Integrating Web Application with OpenID using Spring Security

>> Apr 17, 2013

Overview
During the course of this article, I will lay out the steps for integrating a web application with Spring Security, using OpenID as the authentication mechanism and Spring MVC as the web framework. (This article expects that the reader has some knowledge of Spring MVC, Spring Security, Maven and Tomcat.)

In detail

Step1: Create a Web Application
I have used NetBeans IDE 7.3 and Tomcat 7. To create a project, choose File - New Project - Java Web - Web Application - ProjectName - Server - Spring MVC. Since I am using Maven, add a pom file to the project. Make sure you have the basic structure of the application in place before moving ahead. You can create a web application based on the framework of your choice.

Step2: Add Spring Security to it
I have three pages:
1. Login - open for all
2. landing - user with ROLE_USER access
3. Admin - user with ROLE_ADMIN access

In spring-security.xml:

  
  
  
  
       
   
        



   




  

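Step3: Change web.xml

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security.xml,
        /WEB-INF/applicationContext.xml
    </param-value>
</context-param>

<servlet>
    <servlet-name>AppSecurityDis</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>AppSecurityDis</servlet-name>
    <url-pattern>/apps/*</url-pattern>
</servlet-mapping>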
Step4: Add controller code to handle request 
1. AppController.java
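import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/main")
public class AppController {

    // Landing page, for users with ROLE_USER access.
    @RequestMapping(value = "/landing", method = RequestMethod.GET)
    public String getCommonPage() {
        return "landingpage";
    }

    // Admin page, for users with ROLE_ADMIN access.
    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public String getAdminPage() {
        return "adminpage";
    }
}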
2. SecurityController.java
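import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
@RequestMapping("/secure")
public class SecurityController {

    // Renders the login page; shows a message when the request carries error=true.
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String getLoginPage(@RequestParam(value = "error", required = false) boolean error,
            ModelMap model) {
        if (error) {
            model.put("error", "Please enter valid username or password!");
        } else {
            model.put("error", "");
        }

        return "loginpage";
    }
}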
Step5: Add code to AppSecurityDis-servlet

 
 

Step6: Add Controller package to applicationContext.xml
Step7: Add code to loginpage.jsp


Welcome to App Security


Login to AppSecurity

${error}
For Google users:

OR If you have OpenID Login with OpenID:
For adminpage.jsp and landingpage.jsp, you can add code as per your requirements.
Step8: Compile and Deploy it.
Once deployed, access it at "http://localhost:8080/AppSecurity/apps/secure/login". You will get two options to log in. If the credentials are valid and match the username value, you should be able to view the landing page.

Step9: Moving it to database
Create the following tables in the MySQL database.
CREATE TABLE `users` (
  `USER_ID` int(10) unsigned NOT NULL,
  `USERNAME` varchar(145) NOT NULL,
  `PASSWORD` varchar(45) DEFAULT NULL,
  `ENABLED` tinyint(1) NOT NULL,
  PRIMARY KEY (`USER_ID`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `user_roles` (
  `USER_ROLE_ID` int(10) unsigned NOT NULL,
  `USER_ID` int(10) NOT NULL,
  `AUTHORITY` varchar(45) NOT NULL,
  PRIMARY KEY (`USER_ROLE_ID`),
  KEY `FK_user_roles` (`USER_ID`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Add these records to the users and user_roles tables:

101, https://www.google.com/accounts/o8/id?id=AItOawm3ktMIUIGaqDzhyeZsK_amZ4paBhJN8kA, , 1

1, 101, ROLE_USER
2, 101, ROLE_ADMIN
BTW, this username "https://www.google.com/accounts/o8/id?id=AItxxioJSDLFJLjxcksdfjOpAASDFosSSoJ0E" is mine. You need to change it to your ID, and you can track it as written above.

Add spring-database.xml in the WEB-INF folder:


 
  
  
  
  
 

Add this to web.xml as well.
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-database.xml,
        /WEB-INF/spring-security.xml,
        /WEB-INF/applicationContext.xml
    </param-value>
</context-param>
Step10/Step2a: Make changes in spring-security file.
This is still a workaround and should be part of a UserDetailsService class, which I will implement in the next blog post. Make sure you comment out the code written in Step 2 and replace it with the new one.

   
 
       
  
 
Recompile and run it again. You should be able to log in using the new changes in the database.
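Step 10 notes that this lookup belongs in a UserDetailsService. One way to write it against the Step 9 tables, as an added example that is not the author's code: the class name OpenIdUserDetailsService is hypothetical, and a DataSource bean (such as one defined in spring-database.xml) is assumed.

```java
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical class (not from the original post): loads an OpenID user from the Step 9 tables.
public class OpenIdUserDetailsService implements UserDetailsService {

    // utf8 columns compare case-insensitively by default in MySQL, so BINARY forces an
    // exact match on the identifier URL; disabled accounts are never returned.
    private static final String USER_SQL =
            "SELECT USER_ID FROM users WHERE USERNAME = ? AND BINARY USERNAME = ? AND ENABLED = 1";
    private static final String ROLES_SQL =
            "SELECT AUTHORITY FROM user_roles WHERE USER_ID = ?";

    private final JdbcTemplate jdbc;

    public OpenIdUserDetailsService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public UserDetails loadUserByUsername(String openId) throws UsernameNotFoundException {
        List<Long> ids = jdbc.queryForList(USER_SQL, Long.class, openId, openId);
        // USERNAME has no UNIQUE constraint in the schema, so reject ambiguous matches too.
        if (ids.size() != 1) {
            throw new UsernameNotFoundException("OpenID identifier is not registered or not enabled");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : jdbc.queryForList(ROLES_SQL, String.class, ids.get(0))) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        if (authorities.isEmpty()) {
            throw new UsernameNotFoundException("OpenID identifier has no granted authorities");
        }
        // PASSWORD is NULL for OpenID users and User rejects a null password, so a fixed
        // placeholder is passed; the OpenID provider, not this value, authenticates the user.
        return new User(openId, "unused", true, true, true, true, authorities);
    }
}
```

Register the class as a bean and point the OpenID login configuration at it with user-service-ref.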

3 comments:

Abhishek Chavan Apr 18, 2013, 9:44:00 AM  

Would love to get my hands on the Code. Maybe on Github I hope.

Sandeep Gupta Apr 18, 2013, 10:36:00 AM  

My next target is to integrate with other ID providers like Yahoo and WordPress. I have tested it with MyOpenID and Google.

Adil Sandalwala Sep 19, 2013, 3:39:00 AM  

Thanks for the post. It helped a lot. I was wondering how do you get to know the OpenId that you have registered in the user-service section in spring-security.xml?
In my webapp, I want to use the gmail authentication but want to allow only a few users. So I am planning to add all the allowed users to the xml file. The issue is in getting the OpenId. In your case:"AItxxioJSDLFJLjxcksdfjOpAASDFosSSoJ0E".
How do you get your hands on this id?
