Thread: OK, got the signin - signup with Twitter and Facebook working, but still not right

  1. #1
    Join Date
    Jan 2009
    Location
    Huntington Beach, CA
    Posts
    718

    OK, I think what is happening is that they login with Facebook or Twitter and since they aren't a user yet in our application, they get directed to our registration page where they can enter a password and other information for our application. They save, and like perfection, they are also now logged in to our application. However, they don't seem to have the Roles that I added to the UserDetails object. And therefore some things that should show on the page aren't because of using <security> taglib. And it has things like <security:authorize access="hasRole('Player')">

    Which, since they aren't getting their role, isn't showing. My code for the post of signup has

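    Code:
    if (accountSecurity != null) {
        // UserRole's no-arg constructor defaults the role to "Player"
        accountSecurity.addRole(new UserRole());
        accountSecurity.setLastModified(new Date());
        // Persist the account together with its new role
        accountService.save(accountSecurity);
        // The two lines copied from the showcase: sign in, then finish the provider sign-up
        SpringSecuritySignInAdapter.signin(accountSecurity.getUsername());
        ProviderSignInUtils.handlePostSignUp(accountSecurity.getUsername(), request);
        return "redirect:/";
    }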
    As you can see in the code I add a UserRole, which by default is set to "Player" in its no-arg constructor. Then I save it to the database. I then run two lines I copied from the showcase and redirect back to our home page.

    I think the adapter isn't really signing in to Spring Security as it would if the user logged in through the login page and j_spring_security_check happens. I am guessing the adapter signin method is making a fake Authentication object. So I think that might need to change.

    Also, TextEncryptor. In the showcase it has noOpt, which can't be used in production, but I can't find anywhere in the Spring Social doc that explains how or what to use in production. Mostly how to get it set up and working. I know it comes from Spring Security, but I think the Spring Social docs need to either link to an explanation (since I found out a textEncryptor bean is mandatory in Spring Social configuration; if I leave it out it shows errors) or explain it in the docs.

    The sample showcase is great, but there aren't any docs explaining what is what so it is a matter of guessing what is unique to that application versus all applications that would use Spring Social.

    Thanks

    Mark

  2. #2
    Join Date
    Aug 2004
    Posts
    1,067

    You're right in saying that the adapter is responsible for handling the *full* signin of the user with Spring Security. The reason that the adapter exists is to allow Spring Social to work with *any* security mechanism, whether it's Spring Security or not. But a consequence of that is that the adapter has full responsibility for handling that. For the showcase sample, I'm only showing the minimal needed to get the user signed in. To handle other factors (roles, remember-me, etc), you'll need to beef it up some more.

    But alternatively, that's why the new SocialAuthenticationFilter was created. Rather than be security framework agnostic, SocialAuthenticationFilter is designed from the ground up to work with Spring Security. In fact, it plugs into Spring Security's filter chain just like any other authentication filter. The benefit with that is that it does everything a regular authentication filter would do, including handling the roles you need.

    As for the TextEncryptor, have you even looked at the JavaDoc for the Encryptors class (http://static.springsource.org/sprin...ncryptors.html)? It offers more than no-op encryption through other static members. You could also bypass the Encryptors class and write your own implementation of TextEncryptor or BytesEncryptor if none of the ones out of the box suit your needs. But as you pointed out, that's a Spring Security question.

    Again, the showcase is *just* a sample of Spring Social's capabilities and not intended to showcase other parts of the Spring portfolio. As such, I chose the no-op there as a simple, easy to debug encryptor and didn't bother explaining the Encryptors class or any other part of the Spring portfolio.
    Last edited by habuma; Feb 8th, 2013 at 09:23 AM.
    Craig Walls
    Spring Social Project Lead

  3. #3
    Join Date
    Jan 2009
    Location
    Huntington Beach, CA
    Posts
    718

    Thanks. Yes, I did know all the other stuff in the Encryptors class, and was using text() and then queryableText(), and it would give errors because it uses 256 bit AES encryption, which then requires downloading other files and installing them on all machines that this would be running on. I do like the idea of writing my own implementation.

    (edit: never mind, found the filter and auth provider bean configuration)

    Thanks

    Mark
    Last edited by bytor99999; Feb 8th, 2013 at 09:37 AM. Reason: remove
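
An added example, not part of the thread and not Spring's own code: one way to write the custom TextEncryptor discussed above, using AES-GCM with a 128-bit key so that it does not depend on the unlimited-strength policy files mentioned in the post. The class name, the PBKDF2 iteration count and the output layout are assumptions; the password and salt are expected to come from deployment configuration, not source code.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.crypto.encrypt.TextEncryptor;

/** Hypothetical class: AES-128-GCM, output is Base64(iv || ciphertext || tag). */
public class Aes128GcmTextEncryptor implements TextEncryptor {
    private static final int IV_BYTES = 12, TAG_BITS = 128, KEY_BITS = 128;
    private final SecureRandom random = new SecureRandom();
    private final SecretKeySpec key;

    public Aes128GcmTextEncryptor(char[] password, byte[] salt) throws GeneralSecurityException {
        // Assumed iteration count; password and salt are supplied by deployment configuration.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        this.key = new SecretKeySpec(raw, "AES");
    }

    @Override
    public String encrypt(String text) {
        try {
            byte[] iv = new byte[IV_BYTES];
            random.nextBytes(iv); // fresh IV per value: a GCM IV must never repeat under one key
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] sealed = cipher.doFinal(text.getBytes(StandardCharsets.UTF_8));
            byte[] out = ByteBuffer.allocate(iv.length + sealed.length).put(iv).put(sealed).array();
            return Base64.getEncoder().encodeToString(out);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Encryption failed", e);
        }
    }

    @Override
    public String decrypt(String encryptedText) {
        try {
            byte[] in = Base64.getDecoder().decode(encryptedText);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            byte[] plain = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES); // verifies the tag
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Decryption or tag check failed", e);
        }
    }
}
```

Because every value gets a random IV, equal plaintexts encrypt to different ciphertexts, so this stands in for text() but not for queryableText().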

  4. #4
    Join Date
    Jan 2009
    Location
    Huntington Beach, CA
    Posts
    718

    Sorry to ask this. But I see the beans here in the config SocialSecurityConfig. Which are mandatory, which are app specific? I understand this is new and because of it there is no documentation on it and what things mean, so that we can use it correctly in our applications.

    So my questions on this

    1) setFilterProcessesUrl("/auth");
    What does that do? Is it required, is it something I then have to write code to that URL mapping? Although I do see in my intercept urls in my Security config that I have an "/auth" mapping, but not in any code. (I don't even remember typing that. Must have been a copy paste)

    2) UserIdExtractor userIdExtractor()
    Is this the same/part as what SpringSecurityAuthenticationNameUserIdSource was doing? And a replacement for it?

    3) Simple Core questions. Does @Bean on a method with a parameter mean that that parameter gets Autowired too? Actually didn't know that.

    Thanks again for your time. I know I am asking basic stupid questions. But sometimes I am really slow.

    Mark

  5. #5
    Join Date
    Aug 2004
    Posts
    1,067

    1. That is the base URL that the SocialAuthenticationFilter will trigger on. That is, any request whose path starts with "/auth" will cause SocialAuthenticationFilter to jump into action. (For example going to /auth/facebook will trigger SocialAuthenticationFilter to kick off sign in with Facebook.) That parameter defaults to "/auth", so setting it explicitly isn't required.

    2. UserIdExtractor no longer exists. In the latest code, it has been merged with UserIdSource (from the configuration stuff) and moved to the org.springframework.social package. It is now used for both security and configuration purposes. Note that the choice for putting it in org.springframework.social was arbitrary and that I'm considering another move to a different (and probably new) package. Just be aware of that in case it breaks in some future build.

    3. Yes. Parameters to @Bean methods will be autowired into that method.
    Craig Walls
    Spring Social Project Lead

  6. #6
    Join Date
    Jan 2009
    Location
    Huntington Beach, CA
    Posts
    718

    Thanks.

    One last question, I promise.

    How to get the Spring Social Security classes. Is there an M1 version out there? I won't be able to get snapshots. I am not allowed. Although I made that rule for our company, so it would be very odd if I broke my own rules, then no one would follow my rules again.

    Anyway, if there isn't an M1 version out there, then I can always fork like Yuan did.

    Mark

  7. #7
    Join Date
    Aug 2004
    Posts
    1,067

    It's not in 1.1.0.M1, but is to be part of 1.1.0.M2. I expect to cut that release early next week. (I was going to cut it this week but decided to give it a bit more time to gel and give some other team members opportunity to review it.)
    Craig Walls
    Spring Social Project Lead
