Search code examples
facebookgrailsspring-securitygrails-plugin

Grails spring-security-facebook plugin - Customizing client-side authentication

I am using spring-security-facebook:0.10.4 to integrate Facebook authentication for SSO in our Grails application. One of our requirements is to allow a user to turn SSO on or off (via some control in our app). If it's turned on, then we want to use the spring-security-facebook filter for authentication. If SSO is turned off on our app, we want to use the default spring security filter for authentication (regardless of whether a Facebook cookie/auth token exists or not).

I'm not sure how to configure the spring-security-facebook plugin to allow for this use case. Right now, I have the Transparent cookie based authorization (FacebookAuthCookieTransparentFilter) working, and it works great. The problem is that it will try to authenticate through Facebook on every page. I can't see a way that I can control this so I can check to see if a user has turned on SSO in our app, and only use the Facebook auth filter if SSO is turned on.

I'm thinking I have to use Manual cookie based authorization (FacebookAuthCookieDirectFilter) instead, but I don’t know how to configure it. The documentation (located here... http://splix.github.com/grails-spring-security-facebook/guide/3%20Usage.html#3.4%20Client%20Side%20Authorization) says... "Same as FacebookAuthCookieTransparentFilter, it parse Facebook cookie, but only for specified url. Like username/password filter from spring-security-core or similar. After successful authorization it can redirect user to specified url."

Is Manual cookie based authorization the way to go for my requirement? How can I configure it to work only for users who have turned on SSO in our app? How do I configure it to “…redirect user to specified url.”?

Solution

  • FacebookAuthCookieDirectFilter is applying cookie based authorization to specified URL only. This URL is configured at grails.plugins.springsecurity.facebook.filter.processUrl, by default it's /j_spring_security_facebook_check

    First of all you should Configure the plugin to use facebookAuthCookieDirectFilter, by adding to Config.groovy:

    grails.plugins.springsecurity.facebook.filter.type='cookieDirect'

    Then use Facebook Javascript SDK, to login user on client side. After authorization redirect user to /j_spring_security_facebook_check, like:

    <facebookAuth:init>
   FB.Event.subscribe('auth.login', function() {
      window.location.href = '/j_spring_security_facebook_check'
   });
</facebookAuth:init>

<g:javascript> 
   $('#fbloginbutton').click(function() {
       FB.login();
   });
</g:javascript>