实施社交媒体登录春季安全

时间:2016-01-14 12:06:57

标签: java spring facebook spring-mvc spring-security

我正在使用Spring 3和spring security。我正在整合社交帐户,例如:Facebook,Twitter和Google。我正在使用javascript sdk版本,但我的问题是我可以注册用户,但我不确定如何验证它们。

例如:

当用户点击任何链接(Facebook,Twitter,Google)后,在成功通过身份验证后会打开新对话框,我可以获取他们的基本个人资料详细信息:电子邮件,身份证,姓名,图片,我将所有这些信息传递给我的控制器如果用户尚未注册,则使用调用service和dao的ajax来保存用户。

直到这里一切都对我很好。我使用用户ID并使用salt加密它们并将其作为密码保存到数据库中(我不确定这是否是一种正确的处理方式)但现在我的困惑是如何验证用户并允许它们登录系统。

我的security.xml文件

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- Configuration for master level user login -->
    <http auto-config="true" use-expressions="true"
        disable-url-rewriting="true">
        <!-- <csrf /> -->
        <headers>
            <cache-control />
            <content-type-options />
            <hsts />
            <frame-options />
            <xss-protection />
        </headers>
        <!-- requires-channel="https" -->
        <intercept-url pattern="/favicon.ico" access="permitAll" />
        <intercept-url pattern="/login*" access="permitAll" />
        <intercept-url pattern="/login/facebook-login*" access="permitAll" />
        <intercept-url pattern="/validateUserCredentials*"
            access="permitAll" />
        <intercept-url pattern="/register*" access="permitAll" />
        <intercept-url pattern="/activation*" access="permitAll" />
        <intercept-url pattern="/restore*" access="permitAll" />
        <intercept-url pattern="/resend*" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/license*"
            access="hasAnyRole('${role.admin}', '${role.master}')" />
        <intercept-url pattern="/**"
            access="hasAnyRole('${role.admin}', '${role.master}', '${role.owner}', '${role.simple}')" />
        <access-denied-handler error-page="/denied" />
        <form-login login-page="/login" default-target-url="/logged"
            authentication-failure-url="/loginfailed" login-processing-url="/j_spring_security_check" />
        <logout logout-success-url="/login" invalidate-session="true"
            delete-cookies="JSESSIONID,SPRING_SECURITY_REMEMBER_ME_COOKIE" />
        <session-management session-fixation-protection="migrateSession">
            <concurrency-control error-if-maximum-exceeded="true"
                max-sessions="1" expired-url="/login" />
        </session-management>
        <remember-me token-validity-seconds="86400" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="daoAuthenticationProvider" />
    </authentication-manager>

    <beans:bean id="daoAuthenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="saltSource" ref="saltSource" />
        <beans:property name="passwordEncoder" ref="passwordEncoder" />
    </beans:bean>

    <beans:bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

    <beans:bean id="saltSource"
        class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <beans:property name="userPropertyToUse" value="salt" />
    </beans:bean>

    <beans:bean id="userDetailsService" name="userAuthenticationProvider"
        class="com.luffy.security.AuthenticationUserDetailService">
    </beans:bean>
</beans:beans>

任何帮助将不胜感激。我尽我所能来解决这个问题,但我无法找到任何可靠的解决方案。

1 个答案:

答案 0 :(得分:1)

假设您正在实施Facebook身份验证。

解决方案(1):

在Facebook成功回复后,您可以调用服务器API以使用Facebook用户凭据(例如用户名/电子邮件和OAuth access_token)更新身份验证表。 

$.post('api/fblogin', {access_token: accessToken}, function(response) {});

解决方案(2): 自定义安全处理程序。在这里,您可以向Facebook发起自定义HTTP请求,并在成功完成后允许用户访问该站点。 

import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.stereotype.Component;
import com.restfb.*;;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
    private @Autowired HttpServletRequest request;

    @Override
    public Authentication authenticate(Authentication authentication) {
        String fb_access_token = String.valueOf(request.getParameter("fb_access_token"));

        //fb user
        Authentication auth = null;
        try {
            FacebookClient fbClient = new DefaultFacebookClient(fb_access_token);
            User user = fbClient.fetchObject("me",com.restfb.types.User.class);
            String email = user.getEmail();
            String gender = user.getGender();
            String pic = "http://graph.facebook.com/" + user.getId() + "/picture?type=normal"; 
            //Your DB implementation

        } catch (Exception e) {
            throw new FacebookOAuthException("FB","OAuth",5002, null, null, "", "");
        }       
    }
}

弹簧security.xml文件

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider ref="customAuthenticationProvider" >
        </authentication-provider>
</authentication-manager>

<bean id="customAuthenticationProvider" class="com.mi.common.CustomAuthenticationProvider"/>
相关问题
最新问题