
spring-social-security's Introduction

About Spring-Social-Security

Many applications using Spring Security for authentication will need to

  • Ask users to sign up using a username and password.
  • Create their own user details store and data access objects
  • Provide account management (e.g. forgotten-password functionality)
  • Provide access control for protected resources

For applications which already use spring-social to connect with external authenticated APIs (e.g. Facebook, Twitter), SocialSignIn's spring-social-security module removes these authentication concerns by delegating authentication in Spring Security, via spring-social, to the third-party API. Authenticating your website users via spring-social API providers means:

  • No need for users to remember another password for another site.
  • No need for developers to create their own user details store, as the store used by spring-social is used instead.
  • No need for developers to provide account management as this is provided by the third party api.
  • Provider-specific roles are granted to users on the basis of their connected providers, allowing a fine-grained permissioning model.

For simple "Hello World" apps demonstrating spring-social-security see:

Also see JavaDoc for Spring Social Security for API docs.


Spring-Social-Security Quickstart

Adding Spring-Social-Security to a Spring-Social web application

  • Add repository and dependency to your project
    <repositories>
       <repository>
          <id>opensourceagility-releases</id>
          <url>http://repo.opensourceagility.com/releases</url>
       </repository>
    </repositories>
    <dependency>
       <groupId>org.socialsignin</groupId>
       <artifactId>spring-social-security</artifactId>
       <version>1.0.2.RELEASE</version>
    </dependency>
  • Component-scan for spring-social-security components in both your application context and in your MVC context
    <context:component-scan base-package="org.socialsignin.springsocial.security" />
  • Configure your Spring Security setup with a SpringSocialSecurityAuthenticationFilter in place of the form-login filter
    <http auto-config="false">
        <custom-filter position="FORM_LOGIN_FILTER" ref="springSocialSecurityAuthenticationFilter" />
    </http>
  • Create a page in your webapp (example) which contains all the SocialSignIn buttons for login and which submits to spring-social's ProviderSignInController (default URLs are "/signup/[providerid]"). Create an entry point in your security configuration for this page and set it as the entry-point-ref on your security config.
    <bean id="springSocialSecurityEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/sociallogin"/>
    </bean>
    <http auto-config="false" entry-point-ref="springSocialSecurityEntryPoint">
        <custom-filter position="FORM_LOGIN_FILTER" ref="springSocialSecurityAuthenticationFilter" />
    </http>

Configuring your application for Sign-Up/Sign-In

  • Configure ProviderSignInController with "/authenticate" as the postSignInUrl (the default URL for the SpringSocialSecurityAuthenticationFilter) and set its signUpUrl to "/signup" (the default URL of SpringSocialSecuritySignUpController)
    <bean class="org.springframework.social.connect.web.ProviderSignInController">
        <property name="signUpUrl" value="/signup" />
        <property name="postSignInUrl" value="/authenticate" />
    </bean>
  • Create a view in your webapp that handles the choice of username by a user. This view will be served by SpringSocialSecuritySignUpController under the default URL "/signup" and will need to post the username back to this "/signup" URL (example)

  • Set the following environment properties in your application

socialsignin.signUpView=(name of your choose username view)
socialsignin.defaultAuthenticationSuccessUrl=(url to send users after login)
  • Optionally, configure your UsersConnectionRepository with SpringSocialSecurityConnectionSignUp to allow local account creation and username selection to happen implicitly where possible, based on the connection details from the 3rd-party provider
    <bean id="usersConnectionRepository"
          class="org.springframework.social.connect.jdbc.JdbcUsersConnectionRepository">
        <constructor-arg ref="dataSource" />
        <constructor-arg ref="connectionFactoryRegistry" />
        <constructor-arg ref="textEncryptor" />
        <property name="connectionSignUp" ref="springSocialSecurityConnectionSignUp" />
    </bean>

Enabling further connection options for logged-in users

  • Spring Social's ConnectController allows users who have logged in with one provider to connect with another 3rd-party provider. spring-social-security performs two functions to support this use-case with ConnectController through the use of ConnectInterceptors. These interceptors:
      • Ensure that no other local user has previously connected using this provider account, as the 3rd-party connection is used as the means of uniquely identifying a user.
      • Amend the user's authorisation so they are granted provider-specific roles according to the set of providers they have connected with.
  • To enable this functionality:
      • Create a subclass of SpringSocialSecurityConnectInterceptor for each provider you wish your users to be able to connect with once they are logged in.
        import org.springframework.social.twitter.api.Twitter;

        // One interceptor per provider; the generic parameter is the provider's API type.
        public class TwitterConnectInterceptor extends
                SpringSocialSecurityConnectInterceptor<Twitter> {

        }
      • Register these connect interceptors with ConnectController
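The registration step above, as an added example that is not part of the spring-social-security README. It wires the TwitterConnectInterceptor subclass into Spring Social's ConnectController in the MVC context so that both checks described above (rejecting a provider account already connected by another local user, and re-granting provider-specific roles) run on every connect. The bean ids connectionFactoryLocator, connectionRepository and twitterConnectInterceptor, and the com.example package, are assumed names; the connectInterceptors property corresponds to ConnectController's setConnectInterceptors method.

```xml
<!-- Added example (not from the spring-social-security README).
     Assumed bean ids: connectionFactoryLocator, connectionRepository.
     Assumed package for the user-written interceptor subclass: com.example. -->
<bean id="twitterConnectInterceptor"
      class="com.example.TwitterConnectInterceptor" />

<bean class="org.springframework.social.connect.web.ConnectController">
    <constructor-arg ref="connectionFactoryLocator" />
    <constructor-arg ref="connectionRepository" />
    <!-- Without these interceptors ConnectController will happily attach a
         provider account that another local user already owns, which breaks
         the "one provider account = one local user" identity assumption. -->
    <property name="connectInterceptors">
        <list>
            <ref bean="twitterConnectInterceptor" />
        </list>
    </property>
</bean>
```

Add one `<ref>` per provider you created a SpringSocialSecurityConnectInterceptor subclass for; a provider without a registered interceptor is connectable but neither check runs for it.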

Protecting resources using Spring Social Security

  • To protect resources in your application, simply add intercept-urls to your security config as normal
    <intercept-url pattern="/protected/*" access="hasRole('ROLE_USER')" />
  • If you wish to take advantage of the provider-specific roles that are granted to users of a spring-social-security app, you can protect URLs with rules such as
    <intercept-url pattern="/protected/twitter" access="hasRole('ROLE_USER_TWITTER')" />
  • To enable provider-specific access-denied handling, add SpringSocialSecurityAccessDeniedHandler to your security setup
    <access-denied-handler ref="springSocialSecurityAccessDeniedHandler"/>

This handler will attempt to determine a provider which the user needs to connect with to be granted access to provider-protected resources; if this can be determined, the user will be directed to the spring-social provider-specific connection view. To set a default access-denied URL for the case where it can't be determined, set the following property in your application.

socialsignin.defaultAccessDeniedUrl=
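The Quickstart and the resource-protection steps above assembled into one `<http>` element, as an added example that is not taken from the spring-social-security README. The springSocialSecurityAuthenticationFilter and springSocialSecurityAccessDeniedHandler beans are the ones picked up by the library's component scan; springSocialSecurityEntryPoint is the LoginUrlAuthenticationEntryPoint bean from the Quickstart. The `/sociallogin`, `/signup`, `/authenticate` and `/protected/**` paths are the defaults named on this page; the `/logout` URL and the deny-by-default `/**` rule are this example's own assumptions. The `<authentication-manager>` element that the Spring Security namespace requires is outside this fragment, as is the socialsignin.defaultAccessDeniedUrl property, which lives in your application's property file.

```xml
<!-- Added example, not from the spring-social-security README.
     use-expressions="true" is required for the hasRole('...') syntax. -->
<http auto-config="false" use-expressions="true"
      entry-point-ref="springSocialSecurityEntryPoint">

    <!-- Unauthenticated users must be able to reach the social login page,
         the sign-in/sign-up endpoints and the username-selection view;
         otherwise the entry point redirects back to a page it cannot serve. -->
    <intercept-url pattern="/sociallogin" access="permitAll" />
    <intercept-url pattern="/signup" access="permitAll" />
    <intercept-url pattern="/signup/**" access="permitAll" />
    <intercept-url pattern="/authenticate" access="permitAll" />

    <!-- Most specific rule first: only users who have connected Twitter. -->
    <intercept-url pattern="/protected/twitter" access="hasRole('ROLE_USER_TWITTER')" />
    <!-- Any user authenticated through spring-social-security. -->
    <intercept-url pattern="/protected/**" access="hasRole('ROLE_USER')" />
    <!-- Assumed deny-by-default for everything else; widen per path as needed. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- spring-social-security's filter replaces the form-login filter. -->
    <custom-filter position="FORM_LOGIN_FILTER"
                   ref="springSocialSecurityAuthenticationFilter" />

    <!-- Sends a ROLE_USER who lacks ROLE_USER_TWITTER to the Twitter connect
         view instead of a bare 403, when the missing provider can be determined. -->
    <access-denied-handler ref="springSocialSecurityAccessDeniedHandler" />

    <logout logout-url="/logout" />
</http>
```

Order matters: Spring Security evaluates `<intercept-url>` rules top to bottom and applies the first match, so the provider-specific rule must precede the broader `/protected/**` rule or ROLE_USER would be sufficient for `/protected/twitter`.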

spring-social-security's People

Contributors: michaellavelle, cgorshing
