开发者

Spring Security 3.0 Google Apps open id sign in using OpenID4Java

I try to sign in using Google Apps open id with OpenID4Java library.

I discover the user's service using the following code in the consumer class:


        try
        {
            discoveries = consumerManager.discover(identityUrl);
        }
        catch (DiscoveryException e)
        {
            throw new OpenIDConsumerException("Error during discovery", e);
        }

        DiscoveryInformation information = consumerManager.associate(discoveries);
        HttpSession session = req.getSession(true);
        session.setAttribute(DiscoveryInformation.class.getName(), information);
        AuthRequest authReq;

        try
        {
            authReq = consumerManager.authenticate(information, returnToUrl, realm);

            // check for OpenID Simple Registration request needed
            if (attributesByProvider != null || defaultAttributes != null) 
            {
                //I set the attributes needed for getting the email of the user
            }
        }
        catch (Exception e)
        {
            throw new OpenIDConsumerException("Error processing ConumerManager authentication", e);
        }

        return authReq.getDestinationUrl(true);

Next I get the parameters from the http request and in the openid.claimed_id property I receive "http://domain.com/openid?id=...." and if I try to verify the response consumerManager.verify(receivingURL.toString(), openidResp, discovered); an exception is thrown: org.openid4java.discovery.yadis.YadisException: 0x706: GET failed on http://domain.com/openid?id=... : 404:Not Found.

To avoid the exception I tried to modify the parameter list changing the value "http://domain.com/openid?id=...." to "https://www.google.com/a/domain.com/openid?id=...."


 // extract the receiving URL from the HTTP request
        StringBuffer    receivingURL = request.getRequestURL();
        String          queryString  = request.getQueryString();

        // extract the parameters from the authentication response
        // (which comes in as a HTTP request from the OpenID pro开发者_运维技巧vider)
        ParameterList        openidResp = new ParameterList(request.getParameterMap());
        Parameter endPoint = openidResp.getParameter("openid.op_endpoint"); 
        if (endPoint != null && endPoint.getValue().startsWith("https://www.google.com/a/"))
        {           
            Parameter parameter = openidResp.getParameter("openid.claimed_id");
            if (parameter != null)
            {
                String value = "https://www.google.com/a/" + parameter.getValue().replaceAll("http://", "");
                openidResp.set(new Parameter("openid.claimed_id", value));
                queryString = queryString.replaceAll("openid.claimed_id=http%3A%2F%2F", "openid.claimed_id=https%3A%2F%2Fwww.google.com%2Fa%2F");
            }
            parameter = openidResp.getParameter("openid.identity");
            if (parameter != null)
            {
                String value = "https://www.google.com/a/" + parameter.getValue().replaceAll("http://", "");
                openidResp.set(new Parameter("openid.identity", value));
                queryString = queryString.replaceAll("openid.claimed_id=http%3A%2F%2F", "openid.claimed_id=https%3A%2F%2Fwww.google.com%2Fa%2F");
            }
        }

        if ((queryString != null) && (queryString.length() > 0))
        {
            receivingURL.append("?").append(queryString);
        }

        // retrieve the previously stored discovery information
        DiscoveryInformation discovered = (DiscoveryInformation) request.getSession().getAttribute(DiscoveryInformation.class.getName());

        // verify the response
        VerificationResult verification;

        Map userDetails = new HashMap();

        try
        {
            verification = consumerManager.verify(receivingURL.toString(), openidResp, discovered);

            // check for OpenID Simple Registration request needed
            if (attributesByProvider != null || defaultAttributes != null)  
            {
                //Here I get the value of requested attributes 
            }
        }
        catch (Exception e)
        {
            throw new OpenIDConsumerException("Error verifying openid response", e);
        }

        // examine the verification result and extract the verified identifier
        Identifier                  verified = null;
        if (verification != null)
        {
            verified = verification.getVerifiedId();
        }
        OpenIDAuthenticationToken   returnToken;
        List       attributes = null;

        if (verified != null)
            returnToken =  new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.SUCCESS, verified.getIdentifier(), "some message", attributes);
        else
        {
            Identifier id = discovered.getClaimedIdentifier();
            return new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.FAILURE, id == null ? "Unknown" : id.getIdentifier(), "Verification status message: [" + verification.getStatusMsg() + "]", attributes);
        }

Now the method consumerManager.verify is not throwing anymore exception, but its status is changed to failed. In log the following errors appear


09:46:45,424 ERROR ConsumerManager,http-80-1:1759 - No service element found to match the ClaimedID / OP-endpoint in the assertion.
09:46:45,428 ERROR ConsumerManager,http-80-1:1183 - Discovered information verification failed.

I saw on a forum a similar problem, but the solution was to change consumerManager.verify to consumerManager.verifyNonce. I'm not sure if using this method will not create a security issue. Do you have any idea what should I change to make my open id consumer to work with Google Apps openid?


Google Apps uses a slightly different discovery process than what is supported in the base version of OpenID4Java. There's an add-on library at http://code.google.com/p/step2/ that you might fight useful (and a higher level wrapper at http://code.google.com/p/openid-filter/.)

I'm not aware of anyone that has done Spring Security integration with the modified Step2 classes, but it shouldn't be too hard to modify the code to set up Step2 appropriately. It's built on OpenID4Java and the code to write a relying party is mostly the same.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜