實現社交媒體登錄彈簧安全

Question

我使用Spring 3和spring安全。我正在整合社交賬戶，例如Facebook，Twitter和Google。我在那裏使用javascript sdk版本，但我的問題是我可以註冊一個用戶，但我不知道如何驗證它們。

例如：

當用戶點擊任何新的對話框打開驗證成功後我可以得到他們的基本個人資料詳細信息鏈接（在Facebook，Twitter的，谷歌）的：電子郵件，ID，姓名，圖像和我使用ajax將所有這些信息傳遞給我的控制器，如果用戶尚未註冊，則調用service和dao來保存用戶。

直到這裏一切工作正常。我使用用戶ID並使用salt對它們進行加密並將其作爲密碼保存到數據庫中（我不確定這是否是正確的方式來處理它）但現在我的困惑是如何驗證用戶並允許他們登錄到系統。

我的security.xml文件

<?xml version="1.0" encoding="UTF-8"?> 
<beans:beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns="http://www.springframework.org/schema/security" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
         http://www.springframework.org/schema/beans/spring-beans-3.2.xsd 
         http://www.springframework.org/schema/security 
         http://www.springframework.org/schema/security/spring-security-3.2.xsd"> 

    <!-- Configuration for master level user login --> 
    <http auto-config="true" use-expressions="true" 
     disable-url-rewriting="true"> 
     <!-- <csrf /> --> 
     <headers> 
      <cache-control /> 
      <content-type-options /> 
      <hsts /> 
      <frame-options /> 
      <xss-protection /> 
     </headers> 
     <!-- requires-channel="https" --> 
     <intercept-url pattern="/favicon.ico" access="permitAll" /> 
     <intercept-url pattern="/login*" access="permitAll" /> 
     <intercept-url pattern="/login/facebook-login*" access="permitAll" /> 
     <intercept-url pattern="/validateUserCredentials*" 
      access="permitAll" /> 
     <intercept-url pattern="/register*" access="permitAll" /> 
     <intercept-url pattern="/activation*" access="permitAll" /> 
     <intercept-url pattern="/restore*" access="permitAll" /> 
     <intercept-url pattern="/resend*" access="permitAll" /> 
     <intercept-url pattern="/resources/**" access="permitAll" /> 
     <intercept-url pattern="/license*" 
      access="hasAnyRole('${role.admin}', '${role.master}')" /> 
     <intercept-url pattern="/**" 
      access="hasAnyRole('${role.admin}', '${role.master}', '${role.owner}', '${role.simple}')" /> 
     <access-denied-handler error-page="/denied" /> 
     <form-login login-page="/login" default-target-url="/logged" 
      authentication-failure-url="/loginfailed" login-processing-url="/j_spring_security_check" /> 
     <logout logout-success-url="/login" invalidate-session="true" 
      delete-cookies="JSESSIONID,SPRING_SECURITY_REMEMBER_ME_COOKIE" /> 
     <session-management session-fixation-protection="migrateSession"> 
      <concurrency-control error-if-maximum-exceeded="true" 
       max-sessions="1" expired-url="/login" /> 
     </session-management> 
     <remember-me token-validity-seconds="86400" /> 
    </http> 

    <authentication-manager alias="authenticationManager"> 
     <authentication-provider ref="daoAuthenticationProvider" /> 
    </authentication-manager> 

    <beans:bean id="daoAuthenticationProvider" 
     class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> 
     <beans:property name="userDetailsService" ref="userDetailsService" /> 
     <beans:property name="saltSource" ref="saltSource" /> 
     <beans:property name="passwordEncoder" ref="passwordEncoder" /> 
    </beans:bean> 

    <beans:bean id="passwordEncoder" 
     class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" /> 

    <beans:bean id="saltSource" 
     class="org.springframework.security.authentication.dao.ReflectionSaltSource"> 
     <beans:property name="userPropertyToUse" value="salt" /> 
    </beans:bean> 

    <beans:bean id="userDetailsService" name="userAuthenticationProvider" 
     class="com.luffy.security.AuthenticationUserDetailService"> 
    </beans:bean> 
</beans:beans> 

任何幫助將不勝感激。我盡我所能解決了這個問題，但我無法找出任何可靠的解決方案。

Answer 1

假設您正在實施Facebook身份驗證。

解決方案（1）：

在從Facebook成功的響應，你可以調用服務器API與Facebook用戶憑證，如用戶名/電子郵件和OAuth的access_token更新認證表。

$.post('api/fblogin', {access_token: accessToken}, function(response) {}); 

解決方案（2）： 自定義安全處理程序。在這裏，您可以向Facebook發起您的自定義HTTP請求，並在成功完成後允許用戶訪問該網站。

import java.util.*; 
import javax.servlet.http.HttpServletRequest; 
import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.security.authentication.*; 
import org.springframework.security.core.*; 
import org.springframework.stereotype.Component; 
import com.restfb.*;; 

@Component 
public class CustomAuthenticationProvider implements AuthenticationProvider { 
    private @Autowired HttpServletRequest request; 

    @Override 
    public Authentication authenticate(Authentication authentication) { 
     String fb_access_token = String.valueOf(request.getParameter("fb_access_token")); 

     //fb user 
     Authentication auth = null; 
     try { 
      FacebookClient fbClient = new DefaultFacebookClient(fb_access_token); 
      User user = fbClient.fetchObject("me",com.restfb.types.User.class); 
      String email = user.getEmail(); 
      String gender = user.getGender(); 
      String pic = "http://graph.facebook.com/" + user.getId() + "/picture?type=normal"; 
      //Your DB implementation 

     } catch (Exception e) { 
      throw new FacebookOAuthException("FB","OAuth",5002, null, null, "", ""); 
     }  
    } 
} 

彈簧security.xml文件

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security"> 
     <authentication-provider ref="customAuthenticationProvider" > 
     </authentication-provider> 
</authentication-manager> 

<bean id="customAuthenticationProvider" class="com.mi.common.CustomAuthenticationProvider"/>