In a Spring MVC mobile web application i have a requirement to post a custom messgage to social networking sites (Facebbok, linkedIN, Twitter, Google Plus).
ie If the user purchase a product he can share a predefined message "I purchased the product #134" like that.
First i thought of using simple javascript for sharing but it behaves differently in different mobiles and alse not able to post the predefined message. Another option i found is using spring-social.
Can any body suggest me any alternatives or best method to achieve this.
Any help will be appreciated.
It sounds like your question is "Can Spring Social be used to post custom messages to a user's feed? Or can someone suggest alternatives?"
Addressing the first part of that question, yes Spring Social can do this. The specifics of which vary slightly from social API to social API, but in general you'd inject the API binding into the controller where you handle the purchase of a product and at purchase time use that API binding to post the message.
The gotcha, however, is that the user must authorize your application to post stuff. You can't just arbitrarily post messages to any API without the user's permission. Therefore, prior to that purchase being completed, your app will need to obtain a connection (a Spring Social concept that captures that permission and an access token that represents the permission) by redirecting the user to the FB/Twitter/LinkedIn/etc to prompt the user for permission. Spring Social's ConnectController exists to handle that redirect and to obtain the connection for you.
If you've not already had a look, look at https://github.com/spring-projects/spring-social-samples where I have a handful of examples for Spring Social. Most notably, spring-social-showcase-boot is a new example that takes advantage of Spring Boot's simplified programming model to enable Spring Social to work with Facebook, Twitter, and LinkedIn.
Related
I have to implement a login authentication & user registration feature for my product.
What is the standard and effective way of doing this using spring which would provide standard security (meaning nothing super fancy, but nothing easy to get around as well)?
As this has been done so many times there has to be a standard way to achieve this ?
The implementation should include :
user registration form after registering through g+ or fb etc
login form
storing user profiles, passwords, preferences in some backend
db or system
role management : different roles like admin would have
access to all etc
Standard : that which can put in production.
I found too many things scattered all around the net and although this seems like a broad topic its difficult to get started with especially when this going straight into production and not as a hobby project. The tutorials are always good to get started however are a starting point only. I want to know whats the best route or path that can be used for a product in production.
Securing a web application is not small topic, so you will need to read some tutorials.
You'll find very quick an easy to understand guides (with working examples)
at Spring Boot guides web site.
Spring Boot guides
Securing web application
JPA for your hibernate requirement
If you want going deeper you could read these great tutorials:
Spring security form login
I have developed a web application (spring mvc, spring security) which has a its own login.
Now I want to change the application to login with an another web site's (2nd web) credentials and also need to get some user details from 2nd website.eg: username, user role list for create authentication object.
Please help me to choose best way to do this.
Is openID or oauth2 better for my client application?
OpenID and oAuth are 2 different things.
Lately, Google announced it stops supporting OpenID, so maybe oAuth2.0 is a better option for you.
Note that if you choose oAuth of 3rd-party, you force your users to have account there. for example, if your application (the resource server) uses Facebook for authentication/authorization, your users will HAVE TO have account on Facebook (you want that?!).
If you work with OpenID, your users have several options of where to hold their account...
If you have another 3rd party (or in-house, it does not really matter) authentication server and you want to authenticate your users with it - you have to know what specifications it supports. For example, if it supports oAuth2.0, you can pretty easily configure your app to work with it.
Hope that helps...
If I understand you correctly, you are talking about using Social Networks like Google+, Facebook, to be able to login to your application (This is identity services, where you don't have actual password, but rather access token with limited scope).
For that there is a Spring Social, project, that provides set of abstractions, for such kind of integration, including additional Spring MVC Controllers, needed for proper authentication in this Social Networks.
We're developing an API and a single page application (that is one of more possible future consumers of it).
We already started on the web API, and basically implemented a system very similar to the one John Papa made in his course on pluralsight, named "Building Single Page Apps (SPA) with HTML5, ASP.NET Web API, Knockout and jQuery".
We now need to implement authentication and user managing in this application and need to find the easy way out to implement this in as little time as possible as we are in a hurry.
We realized the SPA template included in the ASP.NET update had very similar features to our needs, but we wonder what the best approach to implement a similar feature in our existing code.
We are novice developers, as you might figure.
Is it possible nstall some packages using the package manager, and voila, a simple membership and OAuth auth option be readily available?
Our use case is that we need to protect some resources on our API based on roles, and that one should be able to log in using a username and password, but also log in using ones facebook, google, or twitter account.
Found an interesting talk regarding the subject here: https://vimeo.com/43603474 named Dominick Baier - Securing ASP.NET Web APIs.
Synopsis: Microsoft’s new framework for writing RESTful web services and web APIs is appropriately enough called ASP.NET Web API. As the name applies, this technology is part of ASP.NET and also inherits its well-known security architecture. But in addition it also supports a number of new extensibility points and a flexible hosting infrastructure outside of IIS. There are a number of ways how to do authentication and authorization in Web API - from Windows to usernames and passwords up to token based authentication and everything in between. This talk explores the various options, and puts special focus on technologies like claims, SAML, OAuth2, Simple Web Tokens and delegation.
We eventually went with the SPA template, doing authentication on the API (separate MVC part).
Then the API would generate a unique token and redirect the user to the front-end with the token in url parameters.
The front-end then needs to send this token on every subsequent request.
Have a look here - Identity Server done by the security experts. This is all you need in one package.
In terms of OAuth, you would need to use Client-Side Web Application flow which the access token is issue immediately to the client and can be used.
I've searched the posts and have not found exactly what I'm looking for pertaining to my question. For example Security ... through AD asks more the question is it wise? My question is this:
We are implementing WCF applications and we are now putting WCF ... I mean ASP.NET Web Api ;)
into our server stack. I want to secure the services by requiring that the user log on to ADS, but if they already have logged on (via network login or other means) then I don't request a login. Rolebased authorization then occurs within the services.
I cannot find good discussions or examples of how I handle ADS authorization especilly through all of the future endpoints (tablet and phone).
My one thought was that the user does a login to ADS and the token then becomes what gets handled for security and rights. So now I'm a little bit concerned about how much coding has to be done to accomplish this. We are looking at FederatedServices to handle this in WCF but there is no such control in this weak API.
So I'm interested in any input or direct me to a great article on this. So far all I see is self-rolled security which our old server has and I do NOT want that crap again.
Oh yes, did I mention our target is single signon throughout our web services??? :)
Best place to start is Dominick's Thinktecture Identity for Web API. It is the de-facto security framework for Web API and supports token based identity.
I am kind of new when it comes to fetching users data from social networks,
i need to extend my application and develop some kindof users data collector module
which in generally will be responsible for fetching data on my application users from social networks.
lets assume i have a user X which sign into my application with his facebook account.
can i fetch data on user X from facebook social graph only when he logged into ( my application/ facebook / both/ when ever i want )?
i was reading a beat on spring social framework, at first look it seems exactly the framework i need for my module.
the thing is that in all the examples i saw that each time fetching is required the user should manually allow it or it might be every time he logged into the application , also when looking at the code i think i saw that for each user a service provider
should be created, all the examples implies that spring social is not ment for background daemon which will fetch users data with minimal users attention.
does spring social can answer my requirements?
there are other java open source options?
You can use Spring Social to access a social network on a user's behalf as long as you have a valid OAuth authentication token for that user. It's up to the provider (e.g. Facebook, Twitter, etc.) to dictate how long the tokens remain valid and how you can get new valid tokens. You'll have to read the provider's documentation to determine if the kind of background access you want is allowed by the provider. If it is allowed by the provider, than you ought to be able to use Spring Social to perform the operations you want to perform.
One example is Facebook. Facebook used to let you ask for a permission called "offline_access" which would result in your application receiving an authentication token for the user that would never expire (or at least wouldn't expire for a long time). They are deprecating this, though. For more information about Facebook specifically check this thread on the Spring Social forums:
http://forum.springsource.org/showthread.php?123685-Facebook-offline_access