I'm trying to implement OpenId in Spring Security by following the tutorial here , but I can't seem to get it to work. When I test my implementation, it seems to discover the URL for the OpenId provider, but it never redirects me to the login page for that provider. Instead I get returned to my login page with my "You have entered an invalid username or password!" error.
Here's what my logger says when I try to login with, say, coraythan@aol.com:
[qtp760167714-19] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://aol.com/
[qtp760167714-19] WARN org.apache.http.client.protocol.ResponseProcessCookies - Cookie rejected: "[version: 0][name: JSESSIONID][value: C326ACEE663C4C976739D4E51A500DA7][domain: www.aol.com][path: /aol][expiry: null]". Illegal path attribute "/aol". Path of origin: "/"
[qtp760167714-19] WARN org.apache.http.client.protocol.ResponseProcessCookies - Cookie rejected: "[version: 0][name: JSESSIONID][value: D07CE2D83B0A58663C6EAA557FCFAD14][domain: www.aol.com][path: /aol][expiry: null]". Illegal path attribute "/aol". Path of origin: "/"
The second time I try it logs a different thing to the console:
[qtp760167714-21] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://aol.com/
[qtp760167714-21] INFO org.openid4java.util.HttpCache - Returning cached HEAD response for http://aol.com/
[qtp760167714-21] INFO org.openid4java.util.HttpCache - Returning cached GET response for http://aol.com/
[qtp760167714-21] INFO org.openid4java.util.HttpCache - Returning cached GET response for https://api.screenname.aol.com/auth/openid/xrds
Trying it with a myOpenid account give slightly different messages:
[qtp760167714-16] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://coraythan.myopenid.com/
And the second time:
[qtp1540619773-25] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://coraythan.myopenid.com/
[qtp1540619773-25] INFO org.openid4java.util.HttpCache - Returning cached HEAD response for http://coraythan.myopenid.com/
[qtp1540619773-25] INFO org.openid4java.util.HttpCache - Returning cached GET response for http://coraythan.myopenid.com/?xrds=1
Using the "google login" option gives the same sort of issue. It looks identical to what I see from OpenId, but with google stuff instead.
Strangely, trying to login with a yahoo e-mail is even worse because throws a stack trace! The stacktrace seems to be thrown from OpenId4Java (the backing openid implementation used by Spring Security Openid).
For a yahoo e-mail some of what the stack trace looks like is:
[qtp665820578-23] INFO org.openid4java.discovery.Discovery - Starting discovery on URL identifier: http://yahoo.com/
2013-03-02 18:58:27.060:WARN:oejs.ServletHandler:Error for /j_spring_openid_security_check
java.lang.NoClassDefFoundError: org/cyberneko/html/HTMLTagBalancingListener
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:421)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:383)
at org.openid4java.discovery.yadis.CyberNekoDOMYadisHtmlParser.parseDocument(CyberNekoDOMYadisHtmlParser.java:99)
at org.openid4java.discovery.yadis.CyberNekoDOMYadisHtmlParser.getHtmlMeta(CyberNekoDOMYadisHtmlParser.java:42)
at org.openid4java.discovery.yadis.YadisResolver.getHtmlMeta(YadisResolver.java:325)
at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:453)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:252)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
at org.springframework.security.openid.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:103)
at org.springframework.security.openid.OpenIDAuthenticationFilter.attemptAuthentication(OpenIDAuthenticationFilter.java:123)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
[...]
Caused by:
java.lang.ClassNotFoundException: org.cyberneko.html.HTMLTagBalancingListener
at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass(SelfFirstStrategy.java:50)
at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:244)
at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:230)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:430)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:383)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:791)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:421)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:383)
at org.openid4java.discovery.yadis.CyberNekoDOMYadisHtmlParser.parseDocument(CyberNekoDOMYadisHtmlParser.java:99)
at org.openid4java.discovery.yadis.CyberNekoDOMYadisHtmlParser.getHtmlMeta(CyberNekoDOMYadisHtmlParser.java:42)
at org.openid4java.discovery.yadis.YadisResolver.getHtmlMeta(YadisResolver.java:325)
at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:453)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:252)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
at org.springframework.security.openid.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:103)
at org.springframework.security.openid.OpenIDAuthenticationFilter.attemptAuthentication(OpenIDAuthenticationFilter.java:123)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
Here's my spring security xml:
<!-- This is where we configure Spring-Security -->
<security:http auto-config="true" access-denied-page="/accessDenied">
<!-- TODO fix all these URLs open to anyone -->
<security:intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/logout" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/accessDenied" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/VAADIN/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- Admin only URLs -->
<security:intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
<!-- Logged in User only URLs -->
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/endpoint/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/game/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:openid-login
login-page="/"
authentication-failure-url="/?error=true"
default-target-url="/game" />
<security:logout
invalidate-session="true"
logout-success-url="/"
logout-url="/logout" />
</security:http>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<security:authentication-manager>
<security:authentication-provider
user-service-ref="userDetailsService">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the
database -->
<bean
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
id="passwordEncoder" />
<!-- An in-memory list of users. No need to access an external database
layer. See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
<!-- john's password is admin, while jane;s password is user -->
<security:user-service id="userDetailsService">
<!-- user name is based on the returned OpenID identifier from Google -->
<security:user
name="https://www.google.com/accounts/o8/id?id=AItxxioJSDLFJLjxcksdfjOpAASDFosSSoJ0E"
password="" authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
I have the following servlet mapping and spring security filters in my web.xml:
<!-- spring gets everything else -->
<servlet-mapping>
<servlet-name>springServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
If there's any other information I can provide, I'd be glad to! I really want to get this working, but I'm not sure what I'm doing wrong.
Thank you!
The OpenID sample that comes with Spring Security is probably a better starting point and is customized for both Google and Yahoo.
To get it running, checkout out the source using git
git clone git://github.com/SpringSource/spring-security.git
Then it should be as simple as installing gradle and running the following commands.
cd spring-security
gradle build
cd samples/openid
gradle jettyRun
Pointing your browser at http://localhost:8080/openid
should then give you the OpenID selector UI to choose the provider you want to authenticate with.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.