This project provides support for creating a "Login with <insert name of social network here>" function in your Spring Framework application. It uses Scribe from fernandezpablo85 as its OAuth client library.
Download the sources and then run:

```
$ mvn install
```
Or import the repo:

```xml
<repository>
    <id>Plechi Security Scribe Repo</id>
    <url>https://raw.github.com/plechi/spring-security-scribe/mvn-repo/</url>
    <snapshots>
        <enabled>true</enabled>
        <updatePolicy>always</updatePolicy>
    </snapshots>
</repository>
```
Then include the dependency in your `pom.xml`:

```xml
<dependency>
    <groupId>at.plechinger.spring.security.scribe</groupId>
    <artifactId>spring-security-scribe</artifactId>
    <version>0.2-SNAPSHOT</version>
</dependency>
```
You might also need the dependency for Jackson. (If you use Spring Boot, it might already be on your classpath.)

```xml
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.4.4</version>
</dependency>
```
The library is not yet available in any public Maven repository.
Spring application context configuration:

```xml
<!-- URLs and patterns are relative to the application context and must start with "/" -->
<http access-denied-page="/error.jsp" use-expressions="true" entry-point-ref="authenticaionEntryPoint"
      xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/protected.jsp" access="isAuthenticated()" />
    <intercept-url pattern="/**" access="permitAll" />
    <logout logout-url="/logout" logout-success-url="/index.jsp"/>
    <custom-filter before="FORM_LOGIN_FILTER" ref="scribeAuthenticationFilter"/>
</http>

<authentication-manager alias="authenticationManager"
                        xmlns="http://www.springframework.org/schema/security">
    <authentication-provider ref="scribeAuthenticationProvider"/>
</authentication-manager>

<!-- Unauthenticated requests for protected resources are sent here -->
<bean id="authenticaionEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/index.jsp" />
</bean>

<bean id="scribeAuthenticationProvider"
      class="at.plechinger.spring.security.scribe.ScribeAuthenticationProvider">
    <property name="userDetailsService" ref="userService"/>
</bean>

<bean id="scribeAuthenticationFilter"
      class="at.plechinger.spring.security.scribe.ScribeAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler">
        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
            <property name="defaultTargetUrl" value="/protected.jsp" />
            <property name="alwaysUseDefaultTargetUrl" value="true" />
        </bean>
    </property>
    <property name="authenticationFailureHandler">
        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <property name="defaultFailureUrl" value="/error.jsp" />
        </bean>
    </property>
    <!-- The OAuth login flow starts at this URL -->
    <property name="filterProcessesUrl" value="/login"/>
    <property name="providerConfigurations">
        <list>
            <bean class="at.plechinger.spring.security.scribe.provider.FacebookProviderConfiguration">
                <!-- Placeholder credentials: use the values issued for your registered application -->
                <property name="apiKey" value="1234567890"/>
                <property name="apiSecret" value="ABCDEFGHIJKLMNOPQRSTUVWXYZ" />
            </bean>
        </list>
    </property>
</bean>
```
Now you can log in with Facebook by calling `/login` in your browser.
That's it. If the authentication was successful, you can get the user's credentials by retrieving the `Authentication` object from the `SecurityContext`:

```java
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
```

The `Authentication` object is of type `ScribeAuthentication`.

The username you retrieve would be `oauth_facebook_<facebook uid>`.
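The configuration above references a `userService` bean that this page does not define. A sketch of one follows, as an added example that is not part of the project's code. It assumes Spring Security 3.1 or later and that `ScribeAuthenticationProvider` passes the prefixed username (such as `oauth_facebook_<uid>`) to `loadUserByUsername`; the class name `OAuthUserService`, the `link` method, the numeric-uid pattern and the in-memory map are hypothetical.

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical implementation; register it as the "userService" bean.
public class OAuthUserService implements UserDetailsService {

    // Assumption: only the two built-in prefixes are in use and provider uids are numeric.
    // Anything else is rejected before it reaches the account lookup.
    private static final Pattern OAUTH_NAME = Pattern.compile("oauth_(facebook|twitter)_[0-9]{1,32}");

    // Stand-in for a real user table: OAuth username -> role granted locally.
    private final Map<String, String> linkedAccounts = new ConcurrentHashMap<String, String>();

    // Links an OAuth identity to a local role (for example during registration).
    public void link(String oauthUsername, String role) {
        if (oauthUsername == null || !OAUTH_NAME.matcher(oauthUsername).matches()) {
            throw new IllegalArgumentException("Not a recognised OAuth username");
        }
        linkedAccounts.put(oauthUsername, role);
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Validate the shape first so unexpected input never reaches a lookup or a query.
        if (username == null || !OAUTH_NAME.matcher(username).matches()) {
            throw new UsernameNotFoundException("Not a recognised OAuth username");
        }
        String role = linkedAccounts.get(username);
        if (role == null) {
            // A successful OAuth login alone grants nothing: the identity must be linked first.
            throw new UsernameNotFoundException("No local account is linked to this identity");
        }
        // There is no local password; the provider has already authenticated the user.
        return new User(username, "N/A",
                Collections.singletonList(new SimpleGrantedAuthority(role)));
    }
}
```

Authorities come only from the local mapping, so a user who authenticates at the provider but has no linked account is refused rather than given a default role.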
### Facebook and Twitter ###

This library comes with two built-in configurations, for Facebook and Twitter. You can use them just by setting the OAuth API key and the application secret you get when you register your applications:

Facebook:

```xml
<bean class="at.plechinger.spring.security.scribe.provider.FacebookProviderConfiguration">
    <property name="apiKey" value="1234567890"/>
    <property name="apiSecret" value="ABCDEFGHIJKLMNOPQRSTUVWXYZ" />
</bean>
```

Twitter:

```xml
<bean class="at.plechinger.spring.security.scribe.provider.TwitterProviderConfiguration">
    <property name="apiKey" value="1234567890"/>
    <property name="apiSecret" value="ABCDEFGHIJKLMNOPQRSTUVWXYZ" />
</bean>
```
You can easily use every OAuth provider Scribe supports (full list here) by configuring the following (same as the Twitter example above):

```xml
<bean class="at.plechinger.spring.security.scribe.provider.CustomizableProviderConfiguration">
    <property name="apiKey" value="1234567890"/>
    <property name="apiSecret" value="ABCDEFGHIJKLMNOPQRSTUVWXYZ" />
    <!--username prefix-->
    <property name="usernamePrefix" value="oauth_twitter_"/>
    <!--Scribe API Class-->
    <property name="apiClass" value="org.scribe.builder.api.TwitterApi" />
    <!--parameter to get the verify code from the callback url-->
    <property name="verifyParameter" value="oauth_verifier"/>
    <!--following lines are used to determine the User's uid at Twitter:-->
    <!--REST-API-URL to retrieve user details-->
    <property name="userDetailsUrl" value="https://api.twitter.com/1.1/account/verify_credentials.json" />
    <!--JSON-Key of the uid in the result of the REST-Call above-->
    <property name="userIdToken" value="id"/>
</bean>
```
There are still many things to do:
- fix annotation based sample project
- better documentation (especially javadoc)
- more implementations of configurations
I actually have very small resources left to maintain the project, but I'm very optimistic to work on it from time to time. There is also a productive environment which uses this library, so critical issues will be fixed very fast.
Email me: lukasplechinger at gmail.com