
spring-social-security by socialsignin

Delegating the authentication and security of your application to Spring Social

Many applications using Spring Security for authentication will need to:

For applications which already use spring-social to connect with external authenticated APIs (e.g. Facebook, Twitter), SocialSignIn’s spring-social-security module removes these authentication concerns by delegating authentication in Spring Security, via spring-social, to the third-party API. Authenticating your website users via spring-social API providers means:

Install

Build and install locally using mvn install

Add spring-social-security as a dependency for your webapp

For a simple "Hello World" app demonstrating spring-social-security see: https://github.com/socialsignin/spring-social-security-demo

To delegate the authentication for your app to Spring-Social, a number of spring beans must be set up.

To use the default beans/implementations/configuration, simply component scan:

<context:component-scan base-package="org.socialsignin.springframework.social.security" />

and register springSocialSecurityAuthenticationFilter as a custom filter in place of FORM_LOGIN_FILTER.

<security:custom-filter position="FORM_LOGIN_FILTER" ref="springSocialSecurityAuthenticationFilter" />

Also configure the entry point for your app's authentication to be the page from which users can log in/connect with a Spring-Social provider (usually a page with a form that submits to ProviderSignInController or ConnectController). Then configure an environment property (socialsignin.signUpView) naming the page where a user can choose a username when creating an account; that page posts a "userId" to the URL "/signup" (handled by SpringSocialSecuritySignUpController).

For example:

<bean id="springSocialSecurityEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/oauthlogin.jsp"/>
</bean>

<security:http use-expressions="true" entry-point-ref="springSocialSecurityEntryPoint" ....
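The pieces above combined into one security context file, with access rules that keep the login and sign-up endpoints reachable before authentication. This is an added example, not the project's own configuration. Assumptions: the intercept-url patterns and the isAuthenticated() rule are illustrative choices ("/signin/**" is Spring Social's default ProviderSignInController mapping), and the authentication manager and Spring Social connection beans are defined in another context file of the same application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: illustrative security context, not shipped with spring-social-security. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Registers the module's default beans, including
       springSocialSecurityAuthenticationFilter. -->
  <context:component-scan
      base-package="org.socialsignin.springframework.social.security" />

  <!-- Unauthenticated requests to protected URLs are redirected to the
       provider login page. -->
  <bean id="springSocialSecurityEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/oauthlogin.jsp" />
  </bean>

  <security:http use-expressions="true"
                 entry-point-ref="springSocialSecurityEntryPoint">
    <!-- Rules are evaluated top to bottom and the first match wins, so the
         anonymous exceptions must come before the catch-all. Assumed paths:
         adjust them to your own controller mappings. -->
    <security:intercept-url pattern="/oauthlogin.jsp" access="permitAll" />
    <security:intercept-url pattern="/signin/**" access="permitAll" />
    <!-- The user has no account yet when posting "userId" to /signup. If the
         page named by socialsignin.signUpView is requested directly, permit
         it here as well. -->
    <security:intercept-url pattern="/signup" access="permitAll" />
    <!-- Everything else requires a user authenticated through a provider. -->
    <security:intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- Replaces the username/password form-login filter. -->
    <security:custom-filter position="FORM_LOGIN_FILTER"
                            ref="springSocialSecurityAuthenticationFilter" />
  </security:http>
</beans>
```

If the entry-point page or the sign-in endpoints fall under the catch-all rule, unauthenticated users are redirected to the login page in a loop, so check the rule order whenever a URL is added.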

As an alternative to component-scanning for the default implementations, you have the option to register your own beans/provide custom implementations.

The classes which are registered as beans by default through component-scanning are:

Authors

Michael Lavelle (michael@lavelle.name)

Contact

(michael@lavelle.name)

Download

You can download this project in either zip or tar formats.

You can also clone the project with Git by running:

$ git clone git://github.com/socialsignin/spring-social-security