Spring security social and Stormpath users repository

Prerequisites

This tutorial assumes that you have already created the Facebook and Google applications used by the example application. You can create these applications by following these links:

Requirements

The requirements of our solution are the following:

  • It must be possible to log in with a username and password against the Stormpath user repository.
  • The application must support Facebook and Google OAuth2 authentication.

Getting the Required Dependencies with Maven

The first thing that we have to do is to get the required dependencies with Maven. We can do this by declaring the following dependencies in our POM file:

  • Spring Security (version 3.2.0.RELEASE).
    • The core module contains core authentication and access control components.
    • The config module contains the code used to parse XML configuration files using the Spring Security XML namespace.
    • The taglibs module contains the Spring Security JSP tag libraries.
    • The web module contains filters and all other code related to web security.
  • Apache HttpClient (version 4.3.2). Apache HttpClient is an optional (but recommended) dependency of Spring Social. If it is present, Spring Social will use it as an HTTP client. If not, Spring Social will use the standard Java SE components.
  • Spring Social (version 1.1.0.RELEASE).
    • The config module contains the code used to parse XML configuration files using the Spring Social XML namespace. It also adds support for Java Configuration of Spring Social.
    • The core module contains the connect framework and provides support for OAuth clients.
    • The security module integrates Spring Security with Spring Social. It delegates the authentication concerns typically taken care of by Spring Security to service providers by using Spring Social.
    • The web module contains components which handle the authentication handshake between our web application and the service provider.
  • Spring Social Facebook (version 1.1.0.RELEASE) is an extension to Spring Social and it provides Facebook integration.
  • Spring Social Google (version 1.0.0.RELEASE) is an extension to Spring Social which provides Google integration.
  • Stormpath SDK core module
    • Stormpath SDK api module (version 1.0.RC2) provides the core framework.
    • Stormpath http client module (version 1.0.RC2) provides the connect framework.
    • Stormpath Spring Security module (version 0.3.0) is an extension of Spring Security which provides Stormpath integration.

The relevant part of the pom.xml file looks as follows:

Creating the User Password Stormpath Authentication

The Stormpath user authentication implementation is based on the Stormpath Spring Security example. The full source code is available for download here.

We have to create six components which are used during the authentication process. These components are:

  • We have to create the MainController class, which contains the application's RESTful methods.
  • We have to create the authority resolver class GroupRoleGrantedAuthorityResolver. This class is used to determine whether or not an authorized user is permitted to do something. It tries to resolve the role name from the Stormpath group name.
  • We have to create a class which implements the AccountBean. This class is used to hold user information.
  • We have to create a class which implements the CustomDataBean. This class is used to hold the user's custom data.
  • We have to create a class which implements the CustomDataFieldBean. This class is used to hold a custom data key/value pair.
  • We have to create a class which implements the CustomDataManager. This class is used to create, read, store and delete custom data fields in Stormpath. The current implementation of CustomDataManager only reads custom data from Stormpath.
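
The group-name-to-role resolution described in the list above, as an added example that is not the tutorial's own GroupRoleGrantedAuthorityResolver: it shows why the mapping should be an explicit allowlist, so that a group someone creates in the directory cannot confer a role by name alone. The class name AllowlistedGroupRoleMapper and its method are hypothetical, and group names are passed in as plain strings rather than Stormpath SDK objects; only spring-security-core is required.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Added example (hypothetical class, not the tutorial's resolver): maps group
// names to Spring Security roles through an explicit allowlist.
public class AllowlistedGroupRoleMapper {

    // Group name -> role name; groups that are not listed confer nothing.
    private final Map<String, String> groupToRole;

    public AllowlistedGroupRoleMapper(Map<String, String> groupToRole) {
        this.groupToRole =
                Collections.unmodifiableMap(new HashMap<String, String>(groupToRole));
    }

    public Set<GrantedAuthority> resolve(List<String> groupNames) {
        Set<GrantedAuthority> authorities = new LinkedHashSet<GrantedAuthority>();
        for (String name : groupNames) {
            // Exact, case-sensitive lookup: "role_user" is not "ROLE_USER".
            String role = (name == null) ? null : groupToRole.get(name);
            if (role != null) {
                authorities.add(new SimpleGrantedAuthority(role));
            }
        }
        return authorities;
    }

    public static void main(String[] args) {
        Map<String, String> mapping = new HashMap<String, String>();
        mapping.put("ROLE_USER", "ROLE_USER"); // the group created in "Test Application"
        AllowlistedGroupRoleMapper mapper = new AllowlistedGroupRoleMapper(mapping);

        // Constructed input: one mapped group and two names that must be ignored.
        List<String> groups = Arrays.asList("ROLE_USER", "ROLE_ADMIN", "role_user");
        System.out.println(mapper.resolve(groups));
    }
}
```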

The content of the application restful methods MainController class looks as follows:

The content of the authority resolver class looks as follows:

The content of the account bean class without getter and setter methods looks as follows:

The implementation of the custom data field’s holder looks as follows:

The content of the custom data key/value pair holder is very simple and looks as follows:

The content of the custom data manager looks as follows:

Creating the Social Stormpath Authentication

We are going to use the Spring Social authentication solution together with the Stormpath Spring authentication solution. The full source code is available for download here.

The Stormpath social authentication implementation is based on the descriptions in Integrating Stormpath with Facebook and Google and Social Login: Facebook & Google in One API Call.

According to these descriptions, we have to implement the following steps:

  1. Create a Facebook or Google Directory in Stormpath to mirror social accounts.
  2. Assign the created directory to our application in Stormpath.
  3. Populate our directory with social accounts from Google or Facebook using the application’s accounts endpoint.

We have to create eight components which are used during the social authentication process. These components are:

  • We have to create a class which creates the Stormpath social directories and assigns the created directories to our Stormpath application. This class ensures that the Facebook and Google Stormpath directories exist. If they do not, it creates them with the provided Facebook and Google application id and secret.
  • We have to create a class which performs social authentication in Stormpath.
  • We have to create a class which can build the social user id from the social connection data.
  • We have to create a helper locator class to locate the Stormpath ProviderRequestFactory. This class is used to provide a builder that generates an attempt to create data in the provider-based directory in Stormpath.
  • We have to create a class which holds the Stormpath user details data and the social user details data.
  • We have to create a class which locates Stormpath user data by social user profile data.
  • We have to create a helper class which defines the provider names.
  • We have to create a class which extends the failure redirect URL with additional social provider URL parameters.
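
The last two components in the list above (provider names and the failure redirect URL), as an added example that is not the tutorial's own code: the provider value is checked against the supported providers before it is appended to the redirect, so unrecognised input is never reflected into the URL. The class name, the `provider` parameter name and the `/login?error=social` URL are hypothetical.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Added example (hypothetical names): adds the social provider to the failure URL.
public class SocialFailureUrl {

    // Providers the application supports; the ids are the Spring Social provider ids.
    enum Provider {
        FACEBOOK("facebook"), GOOGLE("google");

        final String id;

        Provider(String id) {
            this.id = id;
        }

        static Provider fromId(String raw) {
            for (Provider p : values()) {
                if (p.id.equals(raw)) {
                    return p;
                }
            }
            return null; // unknown, or a different case/encoding of a known id
        }
    }

    // failureUrl comes from application configuration, never from the request.
    static String withProvider(String failureUrl, String rawProviderId)
            throws UnsupportedEncodingException {
        Provider provider = Provider.fromId(rawProviderId);
        if (provider == null) {
            return failureUrl; // do not echo unrecognised input into the redirect
        }
        String separator = failureUrl.contains("?") ? "&" : "?";
        return failureUrl + separator + "provider=" + URLEncoder.encode(provider.id, "UTF-8");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed inputs: a supported provider and a value that must be dropped.
        System.out.println(withProvider("/login?error=social", "google"));
        System.out.println(withProvider("/login?error=social", "unknown&x=1"));
    }
}
```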

The content of the class which creates the Stormpath social directories looks as follows:

The content of the class which implements Stormpath social user authentication looks as follows:

The content of the class which builds the social user id from the social connection data looks as follows:

The content of the class which locates the Stormpath ProviderRequestFactory looks as follows:

The content of the class which holds the Stormpath user details data and the social user details data looks as follows:

The content of the class which locates Stormpath user data by social user profile data looks as follows:

The content of the helper enum class which defines the authentication provider name strings looks as follows:

The content of the class which implements the failure redirect strategy looks as follows:

Application Configuration

We are going to configure the following systems:

  • Application property files.
  • Spring beans and security.
  • Facebook and Google applications.

Creating the Properties File

We have to create the property files with the following steps:

  1. Create a file called apiKey.properties (the Stormpath security keys file) and ensure that it is accessible from the deployed application.
  2. Create a file called local.properties (the localhost application settings) and ensure that it is placed in the src “<source app home>/main/filters” folder.
  3. Add the Facebook application id and application secret to the properties file.
  4. Add the Google consumer key and consumer secret to the properties file.
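
A check that the deployed application can run against apiKey.properties before using it, as an added example that is not part of the tutorial's code: the file must be accessible to the application, but it holds the Stormpath API secret, so the example refuses a file that anyone other than its owner can access and confirms both key entries are present. The class name ApiKeyFileCheck is hypothetical, the check assumes a POSIX file system, and the sample file content is constructed with placeholder values.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

// Added example (hypothetical class): checks apiKey.properties before the keys are used.
public class ApiKeyFileCheck {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    public static Properties load(Path file) throws IOException {
        // POSIX file systems only; elsewhere this call throws UnsupportedOperationException.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        if (!OWNER_ONLY.containsAll(perms)) {
            throw new SecurityException(file + " must be owner-only, found "
                    + PosixFilePermissions.toString(perms));
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        for (String key : new String[] {"apiKey.id", "apiKey.secret"}) {
            if (props.getProperty(key, "").trim().isEmpty()) {
                throw new IllegalStateException("missing " + key + " in " + file);
            }
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file with placeholder values, restricted to rw-------.
        Path file = Files.createTempFile("apiKey", ".properties");
        Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
        Files.write(file, "apiKey.id = EXAMPLE_ID\napiKey.secret = EXAMPLE_SECRET\n"
                .getBytes(StandardCharsets.UTF_8));
        // Print the id only; the secret never goes to logs or stdout.
        System.out.println("key id: " + load(file).getProperty("apiKey.id"));
        Files.delete(file);
    }
}
```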

The content of the apiKey.properties file looks as follows:

The content of the local.properties file looks as follows:

Creating the Spring Configuration

The Spring configuration is implemented as XML configuration.

The Stormpath client settings and cached beans are defined in root-context.xml:

The Spring Security configuration is defined in the spring-security.xml file:

Creating the Social Configuration

The Facebook application configuration looks as follows:

[Image: fb-settings-edited]

The Google application configuration looks as follows:

[Image: google-credentials-edited]

The Google application permissions look as follows:

[Image: google-permisions-edited]

Test Application

The application does not implement user sign-up. Before testing we should create three Stormpath components. These components are:

  • A Stormpath directory with the name “My Application Directory”.
  • A Stormpath group with the name “ROLE_USER”.
  • A test account, added to the “My Application Directory” directory and to the “ROLE_USER” group.

The account should have an email, user name and password. The Stormpath account email should match that of the Facebook and Google accounts.

The login page looks as follows:

[Image: login-page]

The HTML of the login page looks as follows:

The secured page looks as follows:

[Image: secured-page]

The source code is available for download here: spring-social-security-stormpath-src.zip.