Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to configure Spring 4.0 with spring boot and spring security openId

I'm trying to get a Spring 4.0 boot application up and running with Spring Security OpenId. I'm using the standard way to bootstrap a Spring boot app:

@Configuration
@ComponentScan("x.y.z")
@EnableAutoConfiguration
@Import({SecurityConfig.class})
public class ServiceRegistryStart extends SpringBootServletInitializer {

    public static void main(String[] args) {
        SpringApplication.run(ServiceRegistryStart.class, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        application.sources(getClass());
        return application;
    }
}

The SecurityConfig.class looks like this (Influenced by the "openid-jc sample project in Spring security):

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .openidLogin()
                .loginPage("/login.html")
                .permitAll()
                .authenticationUserDetailsService(new CustomUserDetailsService())
                .attributeExchange("https://www.google.com/.*")
                    .attribute("email")
                        .type("http://axschema.org/contact/email")
                        .required(true)
                        .and()
                    .attribute("firstname")
                        .type("http://axschema.org/namePerson/first")
                        .required(true)
                        .and()
                    .attribute("lastname")
                        .type("http://axschema.org/namePerson/last")
                        .required(true)
                        .and()
                    .and()
                .attributeExchange(".*yahoo.com.*")
                    .attribute("email")
                        .type("http://axschema.org/contact/email")
                        .required(true)
                        .and()
                    .attribute("fullname")
                        .type("http://axschema.org/namePerson")
                        .required(true)
                        .and()
                    .and()
                .attributeExchange(".*myopenid.com.*")
                    .attribute("email")
                        .type("http://schema.openid.net/contact/email")
                        .required(true)
                        .and()
                    .attribute("fullname")
                        .type("http://schema.openid.net/namePerson")
                        .required(true);
    }

    @Bean(name = "myAuthenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    class CustomUserDetailsService implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {

        @Override
        public UserDetails loadUserDetails(OpenIDAuthenticationToken token) throws UsernameNotFoundException {
            return new User(token.getName(), "", AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
    }
}

The login page looks like this:

<form id="googleLoginForm" action="/j_spring_openid_security_check" method="post">
    <h1>Login</h1>

    <input name="openid_identifier" type="hidden" value="https://www.google.com/accounts/o8/id"/>
    <input name="openid.ns.pape" type="hidden" value="http://specs.openid.net/extensions/pape/1.0"/>
    <input name="openid.pape.max_auth_age" type="hidden" value="0"/>

    <p>
        <input name="submit" value="Login using Google" type="submit"/>
    </p>
</form>

The problem is that the "/j_spring_openid_security_check" doesn't seem to exist. I think the problem is that I ought to extend from AbstractSecurityWebApplicationInitializer when using Spring Security but for boot I should use SpringBootServletInitializer. What's the best way to combine the two? The javadoc of SpringBootServletInitializer says that it registers a filter automatically when Spring Security is detected but it doesn't seem to work in this case.

like image 893
Johan Avatar asked Jan 20 '14 10:01

Johan


1 Answers

I actually managed to solve this. First off all I used Spring Boot to start an embedded container so I didn't need any WebApplicationInitializers. Secondly the post URL in the login page should point to "/login/openid" and thirdly I had to disable cross-site request forgery prevention in the security configuration using:

http.csrf().disable(). ..

in the configure method in the SecurityConfig class.

like image 128
Johan Avatar answered Nov 15 '22 07:11

Johan