
Using the JSON filter requires two hits to login

Open michaelcdillon opened this issue 12 years ago • 8 comments

When using the JSON filter I have to send two requests to the filter endpoint with the same token to be fully logged in. If I only send one request I receive the authenticated json object however then accessing any other secured endpoints in my app will result in a redirect to the spring security login page.

michaelcdillon avatar Jul 19 '13 15:07 michaelcdillon

How do you use JSON authentication? It's supposed to be used from an external client, like an Android app, so it just returns app user details for the provided token. If you need ajax-style authentication, it's better to choose the Transparent filter + Facebook JS SDK.

splix avatar Jul 19 '13 15:07 splix

I'm using it from an iPhone app, but regardless two requests must be made.


michaelcdillon avatar Jul 19 '13 16:07 michaelcdillon

What do you get as a response for the first request?

splix avatar Jul 19 '13 16:07 splix

A good auth response json object with the fb uid etc.


michaelcdillon avatar Jul 19 '13 16:07 michaelcdillon

Have you been able to reproduce this? I've been digging into the spring security core code to see if there is a simple call that's missing, but I haven't made great progress.

michaelcdillon avatar Jul 19 '13 23:07 michaelcdillon

Yes, it's exactly what you should get: a JSON object with user details. Nothing else. I don't understand what you mean by a second request. It seems that you're trying to make another JSON request to a protected area, right? That shouldn't work, of course. For RESTful API authentication you have to use something else, like OAuth2 authentication (it's the de facto standard for such things). And the Spring Security Facebook plugin cannot help you with this; it just introduces a RESTful endpoint to get user details for an FB user. Authentication for other RESTful calls should use something else.

splix avatar Jul 20 '13 04:07 splix

I'm working with the following assumption: grails-spring-security-facebook provides a way to authenticate users against facebook and it will create a new user in my grails application (if they don't exist yet) and then log them into my application. That is achieved by my client hitting http://localhost:8080/my-app/j_spring_security_facebook_json, which returns a json object telling me if the authentication succeeded or if it failed (along with fb UID, user roles, and if the user is enabled).

Now my client should be able to access a secured endpoint on my grails app such as http://localhost:8080/my-app/secured-app-endpoint. When I make that request, my grails app redirects the request to the standard spring-security-core grails login page, which should not be happening since this plugin is injected in the grails / spring security filter stack.

If I make a second authentication request immediately following the first request, which returns the same exact json object saying my user is authenticated, then I can successfully request an endpoint in my grails app.

michaelcdillon avatar Jul 20 '13 14:07 michaelcdillon

It doesn't work that way. JSON filter just returns details for provided user. That's all. All other requests, for other endpoints, should be authenticated by different security filter. And it's unrelated to Facebook authentication.

For RESTful application, it's OAuth2 usually. So, you have to configure OAuth2 authentication for your app, put an OAuth2 token into this JSON object (extensible by FacebookAuthService), and use this token for authentication of other REST endpoints.

PS: actually you could configure the RememberMe filter and reuse rememberMe cookies in your client app, but I don't think this is a good idea, so I suggest you take a look at OAuth2.

splix avatar Jul 21 '13 13:07 splix