Multiple Authentication Provider with Spring Security

Nowadays, websites need to provide multiple login options such as a custom login, an LDAP login, Facebook Connect or OpenID. For this purpose, Spring Security lets you set up multiple authentication providers.

The basic setup is easy, just add additional authentication providers:

A custom authentication provider such as the Facebook authentication provider sometimes requires a custom filter. The reason is that the standard user service checks for the request parameters j_username and j_password. With Facebook Connect, those parameters are not sent, so something else must be checked, such as a URL or similar.

The facebookAuthenticationFilter is a custom class, best implemented by extending AbstractAuthenticationProcessingFilter with the defaultFilterProcessesUrl set to something like /j_spring_facebook_security_check.
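The filter described above, as an added example (not code from the original post or from spring-security-facebook). It assumes Spring Security 3 on the classpath and that the Facebook Connect session cookies are named with the application's API key as prefix; FacebookAuthenticationToken and the apiKey constructor argument are hypothetical names.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

public class FacebookAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    private final String apiKey; // hypothetical: the Facebook application's API key
    public FacebookAuthenticationFilter(String apiKey) {
        super("/j_spring_facebook_security_check"); // only this URL triggers the filter
        this.apiKey = apiKey;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        // Assumption: Facebook Connect cookies are named with the API key as prefix.
        Map<String, String> session = new HashMap<String, String>();
        Cookie[] cookies = request.getCookies(); // null when the request has none
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if (cookies[i].getName().startsWith(apiKey)) {
                session.put(cookies[i].getName(), cookies[i].getValue());
            }
        }
        if (session.isEmpty()) {
            throw new BadCredentialsException("No Facebook session cookies in request");
        }
        // Cookies are client-controlled: the provider must verify them before trusting the user.
        return getAuthenticationManager().authenticate(new FacebookAuthenticationToken(session));
    }
}

// Hypothetical token type; the Facebook provider's supports() must accept it.
class FacebookAuthenticationToken extends AbstractAuthenticationToken {
    private final Map<String, String> session;
    FacebookAuthenticationToken(Map<String, String> session) {
        super(null); // no authorities; isAuthenticated() defaults to false
        this.session = session;
    }
    public Object getCredentials() { return session; }
    public Object getPrincipal() { return null; } // unknown until verified
}
```

The filter only collects the request data and delegates; the decision to trust the user belongs to the Facebook authentication provider registered with the authentication manager.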

Then change the on-login JavaScript code of the Facebook Connect button to redirect to the URL specified above:

Once the user clicks on the Facebook Connect button, the typical Facebook Connect user interface pops up. Upon successful login, the page is redirected to the Facebook login URL and from there automatically to the standard target page.

Facebook Connect Login with Spring Security

Kadir Pekel already described a procedure to integrate Facebook Connect in a blog entry. So here is just a quick summary of my experiences:

Dependency on Facebook Java API

Add a dependency on the Facebook Java API. This is easily done with Maven:

Spring Security Facebook

Download the code for spring-security-facebook and either integrate it into your project or build it into its own jar.

Spring Config and HTML

The only thing missing is to configure the Facebook security code in the Spring configuration files and the corresponding HTML code.

  • Adjust the Spring Config to have an additional authentication provider.
  • The Facebook On-Login function must redirect to the configured authentication URL, e.g. /j_spring_security_facebook.

Details on adding these things can be found in my description on Multiple Authentication Providers.

How to: Spring Webflow 2 and Spring Security 3

There have been recent discussions in the Spring Framework group about making Spring Security 3 work with Spring Webflow 2. Enabling it is quite easy when working with Maven; however, due to refactoring, not all Spring Webflow classes work (some result in a ClassNotFoundException).

Add the Spring Webflow and Spring Security dependencies with Maven

And the following dependencies (in addition to the spring framework dependencies or whatever you require):

Setup Spring Security

Set up Spring Security as you usually would. For example, start with something like this:

Webflow setup and custom class

Your webflow setup might be similar to the following:

This securityFlowExecutionListener is exactly the problem, as it will run into a runtime error due to classes that cannot be found. The solution is quite simple. First define the securityFlowExecutionListener as a reference to a custom bean:

The easiest way is to copy the class org.springframework.webflow.security.SecurityFlowExecutionListener and adjust it so that it compiles. For example, take the version from the Spring Jira issue.

Improve page speed

There are some rumors on the web that page rank might soon be influenced by the quality of the web page, including, among other factors, output compression and caching.

Additionally, users are not willing to wait for long responses, so quick delivery of a page is a must-have for any website.

mod_deflate

The Apache module mod_deflate offers options to compress the HTTP response. Some older browsers do not support compression under certain conditions (such as for CSS files or other external resources). There are also problems with PDF files in Internet Explorer, as the content is sent directly to the PDF reader instead of being decompressed first.

Enabling mod_deflate is quite easy, either directly in .htaccess or more generally in httpd.conf. The following is a valid example; see the mod_deflate documentation for further details:

mod_expires

Browser caching of external resources can improve the loading time of a web page and decrease server load. Browser caching should be used for static resources such as pictures, CSS files etc.

Enabling cache expiration can be done with the Apache module mod_expires, either with an entry in .htaccess or the server’s httpd.conf. Cache times need to be entered in seconds:
