Hot questions for Spring Social

Top 10 Java Open Source / Spring / Spring Social

Question:

In a Spring Boot application, I have an OAuth2 Authorization/Resource servers. Based on this and Spring Security, I have secured my Spring MVC REST API endpoints.

In addition to this, I'd like to add authentication to my REST endpoints based on 3rd party OAuth providers like Twitter, Facebook, Google.

In my application I have two entities - User and SocialUser. SocialUser represents user profile in social networks. User can have 0-* associated SocialUsers. Right now I can authenticate a user in Twitter and after that I'm creating two records in my database - User and SocialUser. SocialUser contains access/refresh tokens issued by Twitter and some other profile information from this social network.

Right now I don't know how to link this User created from social network with my existing authentication\authorization flow. For this user I'd like to create my own(by my own OAuth2 authorization server) accessToken and provide it to the client.

Also, this user doesn't have username, password and email in his User entity. And also I don't know how to manually create my own access Token and send it to the client for future API calls.

I found some example:

@Inject
private TokenEndpoint tokenEndpoint;

public String createAccessToken(User user) {
    HashMap<String, String> parameters = new HashMap<String, String>();
    parameters.put("client_id", "appid");
    parameters.put("client_secret", "myOAuthSecret");
    parameters.put("grant_type", "password");
    parameters.put("password", user.getPassword());
    parameters.put("scope", "read write");
    parameters.put("username", user.getUsername());

    // principal ??
    return tokenEndpoint.getAccessToken(principal, parameters);
}

but I don't know how to create Principal based on my User entity and also I'm not sure that this is a correct way to go.

So, the main question is - how to manually generate this new token through my own OAuth server for this new user?

Please advise me how can it be correctly implemented. Thanks.

UPDATED:

I have added ProviderSignInController to my application and able right now to perform full OAuth dance with Twitter. Also, I have implemented my own Neo4jConnectionRepository and Neo4jUsersConnectionRepository because I use Neo4j as a primary database.

@Bean
public ProviderSignInController providerSignInController() {
    return new ProviderSignInController(socialAuthenticationServiceLocator, usersConnectionRepository, new SignInAdapter() {

        @Override
        public String signIn(String userId, Connection<?> connection, NativeWebRequest request) {
            System.out.println("User ID: " + userId + " social display name: " + connection.getDisplayName());
            return null;
        }
    });
}

So far, everything works good.

The one question is - how to authenticate/authorize User through my own OAuth2 Authorization server in the SignInAdapter.signIn method ?

I think I need to create OAuth2Authentication object for this user and put it into Security context.. Am I right ? If so, could you please show me an example how can this be implemented ?


Answer:

So what you want to achieve is : when clients redirect users to your authorization server (authorization code or implicit grant) in order to obtain a token, the user can log-in using his favorite social network.

If I understand correctly, you have rolled your own implementation of single sign on (SSO) with Twitter (ProviderSignInController), and now you're left wondering how to generate a token when Twitter responds "OK".

I think you took the problem by the wrong end : Instead of building your Twitter client and generating a token programmatically, the idea is to integrate social SSO inside the flow of spring-security-oauth2, which in reality is how to integrate social SSO in Spring Security.

In the end, it's about how your authorization server secures the AuthorizationEndpoint : /oauth/authorize. Since your authorization server works, you already have a configuration class extending WebSecurityConfigurerAdapter that handles the security for /oauth/authorize with formLogin. That's where you need to integrate social stuff.

Instead of using the Spring Security built-in form authentication mechanism, you will have to plug-in your own security that either allows the user to login with a form, or starts SSO with other providers. Spring Security is made of a bunch of abstractions, but it really just comes down to populating the SecurityContext with an Authentication object for each request.

Once the authentication process is complete, the user will continue to /oauth/authorize, consent to the client accessing some scopes, and the token will be delivered as it's usually done, without you having to generate tokens programmatically.

I have done that using SAML (Spring Security SAML extension), but in your case you should dig in the Spring Social projects, which seem to support all the major social networks out of the box. The good news is that you already have a bunch of tools available, the "bad news" is that you will have to understand how they work to a certain degree in order to plug them together.

Question:

OK so I've been pulling my hair for ages now (at least so it seems!) trying to figure out what i'm doing wrong: I have a Java project in which I want to allow users who log in (via normal Spring-Security JDBC enabled repository) to grant access to their Twitter account to my application. I have registered an app with Twitter etc and have secret and access keys and everything else required to test, however, despite all the docco's read and all the configurations tried, even though my spring config creates a ConnectController, whenever I hit the /connect/twitter I get a 404 (not found) though there is absolutely no error generated during the context coming up in Tomcat and everything else works fine (i.e all my beans get instantianted and all the views / controllers work etc).

To my understanding -- though I do struggle with the Spring Social docco, even more so as a few of the examples shown only work on specific versions! -- simply instantiating this controller should take care of the rest -- but perhaps I'm wrong???

Here's what my config looks like -- yes it's a bit allover the place:

/WEB-INF/web.xml

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <display-name>legototies</display-name>
    <servlet>
        <servlet-name>legototies</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>legototies</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- allow robots.txt -->
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>*.txt</url-pattern>
    </servlet-mapping>

    <!-- allow favicon.ico -->
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>*.ico</url-pattern>
    </servlet-mapping>

    <!-- allow everything under /static/ -->
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/static/*</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/applicationContext.xml,
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <!-- Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

/WEB-INF/legototies-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">

    <context:component-scan base-package="com.lt" />

    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver" p:order="1">
        <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/WEB-INF/jsp/" />
        <property name="suffix" value=".jsp" />
    </bean>
    <bean id="tilesviewResolver" class="org.springframework.web.servlet.view.tiles2.TilesViewResolver" p:order="0"/>

    <bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles2.TilesConfigurer">
        <property name="definitions">
            <list>
                <value>/WEB-INF/tiles.xml</value>
            </list>
        </property>
    </bean>

</beans>

/WEB-INF/applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:task="http://www.springframework.org/schema/task"
    xmlns:twitter="http://www.springframework.org/schema/social/twitter"
    xmlns:social="http://www.springframework.org/schema/social"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
       http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
       http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.2.xsd
       http://www.springframework.org/schema/social/twitter http://www.springframework.org/schema/social/spring-social-twitter.xsd
       http://www.springframework.org/schema/social http://www.springframework.org/schema/social/spring-social-1.1.xsd">

    <!-- **** BEGIN: Config files **** -->
    <bean
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="locations">
            <list>
                <value>classpath*:config/*.properties</value>
            </list>
        </property>
        <property name="ignoreResourceNotFound" value="true" />
    </bean>
    <!-- **** END: Config files **** -->

    <context:component-scan base-package="com.lt" />


    <!-- **** BEGIN: Database **** -->
    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
        destroy-method="close">
        <property name="driverClassName" value="${database.driverClassName}" />
        <property name="url" value="${database.url}" />
        <property name="username" value="${database.username}" />
        <property name="password" value="${database.password}" />
        <property name="initialSize" value="${database.initial.size}" />
        <property name="maxActive" value="${database.max.active}" />
    </bean>
    <bean id="localJdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
        <constructor-arg>
            <ref bean="dataSource" />
        </constructor-arg>
    </bean>

    <bean id="txManager"
        class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
        <property name="dataSource" ref="dataSource" />
    </bean>

    <bean id="sessionFactory"
        class="org.springframework.orm.hibernate3.LocalSessionFactoryBean">
        <property name="configLocation">
            <value>classpath:hibernate.cfg.xml</value>
        </property>
    </bean>
    <!-- **** END: Database **** -->


    <bean id="messageAssembler" class="com.lt.message.MessageAssembler" />


    <!-- **** BEGIN: Scheduler **** -->
    <!-- Tasks -->
    <bean id="createTweetsScheduler" class="com.lt.scheduller.CreateTweetsScheduler">
        <constructor-arg index="0" ref="sessionFactory" />
        <constructor-arg index="1" ref="execSendTweet" />
        <constructor-arg index="2" ref="messageAssembler" />
    </bean>
    <bean id="bookScrapingNeededTask" class="com.lt.scheduller.BooksScrapingNeededCheckTask">
        <constructor-arg index="0" ref="sessionFactory" />
        <constructor-arg index="1" ref="execPageScraping" />
        <constructor-arg index="2" value="${shefari.htmlpath}" />
    </bean>

    <!-- Schedulers -->
    <task:executor id="execPageScraping" pool-size="${page.scrape.threadpool.size}" />
    <task:executor id="execSendTweet" pool-size="${broadcastTweets.threadpool.size}" />

    <task:scheduler id="mainScheduler" pool-size="${mainScheduler.size}" />
    <task:scheduled-tasks scheduler="mainScheduler">
        <task:scheduled ref="createTweetsScheduler" method="run"
            fixed-rate="${selectTweets.period.ms}" initial-delay="${selectTweets.initial.delay.ms}" />
        <task:scheduled ref="bookScrapingNeededTask" method="run"
            fixed-rate="${page.scrape.check.period.ms}" initial-delay="${page.scrape.check.initial.delay.ms}" />
    </task:scheduled-tasks>
    <!-- **** END: Scheduler **** -->


    <bean id="textEncryptor" class="org.springframework.security.crypto.encrypt.Encryptors"
        factory-method="noOpText" />
    <bean id="passwordEncoder"
        class="org.springframework.security.crypto.password.NoOpPasswordEncoder"
        factory-method="getInstance" />


    <!-- **** BEGIN: twitter/social **** -->
    <social:jdbc-connection-repository />
    <twitter:config app-id="${twitter.app.consumer.key}"
        app-secret="${twitter.app.consumer.secret}" />
    <bean id="userIdSource"
        class="org.springframework.social.security.AuthenticationNameUserIdSource" />
    <bean id="connectController"
        class="org.springframework.social.connect.web.ConnectController">
        <property name="connectInterceptors">
            <list>
                <bean class="com.lt.utils.TweetAfterConnectInterceptor">
                    <constructor-arg index="0" value="${twitter.app.connect.msg}" />
                </bean>
            </list>
        </property>
        <property name="applicationUrl" value="http://localhost:8080/" />
    </bean>
    <!-- **** END: twitter/social **** -->
</beans>

/WEB-INF/spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <global-method-security secured-annotations="enabled" />

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/static/**" access="permitAll" />
        <intercept-url pattern="/home" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"

           users-by-username-query="select username,password, enabled from users where username=?" 

           authorities-by-username-query="select u.username, ur.authority from users u, user_roles ur 
              where u.id = ur.user_id and u.username =?  " 

            />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

I'm not including here /WEB-INF/tiles.xml as I don't think it's relevant -- it just defines some basic templates.

Lastly, this is the project pom.xml -- please note that I'm using the latest spring social milestone (M4):

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>liviutudor</groupId>
    <artifactId>legototies</artifactId>
    <packaging>war</packaging>
    <version>1.0.0-SNAPSHOT</version>
    <name>legototies</name>
    <inceptionYear>2013</inceptionYear>
    <description>This is "lego toties"</description>
    <url>http://legototies.com</url>
    <developers>
        <developer>
            <name>Liviu Tudor</name>
            <id>liviut</id>
            <email>me at liviutudor.com</email>
        </developer>
    </developers>
    <repositories>
        <repository>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
            <id>central</id>
            <name>Maven Repository Switchboard</name>
            <url>http://repo1.maven.org/maven2</url>
        </repository>
        <repository>
            <id>spring-snapshots</id>
            <name>Spring Snapshots</name>
            <url>http://repo.spring.io/snapshot</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
        <repository>
            <id>spring-milestones</id>
            <name>Spring Milestones</name>
            <url>http://repo.spring.io/milestone</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>

    <properties>
        <project.build.jdkVersion>1.6</project.build.jdkVersion>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

        <hibernate.version>3.6.10.Final</hibernate.version>
        <jsoup.version>1.7.2</jsoup.version>
        <junit.version>4.10</junit.version>
        <spring.version>3.2.3.RELEASE</spring.version>
        <spring.social.version>1.1.0.M4</spring.social.version>
        <spring.security.version>3.1.4.RELEASE</spring.security.version>
        <tiles.version>2.2.2</tiles.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
        </dependency>

        <!-- Spring -->
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-core</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-aop</artifactId>
            <version>${spring.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>commons-logging</groupId>
                    <artifactId>commons-logging</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-jdbc</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-orm</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-web</artifactId>
            <version>${spring.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>${spring.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>commons-logging</groupId>
                    <artifactId>commons-logging</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context</artifactId>
            <version>${spring.version}</version>
        </dependency>

        <!-- Spring security -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency> <!-- needed by spring social twitter -->
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-crypto</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <!-- Spring Social -->
        <dependency>
            <groupId>org.springframework.social</groupId>
            <artifactId>spring-social-twitter</artifactId>
            <version>${spring.social.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.social</groupId>
            <artifactId>spring-social-web</artifactId>
            <version>${spring.social.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.social</groupId>
            <artifactId>spring-social-security</artifactId>
            <version>${spring.social.version}</version>
        </dependency>

        <!-- Hibernate -->
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-core</artifactId>
            <version>${hibernate.version}</version>
        </dependency>
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-entitymanager</artifactId>
            <version>${hibernate.version}</version>
        </dependency>
        <dependency>
            <groupId>org.hibernate.javax.persistence</groupId>
            <artifactId>hibernate-jpa-2.0-api</artifactId>
            <version>1.0.0.Final</version>
        </dependency>
        <!-- this is needed for hibernate -->
        <dependency>
            <groupId>javassist</groupId>
            <artifactId>javassist</artifactId>
            <version>3.12.0.GA</version>
        </dependency>

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.0.5</version>
        </dependency>

        <dependency>
            <groupId>commons-dbcp</groupId>
            <artifactId>commons-dbcp</artifactId>
            <version>1.4</version>
        </dependency>

        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
            <version>3.1</version>
        </dependency>

        <dependency>
            <groupId>org.jsoup</groupId>
            <artifactId>jsoup</artifactId>
            <version>${jsoup.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.tiles</groupId>
            <artifactId>tiles-extras</artifactId>
            <version>${tiles.version}</version>
        </dependency>

        <!-- Test dependencies -->
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>${junit.version}</version>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-test</artifactId>
            <version>${spring.version}</version>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <finalName>legototies</finalName>
        <defaultGoal>install</defaultGoal>
        <resources>
            <resource>
                <filtering>false</filtering>
                <directory>src/main/java</directory>
                <includes>
                    <include>**/*.properties</include>
                    <include>**/*.xml</include>
                </includes>
            </resource>
            <resource>
                <filtering>false</filtering>
                <directory>src/main/resources</directory>
                <includes>
                    <include>**/*.properties</include>
                    <include>**/*.xml</include>
                </includes>
            </resource>
        </resources>
        <plugins>
            <plugin>
                <artifactId>maven-compiler-plugin</artifactId>
                <configuration>
                    <source>${project.build.jdkVersion}</source>
                    <target>${project.build.jdkVersion}</target>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
                <configuration>
                    <encoding>${project.build.sourceEncoding}</encoding>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>

As I said everything works just fine, however, given the above, even though there is a ConnectController defined, the /connect/twitter (or any other /connect/... URL) returns 404 not found. What am I missing?

Update: Logging segment regarding the connect controller

5148 [main] INFO org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Mapped "{[/connect/{providerId}],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.connect(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
5148 [main] INFO org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Mapped "{[/connect/{providerId}],methods=[DELETE],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.removeConnections(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
5148 [main] INFO org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Mapped "{[/connect/{providerId}/{providerUserId}],methods=[DELETE],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.removeConnection(java.lang.String,java.lang.String,org.springframework.web.context.request.NativeWebRequest)
5149 [main] INFO org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Mapped "{[/connect/{providerId}],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String org.springframework.social.connect.web.ConnectController.connectionStatus(java.lang.String,org.springframework.web.context.request.NativeWebRequest,org.springframework.ui.Model)
5150 [main] INFO org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Mapped "{[/connect],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String org.springframework.social.connect.web.ConnectController.connectionStatus(org.springframework.web.context.request.NativeWebRequest,org.springframework.ui.Model)
5150 [main] INFO org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Mapped "{[/connect/{providerId}],methods=[GET],params=[oauth_token],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.oauth1Callback(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
5151 [main] INFO org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Mapped "{[/connect/{providerId}],methods=[GET],params=[code],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.oauth2Callback(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
5152 [main] INFO org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Mapped "{[/connect/{providerId}],methods=[GET],params=[error],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.oauth2ErrorCallback(java.lang.String,java.lang.String,java.lang.String,java.lang.String,org.springframework.web.context.request.NativeWebRequest)

Answer:

Your ConnectController is in the wrong configuration file. You should move it to the legototies-servlet.xml.

The used HandlerMapping implementations only detect (@)Controller beans in the local context (the one loaded by the DispatcherServlet) NOT in the parent context (loaded by the ContextLoaderListener). So your ConnectController is configured but isn't doing anything because it isn't detected.

There is also another problem with your configuration, you are loading all the beans twice. This is due to the way you have configured component scanning. In both configuration files there is a <context:component-scan base-package="com.lt" /> which basically duplicates all beans. In general you should configure the DispatcherServlet to load only @Controllers and the ContextLoaderListener to load everything BUT @Controllers.

<context:component-scan base-package="com.lt">
    <context:exclude-filter type="annotation" value="org.springframework.stereotype.Controller" />
</context:component-scan>

and for the DispatcherServlet

<context:component-scan base-package="com.lt" use-default-filters="false">
    <context:include-filter type="annotation" value="org.springframework.stereotype.Controller" />
</context:component-scan>

And at first glance you also have an error in your database configuration. You are using hibernate but have configured a DataSourceTransactionManager whereas you should configure a HibernateTransactionManager. The latter is perfectly capable of controlling plain JDBC transactions.

Question:

I am trying to use spring social for my REST services and my mobile app.

I wonder what the best approach is.

I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.

My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.

On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.

As far as I understood mobile requires a different oauth flow than described in https://spring.io/guides/tutorials/spring-boot-oauth2/

Seems like it required the "Proof Key for Code Exchange" flow as stated in: https://auth0.com/docs/api-auth/grant/authorization-code-pkce

Is this correct? I didn't find any information how to best do this with spring social and if spring social supports this use case.

Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!


Answer:

One possible way would be

  1. The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
  2. The mobile app passes it to the backend service, which uses it to retrieve user details (e.g email) from the oauth service.
  3. The backend service could do additional work about the user details (for example, link with existing users).
  4. The backend service returns a JWT token to the mobile app, which ends the SSO.

The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).

The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.

The flow is summarized in the following drawing:

======== Edited:

We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.

Discussion is welcomed.

Question:

I am trying to use Spring Social on my application and I noticed while debugging that the original 'OAuth2' state parameter is always null on my app.

See Spring Social source code for org.springframework.social.connect.web.ConnectSupport below:

private void verifyStateParameter(NativeWebRequest request) {
    String state = request.getParameter("state");
    String originalState = extractCachedOAuth2State(request);//Always null...
    if (state == null || !state.equals(originalState)) {
        throw new IllegalStateException("The OAuth2 'state' parameter is missing or doesn't match.");
    }
}

private String extractCachedOAuth2State(WebRequest request) {
    String state = (String) sessionStrategy.getAttribute(request, OAUTH2_STATE_ATTRIBUTE);
    sessionStrategy.removeAttribute(request, OAUTH2_STATE_ATTRIBUTE);
    return state;       
}

Can anyone please help?

edit: I do see the state parameter being passed back by facebook:

Request URL:https://www.facebook.com/v2.5/dialog/oauth?client_id=414113641982912&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fconnect%2Ffacebook&scope=public_profile&state=0b7a97b5-b8d1-4f97-9b60-e3242c9c7eb9
Request Method:GET
Status Code:302 
Remote Address:179.60.192.36:443

edit 2: By the way, the exception I get is the following:

Exception while handling OAuth2 callback (The OAuth2 'state' parameter is missing or doesn't match.). Redirecting to facebook connection status page.

Answer:

It turned out that the issue was caused by the fact that I was relying on headers - as opposed to cookies - to manage the session.

By commenting out the following spring session configuration bean:

@Bean
public HttpSessionStrategy sessionStrategy(){
    return new HeaderHttpSessionStrategy();
}

The oauth2 state parameter issue was sorted.

P.S. Now I have got to find a way to get Spring Social to work with my current configuration of Spring Session...

Edit: I managed to keep the HeaderHttpSessionStrategy (on the spring session side) and get it to work by implementing my own SessionStrategy (on the spring social side) as follows:

public class CustomSessionStrategy implements SessionStrategy {

    public void setAttribute(RequestAttributes request, String name, Object value) {
        request.setAttribute(name, value, RequestAttributes.SCOPE_SESSION);
    }

    public Object getAttribute(RequestAttributes request, String name) {
        ServletWebRequest servletWebRequest = (ServletWebRequest) request;
        return servletWebRequest.getParameter(name);
    }

    public void removeAttribute(RequestAttributes request, String name) {
        request.removeAttribute(name, RequestAttributes.SCOPE_SESSION);
    }
}

Question:

I am new to spring-social framework and trying to implement the login functionality for my portal using spring-social. I read the documentation but i am still a little confused. Both controllers are used to establish a connection with the service provider? Is there any advantage of using ProviderSigninController over ConnectController or vice versa? What are the advantages?


Answer:

The difference is in the results:

  1. After using ConnectController you will have an OAuth2 access token to interact with a provider on behalf of a user.
  2. After using ProviderSigninController you will have the same things + user will be signed into your application using local account (linked to OAuth credentials). If corresponding local account does not exists before this step then it may be created too.

So for example if you want 'Sign in with Twitter' button then ProviderSigninController better fit your needs.

Question:

In my Spring Boot application with RESTful webservices I have configured Spring Security together with Spring Social and SpringSocialConfigurer.

Right now I have two ways of authentication/authorization - via username/password and via social networks for example like Twitter.

In order to implement authentication/authorization via my own RESTful endpoint in my Spring MVC REST controller I have added following method:

@RequestMapping(value = "/login", method = RequestMethod.POST)
public Authentication login(@RequestBody LoginUserRequest userRequest) {
    Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(userRequest.getUsername(), userRequest.getPassword()));
    boolean isAuthenticated = isAuthenticated(authentication);
    if (isAuthenticated) {
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }
    return authentication;
}

private boolean isAuthenticated(Authentication authentication) {
    return authentication != null && !(authentication instanceof AnonymousAuthenticationToken) && authentication.isAuthenticated();
}

but I'm not sure what exactly must be returned to client after successfull /login endpoint call. I think returning of full authentication object is redundant.

What should be returned to client in case of successfull authentication ?

Could you please tell me how to correctly implement this login method ?

Also, in case of RESTfull login I'll have UsernamePasswordAuthenticationToken and in case of login through Twitter I'll have SocialAuthenticationToken Is it okay to have different tokens in a same application ?


Answer:

You can configure what to return on successful authentication by overriding methods in SimpleUrlAuthenticationSuccessHandler


public class CustomAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    public CustomAuthenticationSuccessHandler() {
        super();
        setRedirectStrategy(new NoRedirectStrategy());
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {

        super.onAuthenticationSuccess(request, response, authentication);
        ObjectMapper mapper = new ObjectMapper();

        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().print(mapper.writeValueAsString(objectToBereturned);
        response.getWriter().flush();
    }

    protected class NoRedirectStrategy implements RedirectStrategy {

        @Override
        public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url)
                throws IOException {
            // any redirect if required. leave the implementation black if not needed
        }

    }
}

Additionally you can also handle the failure response:


public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }
}