Facebook Connect Integration With Spring Security 3.x

Facebook Connect is so popular that nowadays almost all web applications on the internet use it to let their potential users bring their pre-built social networking structure over to their own systems. Our new social-networking-based project at work is no exception, and since we use Spring 3.x as the main framework of the project, we as a team have spent some time integrating Facebook Connect into Spring Security (F.K.A. Acegi Security). As a nice side effect, I decided to extract this integration from our in-house project and rearranged its structure so I can share it with you in an easier and more convenient way.

In sharing this experiment with Facebook Connect, I assume that you already know, or are ready to investigate, the Facebook Connect API and Spring Security. You can find a significant amount of information about Spring Security in its official documentation http://static.springsource.org/spring-security/site/ and about Facebook Connect in its own documentation wiki http://wiki.developers.facebook.com/index.php/Facebook_Connect

As you know, Spring’s solution for securing web applications is an implementation of the core security API across a stack of a few servlet filters. Because HTTP is a stateless protocol, Spring keeps track of authentication and authorization across requests with the help of browser session cookies and does some magic behind the scenes to keep your resources secure. For a bird’s-eye view of Spring Security, see the UML sequence diagram published here https://twiki.auscope.org/twiki/pub/Grid/AuScopePortalSecurity/PortalAuthorisation_details.jpg . Another resource for understanding Spring Security is section 5.4 of the official technical documentation http://static.springsource.org/spring-security/site/docs/3.0.x/reference/technical-overview.html#tech-intro-web-authentication .

OK, you say shut up. So let’s do some stuff.

The integration code can be obtained from http://code.google.com/p/spring-security-facebook . You can check out the code with svn as shown below.

~$ svn checkout http://spring-security-facebook.googlecode.com/svn/trunk/ spring-security-facebook-read-only

This is a Maven project, so once you enter the project directory you can type

~$PROJECT_HOME$ mvn install

After the build completes, you can use the library in your Spring project by declaring the dependency in your own project’s pom file. It’s something like:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-facebook</artifactId>
    <version>1.0.0-ALPHA</version>
</dependency>

You must also have the facebook-java-api dependency in your pom file. You can find more information about this API here http://code.google.com/p/facebook-java-api . Our library uses it to talk to the Facebook Connect API.

<dependency>
    <groupId>com.google.code.facebookapi</groupId>
    <artifactId>facebook-java-api</artifactId>
    <version>2.1.1</version>
</dependency>

Now you’re ready to go with the real stuff. Instead of trying to explain how to use this library, I prepared a sample web application. IMHO it’s the best way for you Spring users to understand how the library integrates the Facebook Connect API with Spring Security, because it would take too much time to go through all the details here. But for you as Spring users, I can provide the minimal Spring application context file here to show how clean it is to configure the integration.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:http entry-point-ref="authenticaionEntryPoint">
        <security:intercept-url pattern="/static/login*/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/static/secure*/**" access="ROLE_FACEBOOK_USER" />
        <security:logout logout-success-url="/static/index.html" />
        <security:custom-filter before="FORM_LOGIN_FILTER" ref="facebookAuthenticationFilter" />
    </security:http>

    <bean id="authenticaionEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/static/login.html" />
    </bean>

    <bean id="facebookAuthenticationFilter" class="org.springframework.security.facebook.FacebookAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationSuccessHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
                <property name="defaultTargetUrl" value="/static/secure.html" />
                <property name="alwaysUseDefaultTargetUrl" value="true" />
            </bean>
        </property>
        <property name="authenticationFailureHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <property name="defaultFailureUrl" value="/static/login.html" />
            </bean>
        </property>
    </bean>

    <bean id="authenticationProvider" class="org.springframework.security.facebook.FacebookAuthenticationProvider">
        <property name="roles" value="ROLE_FACEBOOK_USER" />
    </bean>

    <bean id="facebookHelper" class="org.springframework.security.facebook.FacebookHelper">
        <property name="apiKey" value="YOUR_API_KEY" />
        <property name="secret" value="YOUR_SECRET" />
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="authenticationProvider" />
    </security:authentication-manager>

</beans>

You can download the sample web project here: http://code.google.com/p/spring-security-facebook/downloads/detail?name=spring-security-facebook-web.zip

You can browse project details here: http://code.google.com/p/spring-security-facebook/

This is a hot new blog entry written late at night. If anything is broken, I’ll try to fix it ASAP.

Also, if you intend to contribute to the code, you’re welcome. Please contact me.

Hope this helps.
