Spring社交身份验证过滤器,用于使用Facebook令牌进行身份验证的无状态REST端点

时间:2016-03-10 08:58:03

标签: spring facebook rest spring-security spring-social-facebook

我想使用Facebook Tokens使用Spring Security验证我的REST后端。能否详细说明如何将此安全性集成到我的Spring应用程序中。

我想使用与Spring Social Security相同的用户管理。 UserConnection表和本地用户表。

1 个答案:

答案 0 :(得分:10)

您可以从以下网址下载代码示例:

https://github.com/ozgengunay/FBSpringSocialRESTAuth

我们一直在寻找一种“Spring”解决方案,该解决方案使用REST客户端已拥有的Facebook OAuth令牌来保护我们的REST后端。例如:您有一个移动应用程序,其中Facebook Connect SDK在应用程序本身中实现,另一方面,您有一个提供REST API的后端。您希望使用Facebook OAuth令牌验证REST API调用。解决方案实现了这种情况。

不幸的是,Spring Social Security Framework仅保护您的有状态HTTP请求,而不是无状态REST后端。

这是Spring社交安全框架的扩展,它由一个组件组成:FacebookTokenAuthenticationFilter。此过滤器拦截所有REST调用。客户端应该在URL中将Facebook OAuth令牌作为“input_token”参数发送到每个请求中,因为REST API本质上是无用的。过滤器查找此标记并通过“debug_token”Graph Api调用对其进行验证。如果验证了令牌,则过滤器会尝试将用户与本地用户管理系统进行匹配。如果尚未注册此类用户,则过滤器将用户注册为新用户。

如果您还拥有REST API以外的服务(如Web后端),则可以将此过滤器与Spring Social Security的标准SocialAuthenticationFilter一起使用。所以你可以使用相同的用户管理系统。

1)在MYSQL中创建用户表:

CREATE TABLE IF NOT EXISTS `user` (
  `id` varchar(50) NOT NULL,
  `email` varchar(255) NOT NULL COMMENT 'unique',
  `first_name` varchar(255) NOT NULL,
  `last_name` varchar(255) NOT NULL,
  `password` varchar(255) DEFAULT NULL,
  `role` varchar(255) NOT NULL,
  `sign_in_provider` varchar(20) DEFAULT NULL,
  `creation_time` datetime NOT NULL,
  `modification_time` datetime NOT NULL,
  `status` varchar(20) NOT NULL COMMENT 'not used',
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`)
);

2)在context.xml中配置数据源:

tomcat中的

context.xml:

<Resource auth="Container" driverClassName="com.mysql.jdbc.Driver" maxActive="100" maxIdle="30" maxWait="10000" 
name="jdbc/thingabled" password="..." type="javax.sql.DataSource" url="jdbc:mysql://localhost:3306/..." username="..."/>

3)Spring配置:我们配置spring security来拦截以FacebookTokenAuthenticationFilter为“protected”开头的URL进行身份验证。授权将由“ROLE_USER_REST_MOBILE”角色完成。

<security:http use-expressions="true" pattern="/protected/**"
create-session="never" entry-point-ref="forbiddenEntryPoint">
  <security:intercept-url pattern="/**"
  access="hasRole('ROLE_USER_REST_MOBILE')" />
<!-- Adds social authentication filter to the Spring Security filter chain. -->
  <security:custom-filter ref="facebookTokenAuthenticationFilter"
  before="FORM_LOGIN_FILTER" />
</security:http>


<bean id="facebookTokenAuthenticationFilter"
class="com.ozgen.server.security.oauth.FacebookTokenAuthenticationFilter">
  <constructor-arg index="0" ref="authenticationManager" />
  <constructor-arg index="1" ref="userIdSource" />
  <constructor-arg index="2" ref="usersConnectionRepository" />
  <constructor-arg index="3" ref="connectionFactoryLocator" />
</bean>

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider
  ref="socialAuthenticationProvider" />
</security:authentication-manager>

<!-- Configures the social authentication provider which processes authentication 
requests made by using social authentication service (FB). -->
<bean id="socialAuthenticationProvider"
class="org.springframework.social.security.SocialAuthenticationProvider">
  <constructor-arg index="0" ref="usersConnectionRepository" />
  <constructor-arg index="1" ref="simpleSocialUserDetailsService" />
</bean>

<bean id="forbiddenEntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

<!-- This bean determines the account ID of the user.-->
<bean id="userIdSource"
class="org.springframework.social.security.AuthenticationNameUserIdSource" />

<!-- This is used to hash the password of the user. -->
<bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
  <constructor-arg index="0" value="10" />
</bean>
<!-- This bean encrypts the authorization details of the connection. In 
our example, the authorization details are stored as plain text. DO NOT USE 
THIS IN PRODUCTION. -->
<bean id="textEncryptor" class="org.springframework.security.crypto.encrypt.Encryptors"
factory-method="noOpText" />

4)所有无状态REST请求都将被FacebookTokenAuthenticationFilter拦截,以使用有效的Facebook令牌验证请求。检查Facebook令牌是否有效。如果Facebook令牌无效,则请求将被拒绝。如果Facebook令牌有效,则过滤器将尝试通过SimpleSocialUserDetailsS​​ervice对请求进行身份验证。如果用户和用户连接数据不可用,则会创建新用户(通过UserService)和UserConnection。

private Authentication attemptAuthService(...) {
  if (request.getParameter("input_token") == null) {
    throw new SocialAuthenticationException("No token in the request");
  }
  URIBuilder builder = URIBuilder.fromUri(String.format("%s/debug_token", "https://graph.facebook.com"));
  builder.queryParam("access_token", access_token);
  builder.queryParam("input_token", request.getParameter("input_token"));
  URI uri = builder.build();
  RestTemplate restTemplate = new RestTemplate();

  JsonNode resp = null;
  try {
    resp = restTemplate.getForObject(uri, JsonNode.class);
  } catch (HttpClientErrorException e) {
    throw new SocialAuthenticationException("Error validating token");
  }
  Boolean isValid = resp.path("data").findValue("is_valid").asBoolean();
  if (!isValid)
    throw new SocialAuthenticationException("Token is not valid");

  AccessGrant accessGrant = new AccessGrant(request.getParameter("input_token"), null, null,
    resp.path("data").findValue("expires_at").longValue());

  Connection<?> connection = ((OAuth2ConnectionFactory<?>) authService.getConnectionFactory())
    .createConnection(accessGrant);
  SocialAuthenticationToken token = new SocialAuthenticationToken(connection, null);
  Assert.notNull(token.getConnection());

  Authentication auth = SecurityContextHolder.getContext().getAuthentication();
  if (auth == null || !auth.isAuthenticated()) {
    return doAuthentication(authService, request, token);
  } else {
    addConnection(authService, request, token);
    return null;
  }
 }

5)项目中的其他重要部分:

用户:映射'用户'表的实体。

@Entity
@Table(name = "user")
public class User extends BaseEntity {

  @Column(name = "email", length = 255, nullable = false, unique = true)
  private String email;

  @Column(name = "first_name", length = 255, nullable = false)
  private String firstName;

  @Column(name = "last_name", length = 255, nullable = false)
  private String lastName;

  @Column(name = "password", length = 255)
  private String password;

  @Column(name = "role", length = 255, nullable = false)
  private String rolesString;

  @Enumerated(EnumType.STRING)
  @Column(name = "sign_in_provider", length = 20)
  private SocialMediaService signInProvider;

  ...
}

UserRepository:Spring Data JPA存储库,它使我们能够在'User'实体上运行CRUD操作。

public interface UserRepository extends JpaRepository<User, String> {
  public User findByEmailAndStatus(String email,Status status);
  public User findByIdAndStatus(String id,Status status);
}

UserService:此spring服务将用于创建向'user'表插入数据的新用户帐户。

@Service
public class UserService {
  private static final Logger LOGGER = LoggerFactory.getLogger(UserService.class);

  @Autowired
  private UserRepository repository;

  @Transactional
  public User registerNewUserAccount(RegistrationForm userAccountData) throws DuplicateEmailException {
      LOGGER.debug("Registering new user account with information: {}", userAccountData);

      if (emailExist(userAccountData.getEmail())) {
          LOGGER.debug("Email: {} exists. Throwing exception.", userAccountData.getEmail());
          throw new DuplicateEmailException("The email address: " + userAccountData.getEmail() + " is already in use.");
      }

      LOGGER.debug("Email: {} does not exist. Continuing registration.", userAccountData.getEmail());

      User registered =User.newEntity();
      registered.setEmail(userAccountData.getEmail());
      registered.setFirstName(userAccountData.getFirstName());
      registered.setLastName(userAccountData.getLastName());
      registered.setPassword(null);
      registered.addRole(User.Role.ROLE_USER_WEB);
      registered.addRole(User.Role.ROLE_USER_REST);
      registered.addRole(User.Role.ROLE_USER_REST_MOBILE);

      if (userAccountData.isSocialSignIn()) {
          registered.setSignInProvider(userAccountData.getSignInProvider());
      }

      LOGGER.debug("Persisting new user with information: {}", registered);

      return repository.save(registered);
  }
  .... 
}

SimpleSocialUserDetailsS​​ervice:SocialAuthenticationProvider将使用此Spring服务来验证用户的userId。

@Service
public class SimpleSocialUserDetailsService implements SocialUserDetailsService {
  private static final Logger LOGGER = LoggerFactory.getLogger(SimpleSocialUserDetailsService.class);
  @Autowired
  private UserRepository repository;

  @Override
  public SocialUserDetails loadUserByUserId(String userId) throws UsernameNotFoundException, DataAccessException {
      LOGGER.debug("Loading user by user id: {}", userId);

      User user = repository.findByEmailAndStatus(userId, Status.ENABLED);
      LOGGER.debug("Found user: {}", user);

      if (user == null) {
          throw new UsernameNotFoundException("No user found with username: " + userId);
      }

      ThingabledUserDetails principal = new ThingabledUserDetails(user.getEmail(),user.getPassword(),user.getAuthorities());
      principal.setFirstName(user.getFirstName());
      principal.setId(user.getId());
      principal.setLastName(user.getLastName());
      principal.setSocialSignInProvider(user.getSignInProvider());


      LOGGER.debug("Found user details: {}", principal);

      return principal;
  }
}

您可以从以下网址下载代码示例:

https://github.com/ozgengunay/FBSpringSocialRESTAuth

相关问题
最新问题