Documentation for Spring Social Security 1.1.0 M2

[scottland]

Is there any documentation or sample apps that use the new Spring Security integration?

What benefits does this new module provide to an app that already is using Spring Social + Spring Security?

[habuma]

I'm holding off on writing any documentation on the new stuff because I want to let it settle and be sure that what I'm writing about is what will be in the GA release. (In other words, I don't want to revisit the docs if I end up changing something prior to cutting the GA release.)

But there are two examples that show how it is used: At https://github.com/SpringSource/spring-social-samples they are the two spring-social-showcase examples that have "sec" in their name.

This new module offers essentially the same functionality as the existing ProviderSignInController, except that it's more integrated with Spring Security. ProviderSignInController, by design, is flexible with regard to security mechanism and lets you plug in whatever security mechanism you want (including Spring Security). But that leaves it entirely up to you to write a fully-fleshed out Spring Security-aware signin adapter.

This new module, on the other hand, is centered around SocialAuthenticationFilter, a filter that plugs directly into Spring Security's filter chain just like Spring Security's other authentication filters. As a consequence, it is a better fit for apps secured with Spring Security.

In short: SocialAuthenticationFilter is the best choice when an app is using Spring Security and ProviderSignInController is the best choice when the app is not using Spring Security.

[petersaints]

But SocialAuthenticationFilter can also be used to do sign up in case the user hasn't connected the account yet? Just like described in http://static.springsource.org/sprin...#signin_signup for ProviderSignInController? It seems that the filter will only work well for accounts already connected to a previously registered Spring Security user. Is there any way to catch the authentication failure and try to leverage the information collected from the social network to do implicit (or at least assisted) sign up?

[habuma]

Yes, it will behave very similarly to ProviderSignInController. Again, if you look at those samples I mentioned, you'll find that ProviderSignInController is no longer in use, but the app behaves the same as before. That is, if the connection already exists, the user will be signed in--if no matching connection exists, then the user will be directed to the signup page, after which the signup code can complete the connection via ProviderSignInUtils.