Authentication with Spring oAuth2.0

Question

I want to authenticate users on my website by facebook/twitter accounts. But in spring examples, spring ask me to login first, and only after that, when user already has a role, I can connect to facebook and get some data. Even if there are no permissions at facebookData controller ( intercept-url pattern="/**" access="permitAll" ) spring redirects me to the login page.

• Does it mean, that OpenAuth can't be used for authentication anonymouse user?

My spring-security:

    <http use-expressions="true">
        <form-login login-page="/login" />
        <intercept-url pattern="/**" access="permitAll" />
        <logout />
        <custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER" />
    </http>
    <oauth:client id="oauth2ClientFilter" />

<oauth:resource id="facebook" type="authorization_code" client-id="..." client-secret="..." authentication-scheme="query"
    access-token-uri="https://graph.facebook.com/oauth/access_token" user-authorization-uri="https://www.facebook.com/dialog/oauth" token-name="oauth_token" client-authentication-scheme="form" scope="email"/>

<bean id="facebookController" class="org.springframework.security.oauth.examples.tonr.mvc.FacebookController" />

<oauth:rest-template resource="facebook" id="fasebookRestTemplate">
    <property name="messageConverters">
        <list>
            <bean class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter">
                <property name="supportedMediaTypes">
                    <list>
                        <bean class="org.springframework.http.MediaType">
                            <!--facebook sends its json as text/javascript for some reason -->
                            <constructor-arg value="text" />
                            <constructor-arg value="javascript" />
                        </bean>
                        <bean class="org.springframework.http.MediaType">
                            <constructor-arg value="application" />
                            <constructor-arg value="json" />
                        </bean>
                    </list>
                </property>
            </bean>
        </list>
    </property>
</oauth:rest-template>

And facebook controller:

@Autowired
private RestOperations facebookRestTemplate;

@RequestMapping("/facebook/info")
public String photos(Model model) throws Exception {

    ObjectNode resultNode = facebookRestTemplate.getForObject("https://graph.facebook.com/me/friends", ObjectNode.class);
    ArrayNode data = (ArrayNode) resultNode.get("data");
    ArrayList<String> friends = new ArrayList<String>();
    for (JsonNode dataNode : data) {
        friends.add(dataNode.get("name").getTextValue());
    }
    model.addAttribute("friends", friends);
    return "facebook";
}

Answer 1

There is a cool library that does exactly this: https://github.com/socialsignin/spring-social-security

I have successfully made use of it - where all the user has to do is connect to Facebook to get authenticated. To create a new user upon the very first connect, you simply extend SpringSocialSecurityConnectionSignUp , overriding the execute method. The Github page explains nicely what you need to do. It also has some sample projects which are really useful as well.

The project is in Maven. Have fun!