]> juplo.de Git - website/blob
7b2bde3d0ea71f3d551b25976a23346286a5d2e5
[website] /
1 ---
2 _edit_last: "2"
3 categories:
4   - explained
5 tags:
6   - facebook
7   - java
8   - oauth2
9   - spring
10 date: "2015-06-28"
11 lastmod: "2016-06-26T10:40:45+00:00"
12 guid: http://juplo.de/?p=462
13 parent_post_id: null
14 post_id: "462"
15 title: Configure pac4j for a Social-Login along with a Spring-Security based Form-Login
16 url: /configure-pac4j-for-a-social-login-along-with-a-spring-security-based-form-login/
17
18 ---
19 ## The Problem – What will be explained
20
21 If you just want to enable your spring-based webapplication to let users log in with their social accounts, without changing anything else, [pac4j](http://www.pac4j.org/#1 "The authentication solution for java") should be your first choice.
22 But the [provided example](https://github.com/pac4j/spring-security-pac4j-demo "Clone the examples on GitHub") only shows, how to define all authentication mechanisms via pac4j.
23 If you already have set up your log-in via spring-security, you have to reconfigure it with the appropriate pac4j-mechanism.
24 That is a lot of unnecessary work, if you just want to supplement the already configured log in with the additionally possibility, to log in via a social provider.
25
26 In this short article, I will show you, how to set that up along with the normal [form-based login of Spring-Security](http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#ns-form-and-basic "Read, how to set up the form-based login of Spring-Security").
27 I will show this for a Login via Facabook along the Form-Login of Spring-Security.
28 The method should work as well for [other social logins, that are supported by spring-security-pac4j](https://github.com/pac4j/spring-security-pac4j#providers-supported "See a list of all login-mechanisms, supported by spring-security-pac4j"), along other login-mechanisms provided by spring-security out-of-the-box.
29
30 In this article I will not explain, how to store the user-profile-data, that was retrieved during the social login.
31 Also, if you need more social interaction, than just a login and access to the default data in the user-profile you probably need [spring-social](http://projects.spring.io/spring-social/ "Homepage of the spring-social project"). How to combine spring-social with spring-security for that purpose, is explained in this nice article about how to [add social sign in to a spring-mvc weba-pplication](http://www.petrikainulainen.net/programming/spring-framework/adding-social-sign-in-to-a-spring-mvc-web-application-configuration/ "Read this article about how to integrate spring-security with spring-social").
32
33 ## Adding the Required Maven-Artifacts
34
35 In order to use spring-security-pac4j to login to facebook, you need the following maven-artifacts:
36
37 ```xml
38 <dependency>
39   <groupId>org.pac4j</groupId>
40   <artifactId>spring-security-pac4j</artifactId>
41   <version>1.2.5</version>
42 </dependency>
43 <dependency>
44   <groupId>org.pac4j</groupId>
45   <artifactId>pac4j-http</artifactId>
46   <version>1.7.1</version>
47 </dependency>
48 <dependency>
49   <groupId>org.pac4j</groupId>
50   <artifactId>pac4j-oauth</artifactId>
51   <version>1.7.1</version>
52 </dependency>
53 ```
54
55 ## Configuration of Spring-Security (Without Social Login via pac4j)
56
57 This is a bare minimal configuration to get the form-login via Spring-Security working:
58
59 ```xml
60 <?xml version="1.0" encoding="UTF-8"?>
61 <beans
62     xmlns="http://www.springframework.org/schema/beans"
63     xmlns:security="http://www.springframework.org/schema/security"
64     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
65     xsi:schemaLocation="
66       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
67       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
68     ">
69
70   <security:http use-expressions="true">
71     <security:intercept-url pattern="/**" access="permitAll"/>
72     <security:intercept-url pattern="/home.html" access="isAuthenticated()"/>
73     <security:form-login login-page="/login.html" authentication-failure-url="/login.html?failure"/>
74     <security:logout/>
75     <security:remember-me/>
76   </security:http>
77
78   <security:authentication-manager>
79     <security:authentication-provider>
80       <security:user-service>
81         <security:user name="user" password="user" authorities="ROLE_USER" />
82       </security:user-service>
83     </security:authentication-provider>
84   </security:authentication-manager>
85
86 </beans>
87 ```
88
89 The `http` defines, that the access to the url `/home.html` is restriced and must be authenticated via a form-login on url `/login.html`.
90 The `authentication-manager` defines an in-memory authentication-provider for testing purposes with just one user (username: `user`, password: `user`).
91 For more details, see the [documentation of spring-security](http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#ns-form-and-basic "Read more about the available configuration-parameters in the spring-security documentation").
92
93 ## Enabling pac4j via spring-security-pac4j alongside
94
95 To enable pac4j alongside, you have to add/change the following:
96
97 ```xml
98 <?xml version="1.0" encoding="UTF-8"?>
99 <beans
100     xmlns="http://www.springframework.org/schema/beans"
101     xmlns:security="http://www.springframework.org/schema/security"
102     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
103     xsi:schemaLocation="
104       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
105       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
106     ">
107
108   <security:http use-expressions="true">
109     <security:custom-filter position="OPENID_FILTER" ref="clientFilter"/>
110     <security:intercept-url pattern="/**" access="permitAll()"/>
111     <security:intercept-url pattern="/home.html" access="isAuthenticated()"/>
112     <security:form-login login-page="/login.html" authentication-failure-url="/login.html?failure"/>
113     <security:logout/>
114   </security:http>
115
116   <security:authentication-manager alias="authenticationManager">
117     <security:authentication-provider>
118       <security:user-service>
119         <security:user name="user" password="user" authorities="ROLE_USER" />
120       </security:user-service>
121     </security:authentication-provider>
122     <security:authentication-provider ref="clientProvider"/>
123   </security:authentication-manager>
124
125   <!-- entry points -->
126   <bean id="facebookEntryPoint" class="org.pac4j.springframework.security.web.ClientAuthenticationEntryPoint">
127     <property name="client" ref="facebookClient"/>
128   </bean>
129
130   <!-- client definitions -->
131   <bean id="facebookClient" class="org.pac4j.oauth.client.FacebookClient">
132     <property name="key" value="145278422258960"/>
133     <property name="secret" value="be21409ba8f39b5dae2a7de525484da8"/>
134   </bean>
135   <bean id="clients" class="org.pac4j.core.client.Clients">
136     <property name="callbackUrl" value="http://localhost:8080/callback"/>
137     <property name="clients">
138       <list>
139         <ref bean="facebookClient"/>
140       </list>
141     </property>
142   </bean>
143
144   <!-- common to all clients -->
145   <bean id="clientFilter" class="org.pac4j.springframework.security.web.ClientAuthenticationFilter">
146     <constructor-arg value="/callback"/>
147     <property name="clients" ref="clients"/>
148     <property name="sessionAuthenticationStrategy" ref="sas"/>
149     <property name="authenticationManager" ref="authenticationManager"/>
150   </bean>
151   <bean id="clientProvider" class="org.pac4j.springframework.security.authentication.ClientAuthenticationProvider">
152     <property name="clients" ref="clients"/>
153   </bean>
154   <bean id="httpSessionRequestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache"/>
155   <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
156
157 </beans>
158 ```
159
160 In short:
161
162 1. You have to add an additional filter in `http`.
163    I added this filter on position `OPENID_FILTER`, because pac4j introduces a unified way to handle OpenID and OAuth and so on.
164    If you are using the OpenID-mechanism of spring-security, you have to use another position in the filter-chain (for example `CAS_FILTER`) or reconfigure OpenID to use the pac4j-mechanism, which should be fairly straight-forward.
165
166
167    The new Filter has the ID `clientFilter` and needs a reference to the `authenticationManager`.
168    Also, the callback-URL (here: `/callback`) must be mapped to your web-application!
169
170 1. You have to add an additional `authentication-provider` to the `authentication-manager`, that references your newly defined pac4j-ClientProvider ( `clientProvider`).
171
172 1. You have to configure your entry-points as pac4j-clients.
173    In the example above, only one pac4j-client, that authenticats the user via Facebook, is configured.
174    You easily can add more clients: just copy the definitions from the [spring-security-pac4j example](https://github.com/pac4j/spring-security-pac4j-demo "Browse the source of that example on GitHub").
175
176 That should be all, that is necessary, to enable a Facebook-Login in your Spring-Security web-application.
177
178 ## Do Not Forget To Use Your Own APP-ID!
179
180 The App-ID `145278422258960` and the accompanying secret `be21409ba8f39b5dae2a7de525484da8` were taken from the [spring-security-pac4j example](https://github.com/pac4j/spring-security-pac4j-demo "Browse the source of that example on GitHub") for simplicity.
181 That works for a first test-run on `localhost`.
182 _But you have to replace that with your own App-ID and -scecret, that you have to generate using [your App Dashboard on Facebook](https://developers.facebook.com/apps "You can generate your own apps on your App Dashboard")!_
183
184 ## More to come...
185
186 This short article does not show, how to save the retrieved user-profiles in your user-database, if you need that.
187 I hope, I will write a follow-up on that soon.
188 In short:
189 pac4j creates a Spring-Security `UserDetails`-Instance for every user, that was authenticated against it.
190 You can use this, to access the data in the retrieved user-profile (for example to write out the name of the user in a greeting or contact him via e-mail).