I am developing the server side for a mobile application as per below:
- I'm using the Spring MVC framework and I have already implemented BASIC AUTHENTICATION for RESTful requests (using JSON) as per the code below.
<?xml version="1.0" encoding="UTF-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint" use-expressions="true">
<security:intercept-url pattern="/restful" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/restful/*" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/login" access="permitAll"/>
<security:custom-filter ref="myFilter" after="BASIC_AUTH_FILTER"/>
<!-- <security:logout /> -->
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
user-service-ref="daoUserService">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<bean id="restAuthenticationEntryPoint" class="com.bp_gae.utils.RestAuthenticationEntryPoint">
</bean>
<bean id="myFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationEntryPoint" ref="restAuthenticationEntryPoint" />
</bean>
<bean
id="passwordEncoder"
class="com.bp_gae.utils.AppPasswordEncoder" />
<bean
id="daoUserService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property
name="dataSource"
ref="dataSource" />
<property
name="enableGroups"
value="false" />
<property
name="enableAuthorities"
value="true" />
<property name="usersByUsernameQuery">
<value>
select username,password, 1
from users
where username = ?
</value>
</property>
<property name="authoritiesByUsernameQuery">
<value>
select username,authority
from users c,
user_roles cp
where c.user_id = cp.user_id
and c.username = ?
</value>
</property>
</bean>
</beans>
So the mobile client sends username and password in every request and a check in the DB is done to determine whether he can have access to protected resources. There are no sessions created. The new requirement is to integrate Facebook authentication:
1) The mobile user signs in and authenticates on the client side and sends the authentication token to the server.
2) The server should get the user's Facebook details using that token (check whether this token is valid against Facebook) using the app-id and app-secret from the FB app I've created. I am using Spring Social for that purpose.
3) All protected resources are accessible after either Basic or Facebook successful auth.
4) I already have a Users table in the DB (username, email, password) and I'm thinking of creating another one with SocialUsers (email, token) and doing some matching between them to link the same users.
I am not sure how to get both authentication methods working in my security.xml file.
- Do I have to set up another filter for Social Auth?
- In that case, how can I use both filters?
Any suggestions / sample code welcome!
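One way to run both mechanisms in the same stateless filter chain is a second filter that only acts when the request carries a Facebook access token and otherwise passes the request on untouched, so Basic requests still reach the existing BasicAuthenticationFilter. The class below is an added example written for this question, not code from the question or from Spring Social; the header name `X-Facebook-Token`, the `SocialUserLookup` interface (standing in for the proposed SocialUsers table) and the `com.bp_gae.utils` package are assumptions. The Spring Security and Spring Social calls (`GenericFilterBean`, `FacebookTemplate`, `userOperations().getUserProfile()`, `SocialException`) are the ones shipped with Spring Security 3.1 and Spring Social Facebook 1.0.

```java
package com.bp_gae.utils; // assumed package, matching the question's other beans

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.social.SocialException;
import org.springframework.social.facebook.api.Facebook;
import org.springframework.social.facebook.api.FacebookProfile;
import org.springframework.social.facebook.api.impl.FacebookTemplate;
import org.springframework.web.filter.GenericFilterBean;

/**
 * Authenticates a request from a Facebook access token sent by the mobile client.
 * Requests without the token are left alone so the Basic auth filter can handle them.
 */
public class FacebookTokenAuthenticationFilter extends GenericFilterBean {

    /** Header the mobile client puts the Facebook access token in (assumed name). */
    public static final String TOKEN_HEADER = "X-Facebook-Token";

    private final SocialUserLookup socialUsers;      // hypothetical: SocialUsers table -> local username
    private final UserDetailsService userDetailsService; // e.g. the existing daoUserService bean
    private final AuthenticationEntryPoint entryPoint;   // e.g. the existing restAuthenticationEntryPoint

    public FacebookTokenAuthenticationFilter(SocialUserLookup socialUsers,
            UserDetailsService userDetailsService, AuthenticationEntryPoint entryPoint) {
        this.socialUsers = socialUsers;
        this.userDetailsService = userDetailsService;
        this.entryPoint = entryPoint;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String token = request.getHeader(TOKEN_HEADER);

        // No Facebook token: fall through to the Basic auth filter registered after this one.
        if (token == null || token.trim().isEmpty()) {
            chain.doFilter(req, res);
            return;
        }

        try {
            Authentication auth = authenticate(token.trim());
            // create-session="stateless" means this context lives for this request only.
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (SocialException e) {
            // Facebook rejected the token (invalid, expired, revoked): answer 401 via the REST entry point.
            entryPoint.commence(request, response, new BadCredentialsException("Facebook token rejected", e));
            return;
        } catch (UsernameNotFoundException e) {
            // Token is valid but no local account is linked to it: treat as unauthenticated.
            entryPoint.commence(request, response, new BadCredentialsException("No linked local user", e));
            return;
        }
        chain.doFilter(req, res);
    }

    /** Validates the token by calling the Graph API with it and maps the profile to a local user. */
    Authentication authenticate(String accessToken) {
        Facebook facebook = new FacebookTemplate(accessToken);
        // An unusable token makes Spring Social throw a SocialException here.
        FacebookProfile profile = facebook.userOperations().getUserProfile();
        // Link by the Facebook id (stable) and the Facebook-reported email; never trust a client-supplied email.
        String username = socialUsers.findLocalUsername(profile.getId(), profile.getEmail());
        UserDetails user = userDetailsService.loadUserByUsername(username);
        // Authorities come from the existing authoritiesByUsernameQuery, so ROLE_USER rules keep working.
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    /** Hypothetical lookup against the SocialUsers table the question proposes. */
    public interface SocialUserLookup {
        /** Returns the local username linked to this Facebook user, or throws UsernameNotFoundException. */
        String findLocalUsername(String facebookId, String email);
    }
}
```

Wire it into the existing chain as a second custom filter placed ahead of the Basic one, for example `<security:custom-filter ref="facebookTokenFilter" before="BASIC_AUTH_FILTER"/>`, with the bean's three constructor arguments supplied through `<constructor-arg>` elements referencing `daoUserService`, `restAuthenticationEntryPoint` and your own `SocialUserLookup` implementation. Two caveats: the Graph call proves the token is live but not that it was issued to your app, so before trusting it for account linking the server should also confirm the token's app id through Facebook's `debug_token` endpoint using the `app-id|app-secret` app access token (a plain HTTP call, not shown above); and storing the raw token in the SocialUsers table, as proposed, means a database leak hands out working Facebook credentials, so store only the Facebook user id and look the token up per request as the filter does.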