我正在使用Spring 3和spring security。我正在整合社交帐户,例如:Facebook,Twitter和Google。我正在使用javascript sdk版本,但我的问题是我可以注册用户,但我不确定如何验证它们。
例如:
当用户点击任何链接(Facebook,Twitter,Google)后,在成功通过身份验证后会打开新对话框,我可以获取他们的基本个人资料详细信息:电子邮件,身份证,姓名,图片,我将所有这些信息传递给我的控制器如果用户尚未注册,则使用调用service和dao的ajax来保存用户。
直到这里一切都对我很好。我使用用户ID并使用salt加密它们并将其作为密码保存到数据库中(我不确定这是否是一种正确的处理方式)但现在我的困惑是如何验证用户并允许它们登录系统。
我的security.xml文件
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Configuration for master level user login -->
<http auto-config="true" use-expressions="true"
disable-url-rewriting="true">
<!-- <csrf /> -->
<headers>
<cache-control />
<content-type-options />
<hsts />
<frame-options />
<xss-protection />
</headers>
<!-- requires-channel="https" -->
<intercept-url pattern="/favicon.ico" access="permitAll" />
<intercept-url pattern="/login*" access="permitAll" />
<intercept-url pattern="/login/facebook-login*" access="permitAll" />
<intercept-url pattern="/validateUserCredentials*"
access="permitAll" />
<intercept-url pattern="/register*" access="permitAll" />
<intercept-url pattern="/activation*" access="permitAll" />
<intercept-url pattern="/restore*" access="permitAll" />
<intercept-url pattern="/resend*" access="permitAll" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/license*"
access="hasAnyRole('${role.admin}', '${role.master}')" />
<intercept-url pattern="/**"
access="hasAnyRole('${role.admin}', '${role.master}', '${role.owner}', '${role.simple}')" />
<access-denied-handler error-page="/denied" />
<form-login login-page="/login" default-target-url="/logged"
authentication-failure-url="/loginfailed" login-processing-url="/j_spring_security_check" />
<logout logout-success-url="/login" invalidate-session="true"
delete-cookies="JSESSIONID,SPRING_SECURITY_REMEMBER_ME_COOKIE" />
<session-management session-fixation-protection="migrateSession">
<concurrency-control error-if-maximum-exceeded="true"
max-sessions="1" expired-url="/login" />
</session-management>
<remember-me token-validity-seconds="86400" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="saltSource" ref="saltSource" />
<beans:property name="passwordEncoder" ref="passwordEncoder" />
</beans:bean>
<beans:bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
<beans:bean id="saltSource"
class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<beans:property name="userPropertyToUse" value="salt" />
</beans:bean>
<beans:bean id="userDetailsService" name="userAuthenticationProvider"
class="com.luffy.security.AuthenticationUserDetailService">
</beans:bean>
</beans:beans>
任何帮助将不胜感激。我尽我所能来解决这个问题,但我无法找到任何可靠的解决方案。
答案 0 :(得分:1)
假设您正在实施Facebook身份验证。
解决方案(1):
在Facebook成功回复后,您可以调用服务器API以使用Facebook用户凭据(例如用户名/电子邮件和OAuth access_token)更新身份验证表。
$.post('api/fblogin', {access_token: accessToken}, function(response) {});
解决方案(2): 自定义安全处理程序。在这里,您可以向Facebook发起自定义HTTP请求,并在成功完成后允许用户访问该站点。
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.stereotype.Component;
import com.restfb.*;;
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
private @Autowired HttpServletRequest request;
@Override
public Authentication authenticate(Authentication authentication) {
String fb_access_token = String.valueOf(request.getParameter("fb_access_token"));
//fb user
Authentication auth = null;
try {
FacebookClient fbClient = new DefaultFacebookClient(fb_access_token);
User user = fbClient.fetchObject("me",com.restfb.types.User.class);
String email = user.getEmail();
String gender = user.getGender();
String pic = "http://graph.facebook.com/" + user.getId() + "/picture?type=normal";
//Your DB implementation
} catch (Exception e) {
throw new FacebookOAuthException("FB","OAuth",5002, null, null, "", "");
}
}
}
弹簧security.xml文件
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthenticationProvider" >
</authentication-provider>
</authentication-manager>
<bean id="customAuthenticationProvider" class="com.mi.common.CustomAuthenticationProvider"/>