
Thread: Open source project looking for advice/help for integrating with Spring Security

  1. #1

    Open source project looking for advice/help for integrating with Spring Security

    Hi,

    I've developed the Janrain4j open source library (janrain4j.googlecode.com).
    Now I'd like to provide integration classes for Spring Security.

    I've read the Spring Security docs and examples but I'm still looking for some good starting-point advice.

    First of all I will explain how the Janrain authentication works.
    Janrain allows users to log in with their social/OpenID providers like Facebook, Twitter, LinkedIn or a general OpenID URL. After authenticating, Janrain gives back user details like name, display name, preferred user names, email, friend list etc., depending on which provider you signed in with.
    Janrain4j is a Java implementation of the Janrain HTTP API.

    How does this work technically?

    1) On login pages I embed a widget / sign-in link which on click redirects to the Janrain site.
    2) Janrain takes care of the actual signing in, using a redirect to the chosen provider to sign in with. Nothing is happening inside our application for this.
    3) After signing in, Janrain redirects back to our application on a configurable URL, like www.myapp/token
    4) Janrain also passes a token request param which is needed to retrieve the user details. Retrieving the user details (and getting back a Java object) can be done with the Janrain4j library.
    5) When the user details are retrieved we can do what we want with them: store all data in our local database or pre-fill an account creation page.

    Now I'd like to provide Spring Security integration.
    I think I need the pre-authentication scenario but I'm a little bit stuck.

    Do I need:
    - JanrainAuthenticationFilter
    - JanrainAuthenticationProvider
    or is a JanrainAuthenticationFilter enough?
    And where should I retrieve the user details?

    What I'd like to offer is:
    - Pre-authentication
    - Something pluggable so users can decide upon sign-in what to do with the user data.

    Hope somebody can help.

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team

    Hi,

    Sounds like something along the lines of CAS or OpenID would be a good template. Pre-authentication is mainly directed at sites where the user is always authenticated by an external system before they access the app.

    You might also want to consider the possibility of "on-demand" authentication by writing an AuthenticationEntryPoint, so the user is sent off to authenticate when they try to access a protected resource. The GAE integration article I wrote a while back might also have some relevant content.
    Spring - by Pivotal
    twitter @tekul

  3. #3

    Thanks Luke,

    I had a look at both the OpenID and GAE implementations.

    One thing I don't understand is the difference between filter.attemptAuthentication and authenticationManager.authenticate.

    I've implemented a custom filter, but do I also need a custom provider?
    What could be the benefit of a provider?
    It seems in the filter I can do everything needed, or am I missing something fundamental?


    Cheers,
    Marcel

  4. #4
    Luke Taylor

    You can do everything in a filter if you want, but traditionally there has been a separation of the front end and back end parts of the authentication process.

    For example, a username/password form authentication could be handled by an LDAP, a JDBC or an RMI back end. The front end could be using Basic authentication instead of a form, or it could be submitted over RMI instead of HTTP.

    The exact details will depend on the authentication protocol and how additional user information is supplied as part of the process.
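The front-end/back-end split Luke describes, applied to the callback flow from the first post (the `/token` redirect carrying a `token` parameter), as an added example. This is not Janrain4j's code nor Spring Security's sample code; it targets the Spring Security 3.x API, and the `ProfileFetcher`, `ProfileMapper` and `JanrainProfile` types are assumed stand-ins for whatever Janrain4j call returns the user details. The filter only extracts the token and builds an unauthenticated `Authentication`; `AuthenticationManager.authenticate` routes it to the provider, which exchanges the token for the profile and calls the pluggable mapper that decides what the user becomes locally.

```java
import java.io.IOException;
import java.util.Collection;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/** Front end: runs on the Janrain callback URL and does nothing but extract the token. */
public class JanrainAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    public JanrainAuthenticationFilter() {
        super("/token"); // assumed: the callback URL configured at Janrain
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String token = request.getParameter("token");
        if (token == null || token.trim().length() == 0) {
            throw new BadCredentialsException("Janrain callback without token parameter");
        }
        // Hand an *unauthenticated* token to the AuthenticationManager; it selects the
        // provider whose supports() matches and returns the authenticated result.
        return getAuthenticationManager().authenticate(new JanrainAuthenticationToken(token));
    }
}

/** Carries the one-time token in, and the resolved identifier plus authorities out. */
class JanrainAuthenticationToken extends AbstractAuthenticationToken {
    private final String token;      // credential before authentication, null afterwards
    private final Object principal;  // null before authentication, user identifier afterwards

    JanrainAuthenticationToken(String token) {
        super(null);
        this.token = token;
        this.principal = null;
        setAuthenticated(false);
    }

    JanrainAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.token = null;           // the bearer token is consumed once and never kept in the session
        this.principal = principal;
        setAuthenticated(true);
    }

    public Object getCredentials() { return token; }
    public Object getPrincipal()   { return principal; }
}

/** Back end: exchanges the token for the profile and decides what the user becomes locally. */
class JanrainAuthenticationProvider implements AuthenticationProvider {

    /** Assumed minimal profile; a stand-in for the object Janrain4j returns, not its API. */
    static class JanrainProfile {
        final String identifier; final String displayName; final String email;
        JanrainProfile(String identifier, String displayName, String email) {
            this.identifier = identifier; this.displayName = displayName; this.email = email;
        }
    }
    /** Assumed wrapper around the Janrain4j user-details call; returns null for a rejected token. */
    interface ProfileFetcher { JanrainProfile fetch(String token); }
    /** The pluggable part: look up or create the local account and return its authorities. */
    interface ProfileMapper { Collection<? extends GrantedAuthority> map(JanrainProfile profile); }

    private final ProfileFetcher fetcher;
    private final ProfileMapper mapper;

    JanrainAuthenticationProvider(ProfileFetcher fetcher, ProfileMapper mapper) {
        this.fetcher = fetcher;
        this.mapper = mapper;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String token = (String) authentication.getCredentials();
        JanrainProfile profile = fetcher.fetch(token);
        if (profile == null) {
            throw new BadCredentialsException("Janrain did not accept the token");
        }
        Collection<? extends GrantedAuthority> authorities = mapper.map(profile);
        return new JanrainAuthenticationToken(profile.identifier, authorities);
    }

    public boolean supports(Class<?> authentication) {
        return JanrainAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Wiring: the filter needs its `authenticationManager` property set (the base class asserts it at startup) and goes into the chain with `<custom-filter position="FORM_LOGIN_FILTER" ref="janrainFilter"/>`; the provider is registered under `<authentication-manager>`. Because the `token` parameter is a bearer credential that arrives in the redirect, serve the callback URL over HTTPS only and keep it out of access logs; the authenticated token above deliberately drops it. Swapping the `ProfileMapper` (store everything, or just flag the user for the registration page) is the pluggable piece the first post asks for, and it can change without touching the filter.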

  5. #5

    Hi Luke,

    Another question related to the GAE example.

    After logging in with Google the application redirects to the register page.
    But the user is not forced to actually fill in this register form.

    Is there a way to solve this?

    E.g. that every time you go to a page which requires authentication, the register page is displayed?

  6. #6
    Luke Taylor

    The GAE app prevents the user from doing anything else until they have registered. If they choose to ignore the registration page and try to access the home page, they will get an access denied error.

    You can just redirect to the registration page every time if the user has the "new user" role.
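The "redirect every time if the user has the new-user role" approach from the reply above, as an added example that is not from the GAE article or the Janrain4j project. The role name `ROLE_NEW_USER` and the registration path are assumptions; the filter sits in the Spring Security 3.x chain, reads the current `Authentication` from the `SecurityContextHolder`, and sends anyone still carrying the role to the registration page, letting the registration page's own GET and POST through so the redirect cannot loop.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/**
 * Sends any authenticated user who still carries the "new user" role to the
 * registration page, whatever URL they asked for.
 */
public class RegistrationRequiredFilter extends GenericFilterBean {

    // Assumed names: the thread only says "new user role" and "registration page".
    private static final String NEW_USER_ROLE = "ROLE_NEW_USER";
    private final String registrationPath;

    public RegistrationRequiredFilter(String registrationPath) {
        this.registrationPath = registrationPath; // context-relative, e.g. "/register"
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.isAuthenticated() && hasRole(auth, NEW_USER_ROLE)
                && !isRegistrationRequest(request)) {
            // Redirect rather than forward so the browser's URL shows where the user is.
            response.sendRedirect(request.getContextPath() + registrationPath);
            return;
        }
        chain.doFilter(req, res);
    }

    // The registration page itself (GET form and POST submit) must pass, or the redirect loops.
    private boolean isRegistrationRequest(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path.equals(registrationPath);
    }

    static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

Add it with `<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="registrationRequiredFilter"/>` so it runs after the security context has been restored from the session. Two things to check in practice: when registration completes, replace the `Authentication` in the `SecurityContextHolder` with one whose authorities no longer include `ROLE_NEW_USER`, otherwise the user is redirected until their next login; and if static resources or the logout URL pass through this filter chain, exclude them the same way as the registration path.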
