Dealing with OpenId(5)Spring Security and OpenId Work together

最新推荐文章于 2025-12-17 19:02:04 发布
原创 最新推荐文章于 2025-12-17 19:02:04 发布 · 182 阅读 · 0 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#java #数据库 #git

Dealing with OpenId(5)Spring Security and OpenId Work together

1. The Spring Security Version
<properties>
<spring.version>3.1.1.RELEASE</spring.version>
<spring-security.version>3.1.0.M2</spring-security.version>
</properties>
...snip...
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.openid4java</groupId>
<artifactId>openid4java-nodeps</artifactId>
<version>0.9.6</version>
</dependency>

2. My spring security configuration file security-context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:authentication-manager>
<security:authentication-provider ref="openidAuthenticationProvider" />
<security:authentication-provider ref="authenticationProvider" />
</security:authentication-manager>
<bean id="openidAuthenticationProvider" class="org.springframework.security.openid.OpenIDAuthenticationProvider">
<property name="userDetailsService" ref="registeringUserService" />
</bean>
<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="registeringUserService" />
</bean>
<security:http pattern="/openidlogin.jsp*" security="none"/>
<security:http pattern="/images/*" security="none" />
<security:http pattern="/css/*" security="none" />
<security:http pattern="/js/*" security="none" />
<security:debug />
<security:http access-denied-page="/denied.jsp" use-expressions="true">
<security:form-login login-processing-url="/j_spring_security_check" login-page="/openidlogin.jsp" authentication-failure-url="/openidlogin.jsp?login_error=true"/>
<security:intercept-url pattern="/index.jsp" access="permitAll" />
<security:intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/super/**" access="hasRole('ROLE_SUPERVISOR')" />
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/**" access="denyAll" />
<security:logout
invalidate-session="true"
logout-success-url="/openidlogin.jsp"
logout-url="/j_spring_security_logout"/>
<security:openid-login
user-service-ref="registeringUserService"
authentication-failure-url="/openidlogin.jsp?login_error=true"
default-target-url="/index.jsp">
<security:attribute-exchange identifier-match="https://www.google.com/.*">
<security:openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" />
<security:openid-attribute name="firstName" type="http://axschema.org/namePerson/first" required="true" />
<security:openid-attribute name="lastName" type="http://axschema.org/namePerson/last" required="true" />
</security:attribute-exchange>
<security:attribute-exchange identifier-match=".*yahoo.com.*">
<security:openid-attribute name="email" type="http://axschema.org/contact/email" required="true"/>
<security:openid-attribute name="fullname" type="http://axschema.org/namePerson" required="true" />
</security:attribute-exchange>
<security:attribute-exchange identifier-match=".*myopenid.com.*">
<security:openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true"/>
<security:openid-attribute name="fullname" type="http://schema.openid.net/namePerson" required="true" />
</security:attribute-exchange>
</security:openid-login>
</security:http>

<bean id="registeringUserService" class="com.sillycat.easyopenidgoogle.service.OpenIdUserDetailsService" />

3. My java source code for load the userdetail by username and email from openid
I just add some mock codes here, if I want, I can get to a database or XML file to do that.
package com.sillycat.easyopenidgoogle.service;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.openid.OpenIDAttribute;
import org.springframework.security.openid.OpenIDAuthenticationToken;

import com.sillycat.easyopenidgoogle.model.GoogleUser;
import com.sillycat.easyopenidgoogle.model.UserAuthority;
import com.sillycat.easyopenidgoogle.model.UserRole;

public class OpenIdUserDetailsService implements UserDetailsService,
AuthenticationUserDetailsService<OpenIDAuthenticationToken> {

private final Map<String, GoogleUser> registeredUsers = new HashMap<String, GoogleUser>();

public UserDetails loadUserDetails(OpenIDAuthenticationToken openIDToken)
throws UsernameNotFoundException {
String id = openIDToken.getIdentityUrl();
System.out.println("identy = " + id);
String email = null;
String firstName = null;
String lastName = null;
String fullName = null;
List<OpenIDAttribute> attributes = openIDToken.getAttributes();
for (OpenIDAttribute attribute : attributes) {
if (attribute.getName().equals("email")) {
email = attribute.getValues().get(0);
System.out.println("email = " + email);
}
if (attribute.getName().equals("firstName")) {
firstName = attribute.getValues().get(0);
System.out.println("firstName = " + firstName);
}
if (attribute.getName().equals("lastName")) {
lastName = attribute.getValues().get(0);
System.out.println("lastName = " + lastName);
}
if (attribute.getName().equals("fullname")) {
fullName = attribute.getValues().get(0);
System.out.println("fullName = " + fullName);
}
}
GoogleUser user = new GoogleUser();
user.setUsername(email);

UserRole userRole = new UserRole();
UserAuthority userAuthority = new UserAuthority();
userAuthority.setAuthorityAlias("Access the main page!");
userAuthority.setAuthorityName("ROLE_USER");
userRole.getRoleAuthorities().add(userAuthority);
user.getUserRoles().add(userRole);
registeredUsers.put(id, user);
return user;
}

public UserDetails loadUserByUsername(String id)
throws UsernameNotFoundException {
GoogleUser user = registeredUsers.get(id);
if (id == null) {
throw new UsernameNotFoundException(id);
}
if (user == null) {
user = new GoogleUser();
user.setUsername(id);
user.setPassword("111111");

UserRole userRole = new UserRole();
UserAuthority userAuthority = new UserAuthority();
userAuthority.setAuthorityAlias("Access the main page!");
userAuthority.setAuthorityName("ROLE_USER");
userRole.getRoleAuthorities().add(userAuthority);
user.getUserRoles().add(userRole);
}
return user;
}
}

That is it. I only need 2 forms to login:
<form name="f1" action="j_spring_openid_security_check" method="POST">
<table>
<tr>
<td>OpenID Identity:</td>
<td><input type='text' name='openid_identifier' value='https://www.google.com/accounts/o8/id'/></td></tr>
<tr><td colspan='2'><input name="submit" type="submit"></td></tr>
<tr><td colspan='2'><input name="reset" type="reset"></td></tr>
</table>
</form>

<form name="f2" action="j_spring_security_check" method="POST">
<table>
<tr>
<td>User Name:</td>
<td><input id="j_username" type='text' name='j_username' style="width:150px" /></td>
</tr>
<tr>
<td>Password: </td>
<td><input id="j_password" type='password' name='j_password' style="width:150px" /></td>
</tr>
<tr><td colspan='2'><input name="submit" type="submit"></td></tr>
<tr><td colspan='2'><input name="reset" type="reset"></td></tr>
</table>
</form>

references:
http://http.git.springsource.org/greenhouse/greenhouse.git
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity-single.html#ns-openid
http://forum.springsource.org/showthread.php?113699-How-to-have-both-an-openid-login-and-a-form-login-side-by-side
处理不均衡数据(Dealing with imbalanced data)简洁版
Microstrong
05-01 2288
(1)想办法获取更多的数据。前段时期的数据,较多呈现红色部分的数据较少呈现蓝色部分的数据;后半时期,产生数据的趋势发生变化,较多呈现蓝色部分数据较少呈现红色部分数据。所以,想办法获取更多的数据。(2)换个评判方式通常我们会用精度(Accuracy)和错误率(error)来评价模型的好坏。这两个指标在数据不均衡时,均不能客观的衡量模型。解决办法:通过Confusion Matrix,计算查准率(Pr...
Spring Security 学习之OpenID认证
weixin_34062469的博客
02-13 1099
一、前言OpenID是一个以用户为中心的数字身份识别框架,它具有开放、分散、自由等特性.登录一个支持 OpenID 的网站非常简单(即便你是第一次访问这个网站也是一样)。 只需要输入你注册好的 OpenID 用户名,然后你登录的网站会跳转到你的 OpenID 服务网站, 在你的 OpenID 服务网站输入密码(或者其它需要填写的信息)验证通过后, 你会回到登录的网站并且已经成...
基于Spring Boot,Security和JWB的REST接口的无状态认证
西涛offbye-移动全栈技术博客
08-11 6594
Stateless Spring Security Part 2: Stateless Authentication Posted on October 6, 2014 by Robbert van Waveren This second part of the Stateless Spring Security series is about exploring me
Data Security and Privacy数据安全与隐私重要知识点
weixin_45012798的博客
08-16 5013
因为Symmetric Key Encryption Scheme比Public Key Encryption Scheme更加高效,从长远来看可以更快加密Message。为什么不直接使用Public Key Encryption Scheme对Message进行加密,而要用两种模式混合在一起?最常用:AES (Advanced Encryption Standard)后三个过程与Security有关。
Springsecurity之模块描述
weixin_34415923的博客
09-01 386
2019独角兽企业重金招聘Python工程师标准>>> ...
在Html5中仿Matlab自定义色带生成实践
夜郎King的博客
03-10 7997
文章主要讲解如何在Html5中生成类似Matlab的色带应用,通过本文您可以熟悉并掌握生成方法,为下一步进行gis的空间自定义分类制图打下颜色制图的基础。
Spring官方文档(中文版!!!)
热门推荐
li1376417539的博客
03-18 9万+
本文档是对spring官方文档的解读,原文档参见Spring官方文档 ,本人只是翻译和整理,由于水平有限,部分解读可能不正确,欢迎提出更好的意见和建议或者与我一起完成本次挑战!网页版移步我的临时网页 Git传送门 1 Spring综述 1.1 jdk环境依赖 从Spring Framework 5.1开始,Spring需要JDK 8+ (Java SE 8+),并提供对JDK 11 LTS的开箱...
学习 iOS Application Security 需要注意的一些点
Meditation
10-17 3444
http://highaltitudehacks.com/ 0. 基础环境 iPhone 5s 64bit iOS 8.1 已越狱 1. mobileTerminal 使用 源 http://cydia.angelxwind.net 的版本;vim 版本7.1-3p,不要升级到7.3-1; 2. dyld: Library not loaded: /usr/lib/libpcre.0.dyl...
Spring 框架参考文档()-Integration之Remoting and web services using Spring
xiangjai的专栏
12-31 1401
Spring 框架参考文档()-The Web之WebSocket 支持 Part VI. Integration This part of the reference documentation covers the Spring Framework’s integration with a number of Java EE (and re
building restful web services with spring 5 2e
04-27
Building RESTful Web Services with Spring 5 – Second Edition: Leverage the power of Spring 5.0, Java SE 9, and Spring Boot 2.0 Find out how to implement the REST architecture to build resilient ...
Dealing with stress.doc
03-09
"Dealing With Stress" 这个主题的工作坊就是为此而设,旨在帮助参与者理解和管理他们面临的压力。 首先,我们要理解压力的来源。在大学生活中,学生面临的主要压力源包括: 1. **学术压力**:大学课程繁重,报告...
八年级英语Dealing with troublePPT课件.pptx
10-07
这篇PPT课件是针对八年级英语教学的内容,主题为“应对困难”(Dealing with trouble)。通过一系列的填空练习和情景模拟,旨在帮助学生掌握如何在不同情况下正确处理问题,尤其是面对紧急情况时的应对策略。以下是...
An appraisal of some recent evidence dealing with the mental health of black children and adolescents, and its implications for school psychologists and guidance counselors
06-29
An appraisal of some recent evidence dealing with the mental health of black children and adolescents, and its implications for school psychologists and guidance counselors AN APPRAISAL OF SOME ...
Dealing with Undesirable Outputs in DEA: A Slacks-based Measure(SBM) Approach
04-10
在进行数据包络分析(Data Envelopment Analysis, DEA)研究时,经常需要面对的问题之一是如何处理非期望产出(undesirable outputs)。传统DEA模型在处理生产效率分析时通常假设决策单元(Decision Making Units, ...
XML Schema 日期/时间 数据类型
csbysj2020的博客
12-11 551
datedateTimetimegYeargYearMonthgDaygMonthgMonthDayduration这些数据类型分别表示不同的日期和时间范围,适用于不同的应用场景。本文介绍了 XML Schema 中日期/时间数据类型的相关概念、类型、格式以及注意事项。通过了解这些知识,有助于我们在 XML 文档中正确地表示日期和时间数据,提高数据的一致性和准确性。
车载系统应用开发集成系统API
yangyulong0622的博客
12-16 195
车载开发中,为了快速迭代常将系统应用剥离为普通应用开发,但调用系统API时反射效率低。解决方法是通过集成framework.jar,但会遇到编译报错问题。通用方案是在gradle中配置bootstrapClasspath引入jar包。当使用高版本JDK时,必须强制指定模块使用JDK8并关闭lint检查才能生效。关键步骤:先加载jar包到工程,再设置模块JDK版本为1.8。
JAVA设计模式之观察者模式
最新发布
pingguocu3的博客
12-17 250
在我们开发的过程中,经常会遇到一些当什么什么事情发生的时候,然后做什么什么事。比如某种商品的物价上涨时会导致部分商家高兴,而消费者伤心。平台声明:文章内容(如有图片或视频亦包括在内)由作者上传并发布,文章内容仅代表作者本人观点,简书系信息发布平台,仅提供信息存储服务。著作权归作者所有,转载或内容合作请联系作者。
MyBatis-Plus 单元测试中 Lambda Mock 的坑与解决
qq_43657722的博客
12-17 1088
本文总结了 MyBatis-Plus 在单元测试中使用 LambdaWrapper 时常见的 Lambda 缓存异常问题,分析其根源在于 Mock 环境缺失真实上下文。通过精简示例说明为何 any(LambdaWrapper.class) 易出错,并给出使用 any() 的稳定解决方案,强调单元测试应聚焦业务逻辑、避免过度关注 SQL 与 Lambda 细节。
命令执行漏洞 (RCE) 渗透测试实战指南
weixin_45631123的博客
12-15 322
Burp Suite 或 OWASP ZAP 抓包工具、授权测试环境。:Burp Collaborator 或公网DNS服务器。:Java Web应用,可注入Java代码。:安装ysoserial工具、Java环境。:安装Commix、Python3环境。:识别表单输入点(如登录框):无回显但命令执行成功时。:确认RCE漏洞存在。
For security constraints with url
08-24
### URL Security Constraints and Best Practices When addressing security constraints related to URLs, it's essential to consider several aspects, including how URLs are structured, how they interact with web applications, and the potential vulnerabilities they might expose. Below is a detailed overview of key constraints and best practices: #### URL Structure and Redirection One of the best practices for URL management is to ensure that your web framework gracefully handles trailing slashes. Most web frameworks provide an option to redirect users to either the trailed or untrailed version of a URL. Activating this feature helps maintain a consistent URL structure, which can prevent duplicate content issues and improve SEO. Additionally, using query strings for filtering and pagination is a recommended practice, as it allows for dynamic content delivery without altering the main URL structure [^1]. #### Security Concerns URLs can also introduce security concerns, particularly when dealing with cookies and session management. One significant issue is ambient authority, where cookies can be misused for authentication purposes. This problem arises because the naming resource and the authentication process can be decoupled, leading to potential security breaches. Another critical concern is session stealing, where an attacker can hijack a user's session by obtaining their session cookie. To mitigate these risks, it's crucial to implement encryption and integrity protection mechanisms, such as HTTPS, to secure the communication between the client and server [^2]. #### Input Validation and Sanitization Another important aspect of URL security is input validation and sanitization. When constructing URLs, especially those that include user-provided data, it's vital to validate and sanitize any inputs to prevent injection attacks, such as SQL injection or cross-site scripting (XSS). Proper validation ensures that only expected and safe data is processed, reducing the risk of malicious activity. #### Secure Query Parameters When using query strings for filtering and pagination, it's essential to handle the parameters securely. Highly separated fields, which are fields with a high degree of uniqueness, can be optimized for query performance by indexing them independently. However, it's important to balance this optimization with the potential impact on table writing efficiency, as too many indexes can slow down write operations. For large tables, following best practices for indexing, such as those provided by iDB Cloud, can help maintain optimal performance while ensuring security [^4]. #### Historical Context and SQL Development Understanding the historical context of SQL development can also provide insights into modern security practices. Oracle, the first commercially available SQL DBMS, played a significant role in shaping the SQL landscape. Early implementations of SQL were far from Codd's original ideas, and key features like referential integrity and nested queries in the `FROM` clause took many years to become standard. This evolution highlights the importance of staying updated with the latest security standards and best practices, as the technology and threats continue to evolve [^5]. ### Code Example: Secure URL Handling in a Web Application Here is an example of how to handle URL redirection and query string parameters securely in a web application using Python and Flask: ```python from flask import Flask, redirect, url_for, request, escape app = Flask(__name__) @app.route('/redirect') def handle_redirect(): # Safely redirect to a URL with a trailing slash if not request.path.endswith('/'): return redirect(url_for(request.endpoint, **request.view_args), code=301) return "Redirected successfully" @app.route('/search') def search(): # Securely handle query parameters query = escape(request.args.get('q', '')) page = int(escape(request.args.get('page', '1'))) # Perform search logic here return f"Searching for '{query}' on page {page}" if __name__ == '__main__': app.run(ssl_context='adhoc') # Enable HTTPS for secure communication ``` In this example, the `handle_redirect` function ensures that URLs are consistently formatted with a trailing slash, while the `search` function securely processes query parameters using the `escape` function to prevent XSS attacks. The application also runs with an ad-hoc SSL context to enable HTTPS, which is crucial for securing the communication between the client and server. ### Summary By following best practices such as ensuring consistent URL structures, validating and sanitizing inputs, handling query parameters securely, and implementing encryption and integrity protection, developers can significantly enhance the security of their web applications. Staying informed about the historical context and evolving standards in web development can also help in making informed decisions about security practices.
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值