"Seegrid will be due for a migration to confluence on the 1st of August. Any update on or after the 1st of August will NOT be migrated"

Managing OAuth2 Authentication (for Google)


See - https://twiki.auscope.org/wiki/Grid/AuScopePortalCoreOAuth2

Setting up VGL to use Google OAuth2 (authentication)

You'll need to be granted access to the VGL project via the google developers console - http://console.developers.google.com/ for any of this to work.

In the google developers console
  1. Enable Google+ API (under APIs and Auth)
  2. Under the APIs & Auth Credentials section:
    1. Under OAuth - copy down the client secret/id (you'll need this for your VGL OAuth beans)
    2. Under OAuth - edit settings enter in redirect URLs for the domains you wish to use (this is a whitelist).
  3. Under the APIs and Auth Consent Page enter in appropriate names, descriptions and logos to brand the consent page.
In the applicationContext-security.xml
  1. Create an instance of org.auscope.portal.core.server.security.oauth2.GoogleOAuth2ServiceProperties
    1. Enter clientID/clientSecret as discovered in the google console
    2. Setup a redirect URI as an FQDN + Path
  2. Create an instance of org.auscope.portal.core.server.security.oauth2.GoogleOAuth2UserDetailsLoader
    1. This will automatically extract the user details into PortalUser instances
    2. Just setup a default role to be assigned to all authenticated users
    3. Optionally setup an in memory map of additional user roles OR extend this class to lookup additional user roles from a store (eg: DB)
  3. Create an instance of com.racquettrack.security.oauth.DefaultOAuth2UserInfoProvider
    1. Shouldn't require extension unless you want override the communications between VGL and Google during OAuth token exchange
  4. Pull all the above instances together with a com.racquettrack.security.oauth.OAuth2UserDetailsService
  5. At this point you can just create the following beans to hook into spring security:
<http entry-point-ref="oAuth2EntryPoint">
    <intercept-url pattern="/secure/*" access="ROLE_USER"/>
    <custom-filter ref="oauth2AuthFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
    <logout logout-success-url="/gmap.html"/>

<beans:bean id="oAuth2EntryPoint" class="com.racquettrack.security.oauth.OAuth2AuthenticationEntryPoint">
    <beans:property name="oAuth2ServiceProperties" ref="oauth2ServiceProperties"/>

<beans:bean id="oauth2AuthFilter" class="com.racquettrack.security.oauth.OAuth2AuthenticationFilter">
    <beans:constructor-arg name="defaultFilterProcessesUrl" value="/oauth/callback"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="oAuth2ServiceProperties" ref="oauth2ServiceProperties"/>

<beans:bean id="oauth2AuthenticationProvider" class="com.racquettrack.security.oauth.OAuth2AuthenticationProvider">
    <beans:property name="authenticatedUserDetailsService" ref="oAuth2UserDetailsService"/>
    <beans:property name="oAuth2ServiceProperties" ref="oauth2ServiceProperties"/>

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="oauth2AuthenticationProvider">

Accessing PortalUser in Controllers

To enable easy access to the Authenticated PortalUser object in controller mapped methods there is an annotation provided by Spring: @AuthenticationPrincipal

public ModelAndView myHandler(@AuthenticationPrincipal PortalUser user) {
        if (user != null) {

To enable this annotation you will need to add the following to your annotationDispatcher-servlet.xml

    <bean class="org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver"/>    

-- JoshVote - 23 Jul 2014
Topic revision: r1 - 23 Jul 2014, JoshVote

Current license: All material on this collaboration platform is licensed under a Creative Commons Attribution 3.0 Australia Licence (CC BY 3.0).