Anil Saldhana is the Lead Identity Management Architect at JBoss. He blogs at http://anil-identity.blogspot.com

JBossAS7: Social Login using Facebook Connect / Google OpenID Authentication

03.20.2012

Background

There is no denying that social media is growing by leaps and bounds, and the concept of social login has prevailed. Facebook and Google have become the holders of user identity information and can serve as the secure gateway into your web applications. Facebook and Google users are part of what is called "Consumer Identity".

In this article, we will look at a simple web application from the PicketLink Social Project that helps you visualize adding Facebook Connect / Google Authentication to your web applications. We will use the fast, free and awesome JBoss Application Server v7 as the runtime.

What is needed?

You will need to get hold of:

  • JBoss Application Server v7.1 (at the time of writing, v7.1.1.Final was the latest).
  • The self-contained picketlink-reg.war (attached below).
  • If you want Facebook integration for your application, a test app created in the Facebook Developer Console.

Steps to follow

  1. Follow the JBoss AS7 user guide to extract the server. It is mainly just unzipping a zip archive.
  2. Copy the attached picketlink-reg.war to the standalone/deployments directory of JBoss AS7.
  3. Make configuration changes to standalone/configuration/standalone.xml to add a security domain and a set of system properties.
  4. Start JBoss AS7 in standalone mode.
  5. Test the web application.


Configuration Changes to be made in standalone.xml

TIP:  I attached my "standalone.xml" to this article.

Define a security domain called "external_auth":

<subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
        <security-domain name="external_auth" cache-type="default">
            <authentication>
                <login-module code="org.picketlink.social.auth.ExternalAuthLoginModule" flag="required"/>
            </authentication>
        </security-domain>
        <security-domain name="other" cache-type="default">
            <!-- the existing "other" security domain continues unchanged -->

What I have done is insert a block of security domain configuration inside the security subsystem configuration, before the security domain "other".


Define a set of system properties:

</extensions>

<system-properties>
    <property name="CLIENT_ID" value="Insert_your_client_id"/>
    <property name="CLIENT_SECRET" value="Insert_your_client_secret"/>
</system-properties>

<management>
    <security-realms>

We have defined a system-properties block between the end of the extensions block and the beginning of the management block. See the wiki article on JBoss AS7 System Properties for more information.


Note that I am assuming that your app is deployed on localhost. If the domain is different, then you have to define an additional system property called "RETURN_URL" with a value such as "http://thedomain/picketlink-reg/auth" (replace thedomain with your actual host name).
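The following servlet context listener is an added example, not code from the article or from PicketLink. It fails the deployment early when CLIENT_ID or CLIENT_SECRET is missing or still carries the placeholder value from the standalone.xml snippet above, and, when RETURN_URL is set, checks that it is an absolute http(s) URL pointing back into this web application. It assumes a Servlet 3.0 container (JBoss AS7 qualifies), that the class is packaged inside the same WAR, and that JBoss AS7 exposes the standalone.xml system properties as JVM system properties (it does); the package name is hypothetical.

```java
package example; // hypothetical package, not part of picketlink-reg.war

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

/**
 * Fails the deployment if the social-login system properties from
 * standalone.xml are missing or still hold the placeholder values.
 * Added example; not part of the article or of PicketLink.
 */
@WebListener
public class SocialLoginConfigCheck implements ServletContextListener {

    // Placeholder values exactly as they appear in the article's standalone.xml snippet.
    private static final List<String> PLACEHOLDERS =
            Arrays.asList("Insert_your_client_id", "Insert_your_client_secret");

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        requireRealValue("CLIENT_ID");
        requireRealValue("CLIENT_SECRET");
        checkReturnUrl(sce.getServletContext().getContextPath());
        // Only the outcome is logged, never the property values themselves.
        sce.getServletContext().log("Social login configuration check passed");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /** A property must be present, non-empty and not one of the placeholder strings. */
    static String requireRealValue(String name) {
        String value = System.getProperty(name);
        if (value == null || value.trim().isEmpty() || PLACEHOLDERS.contains(value)) {
            throw new IllegalStateException("System property " + name
                    + " is not set or still holds the placeholder from standalone.xml");
        }
        return value;
    }

    /**
     * RETURN_URL is optional (the article defaults to localhost). When set, it must be
     * an absolute http(s) URL whose path lies inside this web application, so the
     * identity provider can only send the browser back to our own callback.
     */
    static void checkReturnUrl(String contextPath) {
        String value = System.getProperty("RETURN_URL");
        if (value == null) {
            return;
        }
        URL url;
        try {
            url = new URL(value);
        } catch (MalformedURLException e) {
            throw new IllegalStateException("RETURN_URL is not a valid URL: " + value, e);
        }
        String scheme = url.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            throw new IllegalStateException("RETURN_URL must use http or https: " + value);
        }
        // e.g. contextPath "/picketlink-reg" and RETURN_URL path "/picketlink-reg/auth"
        if (!url.getPath().startsWith(contextPath + "/")) {
            throw new IllegalStateException("RETURN_URL " + value
                    + " does not point into this application (" + contextPath + ")");
        }
    }
}
```

Drop the class into WEB-INF/classes of the WAR; with Servlet 3.0 annotation scanning no web.xml entry is needed. An exception thrown from contextInitialized makes JBoss AS7 fail the deployment, which is preferable to serving a login page whose redirects point at the wrong host or use a placeholder client id.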

How to test the web application?

You can go to http://localhost:8080/picketlink-reg/

Now you can log in using either Facebook Connect or Google Authentication.

Note that the attached web application just outputs the name and email address of the authenticated user. You can obtain more information if desired by changing the configuration settings.

What changes are needed to make a web application use Facebook Connect or Google Authentication as its authentication mechanism?

You will need to configure the ExternalAuthenticator in WEB-INF/jboss-web.xml. Look at how the attached picketlink-reg.war application does it.

Attachments

picketlink-reg.war is available at http://dl.dropbox.com/u/20060733/picketlink-reg.war

My standalone.xml is attached to this article.  You will need to change the client id and client secret.


How do I get hold of the authenticated principal?

In your web code, you can always call httpRequest.getUserPrincipal() to get an instance of java.security.Principal, which will be a FacebookPrincipal or an OpenIdPrincipal with the relevant information inside.

FacebookPrincipal is defined in the source: http://anonsvn.jboss.org/repos/picketlink/social/trunk/facebook/src/main/java/org/picketlink/social/facebook/FacebookPrincipal.java

OpenIdPrincipal is defined in the source: http://anonsvn.jboss.org/repos/picketlink/social/trunk/openid/src/main/java/org/picketlink/social/openid/OpenIdPrincipal.java

This principal instance is also available from the HttpSession under the key PRINCIPAL.

Take a look at the HttpSession object for the various other attributes that are stored.
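As an added example (not code from the article or from PicketLink), the servlet below retrieves the authenticated principal the way described above, reports which provider it came from using only the two fully qualified class names linked above, and checks that the PRINCIPAL session attribute agrees with the request principal. It relies only on the Servlet 3.0 API; the /whoami mapping and the package name are assumptions.

```java
package example; // hypothetical package, not part of picketlink-reg.war

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Reports the principal established by the external (Facebook / Google) authentication.
 * Added example; the /whoami mapping is an assumption, not part of picketlink-reg.war.
 */
@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    // Fully qualified names of the principal classes linked in the article.
    static final String FACEBOOK_PRINCIPAL = "org.picketlink.social.facebook.FacebookPrincipal";
    static final String OPENID_PRINCIPAL = "org.picketlink.social.openid.OpenIdPrincipal";

    // Session key under which the authenticator also stores the principal, per the article.
    static final String SESSION_KEY = "PRINCIPAL";

    /** Maps the concrete principal class to a provider label; "unknown" for anything else. */
    static String providerOf(Principal p) {
        if (p == null) {
            return "none";
        }
        String cls = p.getClass().getName();
        if (FACEBOOK_PRINCIPAL.equals(cls)) {
            return "facebook";
        }
        if (OPENID_PRINCIPAL.equals(cls)) {
            return "google-openid";
        }
        return "unknown";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            // Not authenticated: reveal nothing and do not create a session.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getSession(false) avoids creating a session as a side effect of this lookup.
        HttpSession session = req.getSession(false);
        Object fromSession = session == null ? null : session.getAttribute(SESSION_KEY);
        boolean consistent = fromSession != null && principal.equals(fromSession);

        // Plain-text output: the principal name is provider-supplied data, so it is
        // deliberately not written into HTML here.
        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("provider: " + providerOf(principal));
        out.println("name: " + principal.getName());
        out.println("session attribute " + SESSION_KEY
                + " matches request principal: " + consistent);
    }
}
```

Because the servlet only uses java.security.Principal, it compiles without the PicketLink Social jars on the classpath; the provider is identified by class name rather than by an instanceof check, which is enough for a diagnostic page.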


Troubleshooting

In the Facebook Developer Console, under your app's settings, go to Edit Settings -> Website and set:

  • Site URL: the URL of your web application.
  • Site Domain: the domain of your web application (if testing locally, you can specify localhost).

Demo

I have the same web application running in Red Hat's OpenShift PaaS environment. OpenShift Express is a free cloud service that can host Java web applications.

Demo Application is at http://sso-anilsaldhana.rhcloud.com/picketlink-reg/

Published at DZone with permission of its author, Anil Saldhana.
