11 lastmod: "2016-06-26T10:40:45+00:00"
12 guid: http://juplo.de/?p=462
15 title: Configure pac4j for a Social-Login along with a Spring-Security based Form-Login
16 url: /configure-pac4j-for-a-social-login-along-with-a-spring-security-based-form-login/
19 ## The Problem – What will be explained
21 If you just want to enable your spring-based webapplication to let users log in with their social accounts, without changing anything else, [pac4j](http://www.pac4j.org/#1 "The authentication solution for java") should be your first choice.
22 But the [provided example](https://github.com/pac4j/spring-security-pac4j-demo "Clone the examples on GitHub") only shows, how to define all authentication mechanisms via pac4j.
23 If you already have set up your log-in via spring-security, you have to reconfigure it with the appropriate pac4j-mechanism.
24 That is a lot of unnecessary work, if you just want to supplement the already configured log in with the additionally possibility, to log in via a social provider.
26 In this short article, I will show you, how to set that up along with the normal [form-based login of Spring-Security](http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#ns-form-and-basic "Read, how to set up the form-based login of Spring-Security").
27 I will show this for a Login via Facabook along the Form-Login of Spring-Security.
28 The method should work as well for [other social logins, that are supported by spring-security-pac4j](https://github.com/pac4j/spring-security-pac4j#providers-supported "See a list of all login-mechanisms, supported by spring-security-pac4j"), along other login-mechanisms provided by spring-security out-of-the-box.
30 In this article I will not explain, how to store the user-profile-data, that was retrieved during the social login.
31 Also, if you need more social interaction, than just a login and access to the default data in the user-profile you probably need [spring-social](http://projects.spring.io/spring-social/ "Homepage of the spring-social project"). How to combine spring-social with spring-security for that purpose, is explained in this nice article about how to [add social sign in to a spring-mvc weba-pplication](http://www.petrikainulainen.net/programming/spring-framework/adding-social-sign-in-to-a-spring-mvc-web-application-configuration/ "Read this article about how to integrate spring-security with spring-social").
33 ## Adding the Required Maven-Artifacts
35 In order to use spring-security-pac4j to login to facebook, you need the following maven-artifacts:
39 <groupId>org.pac4j</groupId>
40 <artifactId>spring-security-pac4j</artifactId>
41 <version>1.2.5</version>
44 <groupId>org.pac4j</groupId>
45 <artifactId>pac4j-http</artifactId>
46 <version>1.7.1</version>
49 <groupId>org.pac4j</groupId>
50 <artifactId>pac4j-oauth</artifactId>
51 <version>1.7.1</version>
55 ## Configuration of Spring-Security (Without Social Login via pac4j)
57 This is a bare minimal configuration to get the form-login via Spring-Security working:
60 <?xml version="1.0" encoding="UTF-8"?>
62 xmlns="http://www.springframework.org/schema/beans"
63 xmlns:security="http://www.springframework.org/schema/security"
64 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
66 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
67 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
70 <security:http use-expressions="true">
71 <security:intercept-url pattern="/**" access="permitAll"/>
72 <security:intercept-url pattern="/home.html" access="isAuthenticated()"/>
73 <security:form-login login-page="/login.html" authentication-failure-url="/login.html?failure"/>
75 <security:remember-me/>
78 <security:authentication-manager>
79 <security:authentication-provider>
80 <security:user-service>
81 <security:user name="user" password="user" authorities="ROLE_USER" />
82 </security:user-service>
83 </security:authentication-provider>
84 </security:authentication-manager>
89 The `http` defines, that the access to the url `/home.html` is restriced and must be authenticated via a form-login on url `/login.html`.
90 The `authentication-manager` defines an in-memory authentication-provider for testing purposes with just one user (username: `user`, password: `user`).
91 For more details, see the [documentation of spring-security](http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#ns-form-and-basic "Read more about the available configuration-parameters in the spring-security documentation").
93 ## Enabling pac4j via spring-security-pac4j alongside
95 To enable pac4j alongside, you have to add/change the following:
98 <?xml version="1.0" encoding="UTF-8"?>
100 xmlns="http://www.springframework.org/schema/beans"
101 xmlns:security="http://www.springframework.org/schema/security"
102 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
104 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
105 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
108 <security:http use-expressions="true">
109 <security:custom-filter position="OPENID_FILTER" ref="clientFilter"/>
110 <security:intercept-url pattern="/**" access="permitAll()"/>
111 <security:intercept-url pattern="/home.html" access="isAuthenticated()"/>
112 <security:form-login login-page="/login.html" authentication-failure-url="/login.html?failure"/>
116 <security:authentication-manager alias="authenticationManager">
117 <security:authentication-provider>
118 <security:user-service>
119 <security:user name="user" password="user" authorities="ROLE_USER" />
120 </security:user-service>
121 </security:authentication-provider>
122 <security:authentication-provider ref="clientProvider"/>
123 </security:authentication-manager>
125 <!-- entry points -->
126 <bean id="facebookEntryPoint" class="org.pac4j.springframework.security.web.ClientAuthenticationEntryPoint">
127 <property name="client" ref="facebookClient"/>
130 <!-- client definitions -->
131 <bean id="facebookClient" class="org.pac4j.oauth.client.FacebookClient">
132 <property name="key" value="145278422258960"/>
133 <property name="secret" value="be21409ba8f39b5dae2a7de525484da8"/>
135 <bean id="clients" class="org.pac4j.core.client.Clients">
136 <property name="callbackUrl" value="http://localhost:8080/callback"/>
137 <property name="clients">
139 <ref bean="facebookClient"/>
144 <!-- common to all clients -->
145 <bean id="clientFilter" class="org.pac4j.springframework.security.web.ClientAuthenticationFilter">
146 <constructor-arg value="/callback"/>
147 <property name="clients" ref="clients"/>
148 <property name="sessionAuthenticationStrategy" ref="sas"/>
149 <property name="authenticationManager" ref="authenticationManager"/>
151 <bean id="clientProvider" class="org.pac4j.springframework.security.authentication.ClientAuthenticationProvider">
152 <property name="clients" ref="clients"/>
154 <bean id="httpSessionRequestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache"/>
155 <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
162 1. You have to add an additional filter in `http`.
163 I added this filter on position `OPENID_FILTER`, because pac4j introduces a unified way to handle OpenID and OAuth and so on.
164 If you are using the OpenID-mechanism of spring-security, you have to use another position in the filter-chain (for example `CAS_FILTER`) or reconfigure OpenID to use the pac4j-mechanism, which should be fairly straight-forward.
167 The new Filter has the ID `clientFilter` and needs a reference to the `authenticationManager`.
168 Also, the callback-URL (here: `/callback`) must be mapped to your web-application!
170 1. You have to add an additional `authentication-provider` to the `authentication-manager`, that references your newly defined pac4j-ClientProvider ( `clientProvider`).
172 1. You have to configure your entry-points as pac4j-clients.
173 In the example above, only one pac4j-client, that authenticats the user via Facebook, is configured.
174 You easily can add more clients: just copy the definitions from the [spring-security-pac4j example](https://github.com/pac4j/spring-security-pac4j-demo "Browse the source of that example on GitHub").
176 That should be all, that is necessary, to enable a Facebook-Login in your Spring-Security web-application.
178 ## Do Not Forget To Use Your Own APP-ID!
180 The App-ID `145278422258960` and the accompanying secret `be21409ba8f39b5dae2a7de525484da8` were taken from the [spring-security-pac4j example](https://github.com/pac4j/spring-security-pac4j-demo "Browse the source of that example on GitHub") for simplicity.
181 That works for a first test-run on `localhost`.
182 _But you have to replace that with your own App-ID and -scecret, that you have to generate using [your App Dashboard on Facebook](https://developers.facebook.com/apps "You can generate your own apps on your App Dashboard")!_
186 This short article does not show, how to save the retrieved user-profiles in your user-database, if you need that.
187 I hope, I will write a follow-up on that soon.
189 pac4j creates a Spring-Security `UserDetails`-Instance for every user, that was authenticated against it.
190 You can use this, to access the data in the retrieved user-profile (for example to write out the name of the user in a greeting or contact him via e-mail).