实现社交媒体登录弹簧安全

Question

我使用Spring 3和spring安全。我正在整合社交账户，例如Facebook，Twitter和Google。我在那里使用javascript sdk版本，但我的问题是我可以注册一个用户，但我不知道如何验证它们。

例如：

当用户点击任何新的对话框打开验证成功后我可以得到他们的基本个人资料详细信息链接（在Facebook，Twitter的，谷歌）的：电子邮件，ID，姓名，图像和我使用ajax将所有这些信息传递给我的控制器，如果用户尚未注册，则调用service和dao来保存用户。

直到这里一切工作正常。我使用用户ID并使用salt对它们进行加密并将其作为密码保存到数据库中（我不确定这是否是正确的方式来处理它）但现在我的困惑是如何验证用户并允许他们登录到系统。

我的security.xml文件

<?xml version="1.0" encoding="UTF-8"?> 
<beans:beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns="http://www.springframework.org/schema/security" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
         http://www.springframework.org/schema/beans/spring-beans-3.2.xsd 
         http://www.springframework.org/schema/security 
         http://www.springframework.org/schema/security/spring-security-3.2.xsd"> 

    <!-- Configuration for master level user login --> 
    <http auto-config="true" use-expressions="true" 
     disable-url-rewriting="true"> 
     <!-- <csrf /> --> 
     <headers> 
      <cache-control /> 
      <content-type-options /> 
      <hsts /> 
      <frame-options /> 
      <xss-protection /> 
     </headers> 
     <!-- requires-channel="https" --> 
     <intercept-url pattern="/favicon.ico" access="permitAll" /> 
     <intercept-url pattern="/login*" access="permitAll" /> 
     <intercept-url pattern="/login/facebook-login*" access="permitAll" /> 
     <intercept-url pattern="/validateUserCredentials*" 
      access="permitAll" /> 
     <intercept-url pattern="/register*" access="permitAll" /> 
     <intercept-url pattern="/activation*" access="permitAll" /> 
     <intercept-url pattern="/restore*" access="permitAll" /> 
     <intercept-url pattern="/resend*" access="permitAll" /> 
     <intercept-url pattern="/resources/**" access="permitAll" /> 
     <intercept-url pattern="/license*" 
      access="hasAnyRole('${role.admin}', '${role.master}')" /> 
     <intercept-url pattern="/**" 
      access="hasAnyRole('${role.admin}', '${role.master}', '${role.owner}', '${role.simple}')" /> 
     <access-denied-handler error-page="/denied" /> 
     <form-login login-page="/login" default-target-url="/logged" 
      authentication-failure-url="/loginfailed" login-processing-url="/j_spring_security_check" /> 
     <logout logout-success-url="/login" invalidate-session="true" 
      delete-cookies="JSESSIONID,SPRING_SECURITY_REMEMBER_ME_COOKIE" /> 
     <session-management session-fixation-protection="migrateSession"> 
      <concurrency-control error-if-maximum-exceeded="true" 
       max-sessions="1" expired-url="/login" /> 
     </session-management> 
     <remember-me token-validity-seconds="86400" /> 
    </http> 

    <authentication-manager alias="authenticationManager"> 
     <authentication-provider ref="daoAuthenticationProvider" /> 
    </authentication-manager> 

    <beans:bean id="daoAuthenticationProvider" 
     class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> 
     <beans:property name="userDetailsService" ref="userDetailsService" /> 
     <beans:property name="saltSource" ref="saltSource" /> 
     <beans:property name="passwordEncoder" ref="passwordEncoder" /> 
    </beans:bean> 

    <beans:bean id="passwordEncoder" 
     class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" /> 

    <beans:bean id="saltSource" 
     class="org.springframework.security.authentication.dao.ReflectionSaltSource"> 
     <beans:property name="userPropertyToUse" value="salt" /> 
    </beans:bean> 

    <beans:bean id="userDetailsService" name="userAuthenticationProvider" 
     class="com.luffy.security.AuthenticationUserDetailService"> 
    </beans:bean> 
</beans:beans> 

任何帮助将不胜感激。我尽我所能解决了这个问题，但我无法找出任何可靠的解决方案。

Answer 1

假设您正在实施Facebook身份验证。

解决方案（1）：

在从Facebook成功的响应，你可以调用服务器API与Facebook用户凭证，如用户名/电子邮件和OAuth的access_token更新认证表。

$.post('api/fblogin', {access_token: accessToken}, function(response) {}); 

解决方案（2）： 自定义安全处理程序。在这里，您可以向Facebook发起您的自定义HTTP请求，并在成功完成后允许用户访问该网站。

import java.util.*; 
import javax.servlet.http.HttpServletRequest; 
import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.security.authentication.*; 
import org.springframework.security.core.*; 
import org.springframework.stereotype.Component; 
import com.restfb.*;; 

@Component 
public class CustomAuthenticationProvider implements AuthenticationProvider { 
    private @Autowired HttpServletRequest request; 

    @Override 
    public Authentication authenticate(Authentication authentication) { 
     String fb_access_token = String.valueOf(request.getParameter("fb_access_token")); 

     //fb user 
     Authentication auth = null; 
     try { 
      FacebookClient fbClient = new DefaultFacebookClient(fb_access_token); 
      User user = fbClient.fetchObject("me",com.restfb.types.User.class); 
      String email = user.getEmail(); 
      String gender = user.getGender(); 
      String pic = "http://graph.facebook.com/" + user.getId() + "/picture?type=normal"; 
      //Your DB implementation 

     } catch (Exception e) { 
      throw new FacebookOAuthException("FB","OAuth",5002, null, null, "", ""); 
     }  
    } 
} 

弹簧security.xml文件

<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security"> 
     <authentication-provider ref="customAuthenticationProvider" > 
     </authentication-provider> 
</authentication-manager> 

<bean id="customAuthenticationProvider" class="com.mi.common.CustomAuthenticationProvider"/>