Tuesday, January 15, 2008

Acegi OpenID Support Update

I said I'd work on the OpenID support in Acegi (aka Spring-Security) and I finally did. Really nothing major: I refactored the functionality from the CAS package that we needed in OpenID up into its own existence in the "providers" package. So now there's a new AuthoritiesPopulator and a DaoAuthoritiesPopulator impl that uses the UserDetailsService to look up Authorities for a given principal. This functionality was being "borrowed" from the CAS package; now it's been refactored up. For backwards compatibility I've left the original CasAuthoritiesPopulator and DaoCasAuthoritiesPopulator items in as subclasses of the new classes. Both of those extensions are empty now, though, and they should be removed in the future.
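The shape of that refactoring, as an added sketch that is not Acegi's own code: the interfaces below are simplified, hypothetical stand-ins (the method names and the use of role strings are assumptions) that show a protocol-neutral populator resolving an already-verified principal to locally stored authorities and rejecting identities that have no local account.

```java
import java.util.*;

public class PopulatorSketch {
    // Hypothetical stand-in for a UserDetailsService: local lookup keyed by username.
    interface UserDetailsService {
        Set<String> loadAuthoritiesByUsername(String username);
    }

    // Hypothetical stand-in for the protocol-neutral populator described in the post.
    interface AuthoritiesPopulator {
        Set<String> getAuthorities(String principal);
    }

    // DAO-backed populator: knows nothing about CAS or OpenID, only the local store.
    static class DaoAuthoritiesPopulator implements AuthoritiesPopulator {
        private final UserDetailsService userDetailsService;

        DaoAuthoritiesPopulator(UserDetailsService userDetailsService) {
            this.userDetailsService = Objects.requireNonNull(userDetailsService);
        }

        public Set<String> getAuthorities(String principal) {
            Set<String> granted = userDetailsService.loadAuthoritiesByUsername(principal);
            if (granted == null || granted.isEmpty()) {
                // A verified identity without a local account gets no authorities at all.
                throw new SecurityException("No local account for " + principal);
            }
            return Collections.unmodifiableSet(granted);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: verified OpenID identifiers mapped to local roles.
        Map<String, Set<String>> users = new HashMap<>();
        users.put("https://alice.example.org/",
                new HashSet<>(Arrays.asList("ROLE_USER", "ROLE_ADMIN")));
        users.put("https://bob.example.org/",
                new HashSet<>(Arrays.asList("ROLE_USER")));

        AuthoritiesPopulator populator = new DaoAuthoritiesPopulator(users::get);

        System.out.println(populator.getAuthorities("https://alice.example.org/"));
        try {
            populator.getAuthorities("https://mallory.example.org/");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```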

Also, I've removed the janrain support as Janrain is dead. Spring-Security will now use openid4java exclusively. It has been updated to version 0.9.3 of that library.

Now the call goes out to Jeff Dwyer to update MyHippoCampus to the latest stuff and put it through its paces. Thanks Jeff!

Next up? Well, I'm going to slap it into one of the samples and do some testing, and then work on promoting it out of the sandbox. Hopefully we can get OpenID support into the main project soon :)


Andreas Andreou said...

Hi, good to see progress on this.

I (and others) have been wondering if there's any plans / way to have this with the (old 1.0.6) acegi-security modules... or are those completely dropped?

Ray Krueger said...

I just made another post this morning stating that I've pulled the code out of the sandbox and into its own module. So the code is definitely progressing again.

As for 1.0.6, there aren't any plans to backport the feature as far as I know of. The stuff I'm pushing towards release now isn't greatly different than what was in the sandbox at the time of the 1.0.6 release. The openid code in the sandbox at that time is already being used in a few production applications. You should be able to safely use that codebase.

You should be able to...
svn co https://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/tags/release_1_0_6 acegi-security-1.0.6
cd acegi-security-1.0.6
mvn install
cd sandbox
cd openid
mvn install

That will get you the acegi-security-openid-1.0.6.jar you can use.

Andreas Andreou said...

had to change some versions from 1.0.6-SNAPSHOT to 1.0.6 (in sandbox/pom.xml and sandbox/openid/pom.xml) and it built ok.... thx

Ray Krueger said...

Aaah, yeah the versions in the sandbox sometimes get missed during a release.
Enjoy :)

Ray Krueger said...

Oh, and the post I alluded to in my first comment is this one.

Unknown said...

Hi. I am interested in the OpenID support for Acegi 1.0.6. I realize this is not supported, but is there a simple example of how to configure the application context file for OpenID in 1.0.6? We are looking at whether Acegi makes sense for our application (I am still a novice with Acegi), and the ability to add support for OpenID easily would be a significant selling point. Thanks.

Ray Krueger said...

I realize you're talking about 1.0.6, but Luke Taylor put together a sample app in the spring-security trunk you should have a look at.

The major difference there is that the 2.0 codebase uses the OpenId4JavaConsumer by default, in 1.0.6 you'll have to wire it in manually to the filter.

Unknown said...

Thanks for your help. I was indeed looking for a 1.0.6-specific example, as I would like to check that I am in fact wiring it in correctly. At any rate, I gather that I need to set up an OpenIDAuthenticationProvider bean with an ssoAuthoritiesPopulator property. The sample app seems to use DaoAuthoritiesPopulator, which is not in 1.0.6. I have seen references to DaoCasAuthoritiesPopulator. Can we use this latter class, with our own userDetailsService, even if we are not running Cas, or will we need to implement our own AuthoritiesPopulator?

Thanks again.

Ray Krueger said...

Yeah that stuff was refactored so it didn't use stuff from the CAS package. In that version you have to use the CasAuthoritiesPopulator...

jdwyah said...

Just wanted to post a quick note to let you know that www.MyHippocampus.com is indeed using the new Spring Security OpenID support. Thanks for all the hard work.

Better yet, OpenID w/ Spring Security is part of the open-source ToCollege.net project http://code.google.com/p/tocollege-net/ and the implementation is covered in the book that goes along with ToCollege.net.

Check it out!

Churk Leung said...

Is there any plan for implementing required and optional request parameters? Because without those it is very hard to customize for authorization. Right now it is like a URL for OpenID, and the OpenID provider returns yes or no. And that is it; everyone gets the same level of authorization. If we have required parameters, we can then see what else we can authorize on.

Unknown said...

I am developing an application on appfuse 1.9.4, which brings acegi-security 1.0.2.

I read your and you could implement openid in acegi-security-1.0.6

I am new to Spring. Could you give me an example of how to do this? How could you implement it? Or where can I download your code to take it as a guide?

I await your response.