RESTful Mobile Client Authentication Through Spring MVC

I am trying to figure out the best way to protect my Spring MVC controllers (which only use JSON). I have looked through many questions (e.g. RESTful Authentication via Spring). Although my problem seems to be a fairly common one, I did not find a specific answer for it.

Requirements:

  • All messages are made from mobile clients (Android / iPhone) using JSON.
  • The user can log in using Facebook (client-side authentication using the Facebook SDK), which means that there is no password to send to the server.
  • BASIC authentication is not needed because there is no password, and I would prefer the client to be logical enough.
  • IMPORTANT: there is no registration screen, because I want to make things easy for my users. When a user logs in (Facebook / email), the server creates the user "on the fly" in the database. In the Facebook case I do not ask the user anything, because he has already authenticated with the Facebook SDK locally; in the email case, the server asks the user to enter their password, because they could be using someone else's email.

I'm particularly trying to implement step 4. I will probably use Spring Security, since my server already uses Spring to a large extent.

+4
1 answer

We are doing something similar to #4 on one of our webapps. Basically, the process is:

1) Create (or override, for FacebookApiAdapter) the setConnectionValues method.

2) Take the email (or whatever you use for internal usernames) from the Facebook profile.

3) Create a new Auth token:

UsernamePasswordAuthenticationToken newAuth = new UsernamePasswordAuthenticationToken(user, "yourrealm",authorities); 

where user is your internal user type and authorities is a Set (hint: just add entries created with new SimpleGrantedAuthority).

4) Set the new authentication token in the Spring SecurityContext:

SecurityContextHolder.getContext().setAuthentication(newAuth);

You can then use the usual Spring Security configuration to protect things by ROLE, as long as the new token carries that role in its set of authorities.
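The four steps above, put together as an added example (this is not the answerer's code or the question's project). It assumes two hypothetical interfaces, FacebookTokenVerifier and UserRepository, standing in for the server-side token check and the user store; the Spring Security classes (UsernamePasswordAuthenticationToken, SimpleGrantedAuthority, SecurityContextHolder) are real. The one thing added beyond the steps is that the email is resolved from the Facebook access token on the server rather than taken from the client's JSON body, so the "on the fly" user creation cannot be driven by a claimed email.

```java
// Added example: "on the fly" Facebook login following the answer's steps 2-4.
// FacebookTokenVerifier and UserRepository are hypothetical placeholders.
import java.util.Collections;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class FacebookLoginController {

    /** Hypothetical: checks the access token with Facebook and returns the email it belongs to. */
    public interface FacebookTokenVerifier {
        Optional<String> emailForToken(String accessToken);
    }

    /** Hypothetical: the application's own user store. */
    public interface UserRepository {
        Optional<AppUser> findByEmail(String email);
        AppUser create(String email);   // created "on the fly", no registration screen
    }

    /** Minimal internal user type; this is the principal placed in the token. */
    public static final class AppUser {
        private final String email;
        private final Set<String> roles;

        public AppUser(String email, Set<String> roles) {
            this.email = email;
            this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }
        public String getEmail() { return email; }
        public Set<String> getRoles() { return roles; }
    }

    /** JSON body sent by the mobile client: only the Facebook access token, never the email. */
    public static final class LoginRequest {
        public String accessToken;
    }

    private final FacebookTokenVerifier verifier;
    private final UserRepository users;

    public FacebookLoginController(FacebookTokenVerifier verifier, UserRepository users) {
        this.verifier = verifier;
        this.users = users;
    }

    @PostMapping("/login/facebook")
    public ResponseEntity<Void> login(@RequestBody LoginRequest req) {
        // Step 2: take the email from the Facebook side, resolved server-side from the token.
        Optional<String> email = verifier.emailForToken(req.accessToken);
        if (!email.isPresent()) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        AppUser user = users.findByEmail(email.get())
                            .orElseGet(() -> users.create(email.get()));

        // Step 3: build the authorities set and the token. The three-argument
        // constructor marks the token as authenticated; no password is involved.
        Set<GrantedAuthority> authorities = new HashSet<>();
        for (String role : user.getRoles()) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        Authentication newAuth =
            new UsernamePasswordAuthenticationToken(user, "facebook", authorities);

        // Step 4: install the token in the security context for this request.
        SecurityContextHolder.getContext().setAuthentication(newAuth);
        return ResponseEntity.ok().build();
    }

    /** Protected by role, exactly as the answer's last paragraph describes. */
    @PreAuthorize("hasRole('USER')")
    @GetMapping("/me")
    public String me() {
        AppUser user = (AppUser) SecurityContextHolder.getContext()
                                                      .getAuthentication().getPrincipal();
        return user.getEmail();
    }
}
```

Two things to keep in mind when using this. SecurityContextHolder is per-thread, so the authentication set in step 4 only outlives the login request if the context is persisted (by default Spring Security saves it to the HTTP session when the call happens inside the filter chain, so the mobile client must keep the session cookie) or if the server issues its own token that later requests present. And @PreAuthorize only takes effect with method security enabled in the configuration (EnableGlobalMethodSecurity with prePostEnabled, or the equivalent in newer versions); the hasRole('USER') check expects the authority string to be ROLE_USER.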

+2