The namespace supports logging in with OpenID instead of, or in addition to, regular form login. Only a small change is needed:
<http>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <openid-login />
</http>
You should then register through an OpenID provider (for example, myopenid.com) and add the user information to the in-memory <user-service>:
<user name="https://jimi.hendrix.myopenid.com/" authorities="ROLE_USER" />
You should be able to log in using myopenid.com for authentication. You can also select a specific UserDetailsService bean for use with OpenID by setting the user-service-ref attribute on the openid-login element. Note that we have omitted the password attribute from the user configuration above because this set of user data is only used to load the authorities for the user. A random password is generated internally, which prevents this user data from being unintentionally used as a source of authentication elsewhere in the configuration.
Attribute exchange
The namespace also supports OpenID attribute exchange. As an example, the following configuration tries to obtain the email address and full name from the OpenID provider for use by the application:
<openid-login>
    <attribute-exchange>
        <openid-attribute name="email" type="https://axschema.org/contact/email" required="true"/>
        <openid-attribute name="name" type="https://axschema.org/namePerson"/>
    </attribute-exchange>
</openid-login>
The "type" of each OpenID attribute is a URI defined by a particular schema, in this case axschema.org. If the attribute must be obtained for authentication to succeed, set the required attribute. The exact schema and supported attributes depend on your OpenID provider. The attribute values are returned as part of the authentication process and can then be accessed using the following code:
OpenIDAuthenticationToken token =
    (OpenIDAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
List<OpenIDAttribute> attributes = token.getAttributes();
We can get the OpenIDAuthenticationToken from the SecurityContextHolder. Each OpenIDAttribute contains the attribute type and the retrieved value (or values, in the case of multivalued attributes). You can supply multiple attribute-exchange elements by setting an identifier-matcher attribute on each one. This attribute contains a regular expression that is matched against the OpenID identifier supplied by the user. For an example configuration, see the codebase for the OpenID sample application, which provides different attribute lists for the Google, Yahoo, and MyOpenID providers.
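A defensive way to read the exchanged attributes, shown as an added example that is not part of the original documentation or of Spring Security itself. The OpenIdAttributes class and its method names are hypothetical; the name passed in is the one given in the name attribute of openid-attribute, such as "email" above.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.openid.OpenIDAttribute;
import org.springframework.security.openid.OpenIDAuthenticationToken;

/** Hypothetical helper (not part of Spring Security) for reading attribute-exchange values. */
public final class OpenIdAttributes {

    private OpenIdAttributes() {
    }

    /** Returns every value received for the attribute configured under the given name. */
    public static List<String> values(String name) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // When form login is enabled alongside OpenID, the current token is not
        // necessarily an OpenIDAuthenticationToken, so check before casting.
        // instanceof is also false for null (no authentication present).
        if (!(auth instanceof OpenIDAuthenticationToken)) {
            return Collections.emptyList();
        }
        for (OpenIDAttribute attribute : ((OpenIDAuthenticationToken) auth).getAttributes()) {
            if (name.equals(attribute.getName()) && attribute.getValues() != null) {
                // These values come from the OpenID provider's response;
                // validate them like any other external input before use.
                return attribute.getValues();
            }
        }
        return Collections.emptyList();
    }

    /** Returns the single value of an attribute, or null if it is absent or ambiguous. */
    public static String singleValue(String name) {
        List<String> values = values(name);
        // An attribute without required="true" may be missing, and a multivalued
        // attribute may carry several entries. Treat both as "no usable value".
        return values.size() == 1 ? values.get(0) : null;
    }
}
```

With the configuration above, OpenIdAttributes.singleValue("email") returns the address supplied by the provider, or null for a user who logged in through the form.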