I am using spring-security-facebook:0.10.4 to integrate Facebook authentication for SSO in our Grails application. One of our requirements is to allow a user to turn SSO on or off (via some control in our app). If it's turned on, then we want to use the spring-security-facebook filter for authentication. If SSO is turned off on our app, we want to use the default spring security filter for authentication (regardless of whether a Facebook cookie/auth token exists or not).
I'm not sure how to configure the spring-security-facebook plugin to allow for this use case. Right now, I have the Transparent cookie based authorization (FacebookAuthCookieTransparentFilter) working, and it works great. The problem is that it will try to authenticate through Facebook on every page. I can't see a way that I can control this so I can check to see if a user has turned on SSO in our app, and only use the Facebook auth filter if SSO is turned on.
I'm thinking I have to use Manual cookie based authorization (FacebookAuthCookieDirectFilter) instead, but I don’t know how to configure it. The documentation (located here... http://splix.github.com/grails-spring-security-facebook/guide/3%20Usage.html#3.4%20Client%20Side%20Authorization) says... "Same as FacebookAuthCookieTransparentFilter, it parse Facebook cookie, but only for specified url. Like username/password filter from spring-security-core or similar. After successful authorization it can redirect user to specified url."
Is Manual cookie based authorization the way to go for my requirement? How can I configure it to work only for users who have turned on SSO in our app? How do I configure it to “…redirect user to specified url.”?
FacebookAuthCookieDirectFilter is applying cookie based authorization to specified URL only. This URL is configured at grails.plugins.springsecurity.facebook.filter.processUrl
, by default it's /j_spring_security_facebook_check
First of all you should Configure the plugin to use facebookAuthCookieDirectFilter
, by adding to Config.groovy
:
grails.plugins.springsecurity.facebook.filter.type='cookieDirect'
Then use Facebook Javascript SDK, to login user on client side. After authorization redirect user to /j_spring_security_facebook_check
, like:
<facebookAuth:init>
FB.Event.subscribe('auth.login', function() {
window.location.href = '/j_spring_security_facebook_check'
});
</facebookAuth:init>
<g:javascript>
$('#fbloginbutton').click(function() {
FB.login();
});
</g:javascript>