0

I am using spring-security-facebook:0.10.4 to integrate Facebook authentication for SSO in our Grails application. One of our requirements is to allow a user to turn SSO on or off (via some control in our app). If it's turned on, then we want to use the spring-security-facebook filter for authentication. If SSO is turned off on our app, we want to use the default spring security filter for authentication (regardless of whether a Facebook cookie/auth token exists or not).

I'm not sure how to configure the spring-security-facebook plugin to allow for this use case. Right now, I have the Transparent cookie based authorization (FacebookAuthCookieTransparentFilter) working, and it works great. The problem is that it will try to authenticate through Facebook on every page. I can't see a way that I can control this so I can check to see if a user has turned on SSO in our app, and only use the Facebook auth filter if SSO is turned on.

I'm thinking I have to use Manual cookie based authorization (FacebookAuthCookieDirectFilter) instead, but I don’t know how to configure it. The documentation (located here... http://splix.github.com/grails-spring-security-facebook/guide/3%20Usage.html#3.4%20Client%20Side%20Authorization) says... "Same as FacebookAuthCookieTransparentFilter, it parse Facebook cookie, but only for specified url. Like username/password filter from spring-security-core or similar. After successful authorization it can redirect user to specified url."

Is Manual cookie based authorization the way to go for my requirement? How can I configure it to work only for users who have turned on SSO in our app? How do I configure it to “…redirect user to specified url.”?

Igor Artamonov
  • 35,450
  • 10
  • 82
  • 113
aschune
  • 3
  • 1

1 Answers1

0

FacebookAuthCookieDirectFilter is applying cookie based authorization to specified URL only. This URL is configured at grails.plugins.springsecurity.facebook.filter.processUrl, by default it's /j_spring_security_facebook_check

First of all you should Configure the plugin to use facebookAuthCookieDirectFilter, by adding to Config.groovy:

grails.plugins.springsecurity.facebook.filter.type='cookieDirect'

Then use Facebook Javascript SDK, to login user on client side. After authorization redirect user to /j_spring_security_facebook_check, like:

<facebookAuth:init>
   FB.Event.subscribe('auth.login', function() {
      window.location.href = '/j_spring_security_facebook_check'
   });
</facebookAuth:init>

<g:javascript> 
   $('#fbloginbutton').click(function() {
       FB.login();
   });
</g:javascript>
Igor Artamonov
  • 35,450
  • 10
  • 82
  • 113
  • This works great for logging in to Facebook from my app for the first time. But, if I'm already logged into Facebook on another tab, then go to my app and click on the facebookAuth:connect button... the Facebook auth window flashes by, but my app doesn't do anything. It seems the auth.login event isn't triggered in this case (?). Have you seen this problem? I don't know if it's a Facebook bug, or something I need to code for in my javascript. – aschune Feb 07 '13 at 19:47
  • Yes, sometimes it happens. You could also class FB.getLoginStatus on click, see https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/ – Igor Artamonov Feb 08 '13 at 01:47