
Steps to Enable OpenID Authentication in Spring-Security Application


How to enable OpenID authentication alongside normal username/password login in a Spring Security application.


A) Changes in spring-security.xml

1. To enable OpenID authentication alongside normal username/password login, add

  <openid-login
      authentication-failure-handler-ref="authenticationFailureHandler"
      default-target-url="/"
      authentication-success-handler-ref="authenticationSuccessHandler"
      user-service-ref="customUserDetailsService">
    <attribute-exchange identifier-match="https://www.google.com/.*">
      <openid-attribute name="axContactEmail" type="http://axschema.org/contact/email"
          required="true"/>
      <openid-attribute name="oiContactEmail" type="http://schema.openid.net/contact/email"
          required="true"/>
      <openid-attribute name="axNamePersonFullname" type="http://axschema.org/namePerson"
          required="true"/>
    </attribute-exchange>
  </openid-login>

to the <http> element in which form-login is defined. The identifier-match pattern restricts attribute exchange to identifiers issued by Google, and the three openid-attribute names are the keys under which the values arrive in the authentication token.

2. Add

  <authentication-provider user-service-ref="userAuthenticationProvider"/>

as a child element of <authentication-manager>.

3. Define a bean alias so that userAuthenticationProvider refers to the customUserDetailsService bean:

  <beans:alias name="customUserDetailsService" alias="userAuthenticationProvider"/>

4. Define the "authenticationFailureHandler" bean.

  <beans:bean id="authenticationFailureHandler"
      class="com.hcentive.portal.employer.service.impl.CustomFailureHandler">
    <beans:property name="defaultFailureUrl" value="/access-denied"/>
    <beans:property name="companyInfoURL" value="/register/companyInformation"/>
  </beans:bean>

5. Define the "authenticationSuccessHandler" bean. (There is no need to define it again if you have already defined an authenticationSuccessHandler for form-login.)

  <beans:bean id="authenticationSuccessHandler"
      class="com.hcentive.portal.employer.service.impl.CustomSuccessHandler">
    <beans:property name="companyInfoURL" value="/register/companyInformation"/>
  </beans:bean>

6. Define the customUserDetailsService bean.

  <beans:bean id="customUserDetailsService"
      class="com.hcentive.portal.employer.service.impl.CustomUserDetailsService"/>

B) Sample implementation of the beans defined in the config file.

1. CustomUserDetailsService

  import org.springframework.dao.DataAccessException;
  import org.springframework.security.core.userdetails.UserDetails;
  import org.springframework.security.core.userdetails.UserDetailsService;
  import org.springframework.security.core.userdetails.UsernameNotFoundException;

  public class CustomUserDetailsService implements UserDetailsService {

    /**
     * Retrieves a user record containing the user's credentials and access.
     * Form logins pass a plain username; OpenID logins pass the claimed identifier
     * (e.g. https://www.google.com/accounts/o8/id?id=...), from which the part after '=' is used.
     */
    @Override
    public UserDetails loadUserByUsername(String username)
        throws UsernameNotFoundException, DataAccessException {
      if (username == null || username.length() == 0) {
        throw new UsernameNotFoundException("Empty username");
      }
      // Guarded split: username.split("=")[1] on a value without '=' would throw
      // ArrayIndexOutOfBoundsException instead of a clean authentication failure.
      final String userIdentifier = username.contains("=") ? username.split("=")[1] : username;
      try {
        // provide implementation to search for the user by userIdentifier in the database and
        // return a user of type UserDetails
        throw new UnsupportedOperationException("database lookup not implemented");
      } catch (Exception e) {
        // if the user is not found in the database, throw an exception; for OpenID logins the
        // failure handler below turns this into auto-registration
        throw new UsernameNotFoundException("Error in retrieving user", e);
      }
    }
  }

2. AuthenticationFailureHandler

  import java.io.IOException;
  import java.util.List;
  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import org.springframework.security.core.AuthenticationException;
  import org.springframework.security.core.userdetails.UsernameNotFoundException;
  import org.springframework.security.openid.OpenIDAttribute;
  import org.springframework.security.openid.OpenIDAuthenticationStatus;
  import org.springframework.security.openid.OpenIDAuthenticationToken;
  import org.springframework.security.web.DefaultRedirectStrategy;
  import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

  public class CustomFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    private String companyInfoURL;  // the bean property set in spring-security.xml

    public void setCompanyInfoURL(String companyInfoURL) {
      this.companyInfoURL = companyInfoURL;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
        HttpServletResponse response, AuthenticationException exception)
        throws IOException, ServletException {
      // A user the provider verified but who is unknown locally arrives here as a
      // UsernameNotFoundException that still carries the OpenID token.
      if (exception instanceof UsernameNotFoundException
          && exception.getAuthentication() instanceof OpenIDAuthenticationToken) {
        OpenIDAuthenticationToken token = (OpenIDAuthenticationToken) exception.getAuthentication();
        // Only auto-register when the provider actually verified the user.
        if (OpenIDAuthenticationStatus.SUCCESS.equals(token.getStatus())) {
          // attributes passed by Google / the OpenID provider
          final List<OpenIDAttribute> attrList = token.getAttributes();
          String username = (String) token.getPrincipal();
          // provide implementation to create a user from the information passed by the
          // OpenID provider, save this user in the database and then redirect to redirectURL
          DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
          redirectStrategy.sendRedirect(request, response, "redirectURL");
          return;
        }
      }
      // Every other failure (bad password, cancelled or failed OpenID response) goes to defaultFailureUrl.
      super.onAuthenticationFailure(request, response, exception);
    }
  }
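The comment above leaves the "create user from the provider's information" step open. The helper below is an added example, not code from the original article or the hcentive project: it reads the email out of the attributes declared in section A, refuses anything but a SUCCESS response, and returns the UserDetails the handler would persist. The class name OpenIdUserFactory, the ROLE_USER authority and the sample values in main are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.openid.OpenIDAttribute;
import org.springframework.security.openid.OpenIDAuthenticationStatus;
import org.springframework.security.openid.OpenIDAuthenticationToken;
/** Hypothetical helper: turns a verified OpenID response into the local user record. */
public final class OpenIdUserFactory {
    // Attribute names exactly as declared in <attribute-exchange> in spring-security.xml
    private static final String[] EMAIL_ATTRS = { "axContactEmail", "oiContactEmail" };
    public static UserDetails fromToken(OpenIDAuthenticationToken token) {
        // Never provision an account from anything but a provider-verified SUCCESS response.
        if (!OpenIDAuthenticationStatus.SUCCESS.equals(token.getStatus())) {
            throw new UsernameNotFoundException("OpenID status " + token.getStatus());
        }
        // required="true" only asks the provider for the attribute; check it really arrived.
        String email = firstValue(token.getAttributes(), EMAIL_ATTRS);
        if (email == null || !email.contains("@")) {
            throw new UsernameNotFoundException("No email attribute in OpenID response");
        }
        // Whole claimed identifier as the stable key (split("=")[1] throws without '='); empty password = OpenID-only.
        String claimedId = (String) token.getPrincipal();
        return new User(claimedId, "",
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }
    // First value of the first attribute found, trying the names in preference order.
    static String firstValue(List<OpenIDAttribute> attrs, String... names) {
        for (String name : names) {
            for (OpenIDAttribute a : attrs) {
                if (name.equals(a.getName()) && a.getValues() != null && !a.getValues().isEmpty()) {
                    return a.getValues().get(0);
                }
            }
        }
        return null;
    }
    public static void main(String[] args) {
        // Constructed sample; Google retired its OpenID 2.0 endpoint in 2015, so the identifier is illustrative only.
        List<OpenIDAttribute> attrs = Collections.singletonList(new OpenIDAttribute(
                "oiContactEmail", "http://schema.openid.net/contact/email", Arrays.asList("alice@example.com")));
        OpenIDAuthenticationToken token = new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.SUCCESS,
                "https://www.google.com/accounts/o8/id?id=EXAMPLE-ID", "ok", attrs);
        System.out.println(fromToken(token).getUsername());
    }
}
```

In CustomFailureHandler the call would sit where the "provide implementation" comment is, with the returned UserDetails saved before the redirect.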

3. AuthenticationSuccessHandler

  import java.io.IOException;
  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import org.springframework.security.core.Authentication;
  import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

  public class CustomSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    private String companyInfoURL;  // the bean property set in spring-security.xml

    public void setCompanyInfoURL(String companyInfoURL) {
      this.companyInfoURL = companyInfoURL;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
        HttpServletResponse response, Authentication authentication)
        throws ServletException, IOException {
      // provide implementation to set user data in the session
      clearAuthenticationAttributes(request);  // remove the last-exception attribute left by a failed attempt
      // redirect to the landing page. Do not call super.onAuthenticationSuccess() as well: it would
      // issue a second redirect (to the saved request or default-target-url) on an already committed response.
      getRedirectStrategy().sendRedirect(request, response, "landingpageURL");
    }
  }

C) JSP changes.

1) Add the following to the login page. The form posts the provider's identifier to the OpenID filter URL; the URL is built with c:url so it resolves correctly from any page in the context.

  <c:url var="googleLogoUrl" value="/resources/google-logo.png" />
  <c:url var="openidLoginUrl" value="/j_spring_openid_security_check" />
  <img src="${googleLogoUrl}" alt="Google" />
  <form action="${openidLoginUrl}" method="post">
    For Google users:
    <input name="openid_identifier" type="hidden"
        value="https://www.google.com/accounts/o8/id"/>
    <input type="submit" value="Sign with Google"/>
  </form>

D) Steps to test the application:

1. Clicking the "Sign with Google" button should redirect to the Google login page.

2. After successful authentication with Google, the user should arrive at the landing page.
