
Thread: How to use org.springframework.social.security.SocialAuthenticationFilter?

  1. #1
    Join Date
    Jan 2006
    Location
    Edmonton, Alberta, Canada
    Posts
    62

    How to use org.springframework.social.security.SocialAuthenticationFilter?

    Hi,

    I'm trying to use org.springframework.social.security classes before they are released, so please help me if you can. My question is how to use SocialAuthenticationFilter.

    In the Spring Social QuickStart example, there is ProviderSignInController to handle the OAuth dance. If I use SocialAuthenticationFilter, do I still need it or not?

    Here is the security.xml:

    Code:
    	<http use-expressions="true" entry-point-ref="socialAuthenticationEntryPoint">
    		<custom-filter position="PRE_AUTH_FILTER" ref="socialAuthenticationFilter" />
    		<logout logout-url="/signout" delete-cookies="JSESSIONID" />
    		<intercept-url pattern="/resources/**" access="permitAll" />
    		<intercept-url pattern="/signin" access="permitAll" />
    		<intercept-url pattern="/signin/*" access="permitAll" />
    		<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    		<intercept-url pattern="/**" access="permitAll" />
    	</http>
    
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider ref="socialAuthenticationProvider" />
    	</authentication-manager>

    The JavaConfig with related configuration beans:

    Code:
        @Bean
        public SocialAuthenticationServiceLocator socialAuthenticationServiceLocator() {
            SocialAuthenticationServiceRegistry registry = new SocialAuthenticationServiceRegistry();
            OAuth2ConnectionFactory<Google> googleConnectionFactory = new GoogleConnectionFactory(environment.getProperty("google.clientId"),
                    environment.getProperty("google.clientSecret"));
            OAuth2AuthenticationService<Google> googleAuthenticationService = new OAuth2AuthenticationService<Google>(googleConnectionFactory);
            googleAuthenticationService.setScope("https://www.googleapis.com/auth/userinfo.profile");
            registry.addAuthenticationService(googleAuthenticationService);
            return registry;
        }
    
        @Inject
        private AuthenticationManager authenticationManager;
    
        @Bean
        public SocialAuthenticationFilter socialAuthenticationFilter() {
            SocialAuthenticationFilter filter = new SocialAuthenticationFilter(authenticationManager, accountService(),
                    usersConnectionRepository(), socialAuthenticationServiceLocator());
            filter.setFilterProcessesUrl("/signin");
            return filter;
        }
    
        @Bean
        public SocialAuthenticationProvider socialAuthenticationProvider(){
            return new SocialAuthenticationProvider(usersConnectionRepository(), accountService());
        }
        
        @Bean
        public LoginUrlAuthenticationEntryPoint socialAuthenticationEntryPoint(){
            return new LoginUrlAuthenticationEntryPoint("/signin");
        }

    Not sure this is the correct way to use it.

    So far I can sign in with Google, but still struggle with SocialAuthenticationToken.

    Thanks.
    Yuan Ji
    www.jiwhiz.com - Passion for beautiful design

  2. #2
    Join Date
    Aug 2004
    Posts
    1,070

    Short answer: No, you don't need ProviderSignInController if you're using SocialAuthenticationFilter. In many ways, there's overlap in what they do.

    Even though there's overlap, they both serve a purpose. ProviderSignInController is agnostic with regard to the underlying security mechanism, enabling you to use it even if you're not using Spring Security. SocialAuthenticationFilter, on the other hand, is tightly integrated with Spring Security (thus requiring it) making Spring Social essentially part of the Spring Security authentication mechanism.

    As far as usage: I'm planning to work up an example app using SocialAuthenticationFilter in the next couple of days. I've been away on vacation and am just now getting my head back around how it works, so I'm ill-equipped to give you a direct answer at this time. But by mid-next week I should have something for you to look at as an example of how to use SocialAuthenticationFilter.
    Craig Walls
    Spring Social Project Lead

  3. #3
    Join Date
    Jan 2006
    Location
    Edmonton, Alberta, Canada
    Posts
    62

    Perfect timing

    I'm trying to use Spring Social to do sign in and automatic sign up in my blog app. Reading source code to understand the authentication mechanism is fun.

    Thank you for your reply.
    Yuan Ji
    www.jiwhiz.com - Passion for beautiful design

  4. #4
    Join Date
    Aug 2004
    Posts
    1,070

    Originally posted by yuanji:
        Reading source code to understand the authentication mechanism is fun.

    Tell me about it! Most of that code was a community contribution, so I spent a *lot* of time reading the source code to figure out what was going on.
    Craig Walls
    Spring Social Project Lead

  5. #5
    Join Date
    Jan 2006
    Location
    Edmonton, Alberta, Canada
    Posts
    62

    The issue I have is with SocialAuthenticationToken. Its field principle is dynamically switched from ConnectionData to UserDetails. When SocialAuthenticationToken called SocialAuthenticationService getAuthToken(), the token principle was set to ConnectionData object, with authenticated set to false. And this token was passed to SocialAuthenticationProvider by filter, where this ConnectionData was used to retrieve userId, and a new SocialAuthenticationToken was created with principle set to UserDetails object from SocialUserDetailsService, and authenticated set to true.

    I don't feel comfortable with this design, that one field served two purposes. I suggest to keep the principle to UserDetails, and add a new field Connection<?> connection into SocialAuthenticationToken to keep the Connection.

    There is another reason I want to keep the connection. In SocialAuthenticationProvider.toUserId(), it can pass the Connection from the token and call usersConnectionRepository.findUserIdsWithConnection(connection), because JdbcUsersConnectionRepository.findUserIdsWithConnection() will call ConnectionSignUp to do automatic signup. The current code calls usersConnectionRepository.findUserIdsConnectedTo(providerId, providerUserIds), which will return an empty set if it cannot find a signed-up user.

    Just my 2 cents.
    Yuan Ji
    www.jiwhiz.com - Passion for beautiful design
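
The design proposed in post #5, as an added example that is not part of the original post and not Spring Social's own code: the principal is only ever a UserDetails, the Connection travels in its own field, and the provider resolves the user through findUserIdsWithConnection() so that ConnectionSignUp can run. The class names ConnectionAuthToken, ConnectionAuthProvider and SeparateFieldsExample are hypothetical; Spring Security and Spring Social are assumed to be on the classpath.

```java
import java.util.List;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.social.connect.Connection;
import org.springframework.social.connect.UsersConnectionRepository;
import org.springframework.social.security.SocialUserDetailsService;

// Hypothetical class names; illustrates the proposal, not the project's implementation.
public class SeparateFieldsExample {

    static class ConnectionAuthToken extends AbstractAuthenticationToken {
        // transient: only needed during login, so it stays out of the serialized session
        private final transient Connection<?> connection;
        private final UserDetails principal; // null until the provider has resolved the user

        ConnectionAuthToken(Connection<?> connection) { // built by the filter
            super(null);
            this.connection = connection;
            this.principal = null;
            setAuthenticated(false);
        }
        ConnectionAuthToken(Connection<?> connection, UserDetails user) { // built by the provider
            super(user.getAuthorities());
            this.connection = connection;
            this.principal = user;
            setAuthenticated(true);
        }
        public Connection<?> getConnection() { return connection; }
        @Override public Object getPrincipal() { return principal; }
        @Override public Object getCredentials() { return null; }
    }

    static class ConnectionAuthProvider implements AuthenticationProvider {
        private final UsersConnectionRepository connections;
        private final SocialUserDetailsService users;

        ConnectionAuthProvider(UsersConnectionRepository c, SocialUserDetailsService u) {
            this.connections = c;
            this.users = u;
        }
        @Override public Authentication authenticate(Authentication auth) {
            Connection<?> conn = ((ConnectionAuthToken) auth).getConnection();
            // Exactly one local user may own the connection; zero or several is rejected.
            List<String> ids = connections.findUserIdsWithConnection(conn);
            if (ids.size() != 1) throw new BadCredentialsException("No unique user for connection");
            return new ConnectionAuthToken(conn, users.loadUserByUserId(ids.get(0)));
        }
        @Override public boolean supports(Class<?> type) { return ConnectionAuthToken.class.isAssignableFrom(type); }
    }
}
```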

  6. #6
    Join Date
    Jan 2006
    Location
    Edmonton, Alberta, Canada
    Posts
    62

    SOCIAL-345 was raised for the spring-social-security code refactoring.
    Yuan Ji
    www.jiwhiz.com - Passion for beautiful design

  7. #7
    Join Date
    Aug 2004
    Posts
    1,070

    Thanks for the pull request. I will be looking closely at this and get back to you if I have any questions or concerns.

    There are actually several loose-ends I'm working to tie up on the security stuff and it's taking me a bit longer than I'd like to pull them together. I intend to take a few days off next week for the Christmas holiday, but I'm hopeful to get this in a release-able state just on the other side of the new year. Your refactoring PR will be helpful, no doubt.
    Craig Walls
    Spring Social Project Lead

  8. #8
    Join Date
    Jan 2006
    Location
    Edmonton, Alberta, Canada
    Posts
    62

    Thank you Craig. I updated the social security code to handle redirect, so SEC-2102 is not needed.

    Have a nice holiday!
    Yuan Ji
    www.jiwhiz.com - Passion for beautiful design

  9. #9
    Join Date
    Jan 2006
    Location
    Edmonton, Alberta, Canada
    Posts
    62

    Update to my Spring Social Security experience:

    http://www.jiwhiz.com/post/2013/1/Ad...to_Jiwhiz_Blog
    Yuan Ji
    www.jiwhiz.com - Passion for beautiful design

  10. #10
    Join Date
    Aug 2004
    Posts
    1,070

    Thanks for the writeup. Know that I'm still sorting through this, but I see an end to it soon. With any luck whatsoever (no promises), I hope to get most of the remaining issues cleared up this week and push an M2 release with the new security stuff in it by late this week or early next. I still have a few big challenges in the way, but I'm stubborn enough to get through them.
    Craig Walls
    Spring Social Project Lead
