user3302039

Reputation: 61

Recommendation stack for Restful + Spring Security + Mobile App

I'm creating a mobile app and I would like to give users the option to sign up/in using an email or via their Facebook accounts.

I have read so many things in the last two days, but I still don't understand how to do it.

I have seen the example at the following link, but it's a little bit confusing for me, and I would like to use the Spring (Boot) stack with Java annotation configuration. http://porterhead.blogspot.com.br/2013/01/writing-rest-services-in-java-part-4.html

The best example I found for REST authentication is this http://www.codesandnotes.be/2014/10/31/restful-authentication-using-spring-security-on-spring-boot-and-jquery-as-a-web-client/, but it is form based, which does not work for a mobile application.

The flow of the application in my head is:

  1. Users try to access the app via Facebook (using mobile SDK);
  2. Facebook returns a token, which is sent to my backend server;
  3. Spring Security checks if the token is valid. If it is valid, get the user's details (email, for example).
     3.1. If that email is present in my database, log the user in. Otherwise, create a new user.

The steps after that are a little bit obscure to me as well. After these checks, what should I return to the client? How do I validate its token on the following requests?

I've read a lot, but still cannot connect the dots. Any help will be really appreciated.

Thanks in advance!

Upvotes: 0

Views: 1127

Answers (1)

Prabjot Singh

Reputation: 4767

Firstly, when you send the Facebook auth token to the backend, it will be checked by a Facebook library like spring-social, not by Spring Security. So I am just giving you an example with spring-social.

    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.social.facebook.api.Facebook;
    import org.springframework.social.facebook.api.User;
    import org.springframework.social.facebook.api.impl.FacebookTemplate;

    // fbToken: the access token the mobile SDK handed to the app; appNamespace: your Facebook app's namespace
    boolean isValidFacebookToken(String fbToken, String appNamespace) {
        Facebook facebook = new FacebookTemplate(fbToken, appNamespace);
        User facebookUser = facebook.userOperations().getUserProfile(); // throws if the token is not authenticated
        if (facebookUser.getId() != null) {
            return true;
        } else {
            throw new BadCredentialsException("invalid token"); // Spring Security's own exception type
        }
    }

After verifying the Facebook auth token, you have to create a unique token for your app. You can create it with

    import java.util.UUID;

    String token = UUID.randomUUID().toString();

Then save this token in the database and return it to the client. For further requests, the client has to send this token, and now this token will be checked by Spring Security.

    if (tokenValid) {
        // access your app
    } else {
        return "unauthorized user";
    }

On logout, you will delete it from the database as well as from the client side.

Upvotes: 2
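The answer above describes the whole server-side procedure: issue an opaque token once the Facebook token has been verified, store it, check it on every later request, delete it on logout. The block below is an added example of that procedure written for this page; it is not the answerer's code and not part of Spring Social or Spring Security. It assumes a Spring Boot application with spring-boot-starter-security on the classpath. The `ApiTokenService`, `ApiTokenFilter` and `TokenRecord` names, the in-memory `ConcurrentHashMap` (standing in for the database table the answer mentions), the `Authorization: Bearer` header and the 30-day lifetime are all choices made here, not anything from the original post.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Issues, validates and revokes the app's own opaque tokens (hypothetical class, written for this example). */
class ApiTokenService {
    private static final Duration TTL = Duration.ofDays(30);   // assumed lifetime; pick what your app needs
    private final SecureRandom random = new SecureRandom();
    // Stands in for the database table. Key: SHA-256 of the token, never the token itself,
    // so a leaked table does not hand out live sessions. Value: owner and expiry.
    private final Map<String, TokenRecord> store = new ConcurrentHashMap<>();

    static final class TokenRecord {
        final String email; final Instant expiresAt;
        TokenRecord(String email, Instant expiresAt) { this.email = email; this.expiresAt = expiresAt; }
    }

    /** Call after the Facebook token has been verified and mapped to a local account (by email). */
    String issue(String email) {
        byte[] raw = new byte[32];                                   // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(sha256(token), new TokenRecord(email, Instant.now().plus(TTL)));
        return token;                                                // the client sees it exactly once
    }

    /** Returns the owner's email for a presented token, or empty if unknown, revoked or expired. */
    Optional<String> ownerOf(String token) {
        String key = sha256(token);
        TokenRecord rec = store.get(key);
        if (rec == null) return Optional.empty();
        if (rec.expiresAt.isBefore(Instant.now())) {                 // expired: drop it and reject
            store.remove(key);
            return Optional.empty();
        }
        return Optional.of(rec.email);
    }

    /** Logout: forget the token server-side; the client discards its copy. */
    void revoke(String token) { store.remove(sha256(token)); }

    private static String sha256(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}

/** Spring Security filter: reads "Authorization: Bearer <token>" on every request after login (hypothetical class). */
class ApiTokenFilter extends OncePerRequestFilter {
    private final ApiTokenService tokens;
    ApiTokenFilter(ApiTokenService tokens) { this.tokens = tokens; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            String token = header.substring("Bearer ".length()).trim();
            Optional<String> email = tokens.ownerOf(token);
            if (!email.isPresent()) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid or expired token");
                return;                                              // stop here; nothing downstream runs
            }
            // Populate the security context so @PreAuthorize / antMatchers().authenticated() work as usual.
            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                    email.get(), null, Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        chain.doFilter(req, res);   // no header: continue unauthenticated; the HttpSecurity rules decide
    }
}
```

Register the filter in your `WebSecurityConfigurerAdapter` with `http.addFilterBefore(new ApiTokenFilter(tokenService), UsernamePasswordAuthenticationFilter.class)`, set `sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)` so no HTTP session is created, and keep the login endpoint (the one that receives the Facebook token) open with `permitAll()`. A random token of this size does not need a salt before hashing, but it does need TLS on every request, since whoever reads it owns the session until it is revoked. One caveat on the Facebook step itself: calling `/me` with a token only proves the token is valid for some app. Facebook's Graph API `debug_token` endpoint (called with your app access token) returns the `app_id` the user token was issued for; comparing that to your own app ID is what stops a token issued to a different application from being accepted for the same email address.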
