session scope through the signup process?
    Keith Donald
    Core Spring Development Team

  8. #18
    Join Date
    Apr 2011
    Posts
    9

    Default

    For the moment I need the providerAccountId/screenname and profile picture url. But I suggest that you provide a way to get the full api template for more advanced usage (in this case it's probably up to the developer to cast what you return to the native template object).

    I'm not sure what the best way is to make this available to developers.
    Storing it in the session and having a function in https://github.com/SpringSource/spri...gnInUtils.java may be the easiest way.

    Using request parameters is not my favorite option because some developers might innocently trust untrusted input.

  9. #19
    Join Date
    Aug 2004
    Location
    Melbourne, FL
    Posts
    2,794

    Default

    Well, take a look at the ServiceProviderConnection interface and the ServiceProviderUser object returned from getUser() and let me know if that meets your needs. If you need the specific provider API, you can call getServiceApi(); however, you'd be tying yourself to a specific provider then. The ServiceProviderConnection is designed to provide the uniform interface and that's what I want to make sure has the right balance of "common properties".

    Keith
    Keith Donald
    Core Spring Development Team

  10. #20
    Join Date
    Apr 2011
    Posts
    9

    Default

    That seems fine as soon as I can get an instance of this connection object.

    Is it acceptable to provide an accessor to

    private final ServiceProviderConnection<?> connection; in ProviderSignInAttempt (https://github.com/SpringSource/spri...InAttempt.java)?

    In this case I agree that developers should use the getUser() method for all common attributes.
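
The session-based prefill this thread converges on, as an added example that is not part of any post above and is not the project's own code. It assumes the Spring Social 1.0.x release API (`ProviderSignInUtils.getConnection` and `Connection`), whose class names differ from the milestone names discussed in the thread; the model attribute names, view name, character set and length limit are hypothetical.

```java
import java.net.URI;
import org.springframework.social.connect.Connection;
import org.springframework.social.connect.web.ProviderSignInUtils;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.request.WebRequest;

@Controller
public class SignupController {

    @RequestMapping(value = "/signup", method = RequestMethod.GET)
    public String signUp(Model model, WebRequest request) {
        // The pending connection was placed in the HTTP session by the provider
        // sign-in flow. Nothing is read from query parameters, and no reflection
        // or direct handling of access tokens and consumer secrets is needed.
        Connection<?> connection = ProviderSignInUtils.getConnection(request);
        if (connection != null) {
            model.addAttribute("providerId", connection.getKey().getProviderId());
            model.addAttribute("suggestedUsername", cleanName(connection.getDisplayName()));
            model.addAttribute("pictureUrl", httpsOrNull(connection.getImageUrl()));
        }
        return "signup"; // assumed view name
    }

    // Profile fields are chosen by the user at the provider, so they are only
    // suggestions: keep a conservative character set and cap the length
    // (both limits are assumptions for this example).
    static String cleanName(String displayName) {
        if (displayName == null) return "";
        String s = displayName.replaceAll("[^A-Za-z0-9_.-]", "");
        return s.length() > 30 ? s.substring(0, 30) : s;
    }

    // Accept only absolute https URLs for the profile picture; drop anything else.
    static String httpsOrNull(String url) {
        if (url == null) return null;
        try {
            URI u = URI.create(url);
            return "https".equalsIgnoreCase(u.getScheme()) && u.getHost() != null ? url : null;
        } catch (IllegalArgumentException e) {
            return null;
        }
    }
}
```

The values are still validated again when the signup form is submitted, since the user can edit the prefilled fields before posting.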
