
Remove spring-security-openid

Closes gh-10773
This commit is contained in:
Rob Winch
2022-01-21 16:55:19 -06:00
parent e7ce694b23
commit f94090a59b
62 changed files with 16 additions and 4691 deletions
@@ -38,7 +38,6 @@
***** xref:servlet/authentication/passwords/ldap.adoc[LDAP]
*** xref:servlet/authentication/session-management.adoc[Session Management]
*** xref:servlet/authentication/rememberme.adoc[Remember Me]
*** xref:servlet/authentication/openid.adoc[OpenID]
*** xref:servlet/authentication/anonymous.adoc[Anonymous]
*** xref:servlet/authentication/preauth.adoc[Pre-Authentication]
*** xref:servlet/authentication/jaas.adoc[JAAS]
@@ -71,7 +71,7 @@ You can do so by adding a Maven property:
----
====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
If you use additional features (such as LDAP, OAuth 2, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
[[getting-maven-no-boot]]
=== Maven Without Spring Boot
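Review bot: swapping "OpenID" for "OAuth 2" in the feature list at @@ -71 (and in the identical sentences at @@ -117, @@ -238 and @@ -276) drops the one hint the old text gave readers who arrive searching for "OpenID", namely that the replacement is OpenID Connect via the OAuth 2 modules. Suggest "OAuth 2 / OpenID Connect" in all four places so the sentence still routes former OpenID 2.0 users to the right module, for example: `If you use additional features (such as LDAP, OAuth 2 / OpenID Connect, and others), you need to also include ...`.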
@@ -117,7 +117,7 @@ A minimal Spring Security Maven set of dependencies typically looks like the fol
----
====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
If you use additional features (such as LDAP, OAuth 2, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x.
Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems.
@@ -238,7 +238,7 @@ ext['spring.version']='{spring-core-version}'
----
====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
If you use additional features (such as LDAP, OAuth 2, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
=== Gradle Without Spring Boot
@@ -276,7 +276,7 @@ dependencies {
----
====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
If you use additional features (such as LDAP, OAuth 2, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x.
Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems.
@@ -139,10 +139,6 @@ None of the classes are intended for direct use in an application.
|
| Required if you are using the LDAP namespace options (optional).
| spring-security-openid
|
| Required if you are using OpenID authentication (optional).
| aspectjweaver
| 1.6.10
| Required if using the protect-pointcut namespace syntax (optional).
@@ -275,44 +271,6 @@ This is the basis of the Spring Security integration.
| Required if you are using the Ehcache-based ticket cache (optional).
|===
[[spring-security-openid]]
== OpenID -- `spring-security-openid.jar`
[NOTE]
====
The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
====
This module contains OpenID web authentication support.
It is used to authenticate users against an external OpenID server.
The top-level package is `org.springframework.security.openid`.
It requires OpenID4Java.
.OpenID Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-security-web
|
|
| openid4java-nodeps
| 0.9.6
| Spring Security's OpenID integration uses OpenID4Java.
| httpclient
| 4.1.1
| openid4java-nodeps depends on HttpClient 4.
| guice
| 2.0
| openid4java-nodeps depends on Guice 2.
|===
[[spring-security-test]]
== Test -- `spring-security-test.jar`
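Review bot: deleting this section also deletes the documented pins for `openid4java-nodeps 0.9.6`, `httpclient 4.1.1` and `guice 2.0`, which this module was the only reason to pull in; that is a welcome reduction of the dependency surface, but applications that relied on `spring-security-openid` to bring HttpClient 4 or Guice 2 onto the classpath transitively will now have to declare them (or, better, drop them), so this deserves a line in the release notes. The NOTE at the top of the removed section was also the only place in the modules page that told users to migrate from OpenID 1.0/2.0 to OpenID Connect via `spring-security-oauth2`; consider keeping a one-sentence pointer to that effect in the OAuth 2 module section so the migration advice does not disappear with the module.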
@@ -159,7 +159,6 @@ The default value is true.
* <<nsa-oauth2-client,oauth2-client>>
* <<nsa-oauth2-login,oauth2-login>>
* <<nsa-oauth2-resource-server,oauth2-resource-server>>
* <<nsa-openid-login,openid-login>>
* <<nsa-password-management,password-management>>
* <<nsa-port-mappings,port-mappings>>
* <<nsa-remember-me,remember-me>>
@@ -838,7 +837,7 @@ Used to add an `UsernamePasswordAuthenticationFilter` to the filter stack and an
This will always take precedence over other namespace-created entry points.
If no attributes are supplied, a login page will be generated automatically at the URL "/login" footnote:[
This feature is really just provided for convenience and is not intended for production (where a view technology will have been chosen and can be used to render a customized login page).
The class `DefaultLoginPageGeneratingFilter` is responsible for rendering the login page and will provide login forms for both normal form login and/or OpenID if required.
The class `DefaultLoginPageGeneratingFilter` is responsible for rendering the login page and will provide login forms for both normal form login and/or OIDC if required.
] The behaviour can be customized using the <<nsa-form-login-attributes, `<form-login>` Attributes>>.
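Review bot: "OIDC" in the replacement footnote is narrower than what `DefaultLoginPageGeneratingFilter` actually renders; the generated page lists a link per configured OAuth 2.0 client registration whether or not the provider is an OpenID Connect provider, so "OAuth 2.0 Login" (matching the `oauth2-login` element documented in this same appendix) is the accurate term. While touching the sentence, "login forms for both normal form login and/or OIDC" could read "login forms for form login and, if configured, links for OAuth 2.0 Login".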
@@ -1476,182 +1475,6 @@ Defaults to "/logout".
May be used to supply an instance of `LogoutSuccessHandler` which will be invoked to control the navigation after logging out.
[[nsa-openid-login]]
== <openid-login>
Similar to `<form-login>` and has the same attributes.
The default value for `login-processing-url` is "/login/openid".
An `OpenIDAuthenticationFilter` and `OpenIDAuthenticationProvider` will be registered.
The latter requires a reference to a `UserDetailsService`.
Again, this can be specified by `id`, using the `user-service-ref` attribute, or will be located automatically in the application context.
[[nsa-openid-login-parents]]
=== Parent Elements of <openid-login>
* <<nsa-http,http>>
[[nsa-openid-login-attributes]]
=== <openid-login> Attributes
[[nsa-openid-login-always-use-default-target]]
* **always-use-default-target**
Whether the user should always be redirected to the default-target-url after login.
[[nsa-openid-login-authentication-details-source-ref]]
* **authentication-details-source-ref**
Reference to an AuthenticationDetailsSource which will be used by the authentication filter
[[nsa-openid-login-authentication-failure-handler-ref]]
* **authentication-failure-handler-ref**
Reference to an AuthenticationFailureHandler bean which should be used to handle a failed authentication request.
Should not be used in combination with authentication-failure-url as the implementation should always deal with navigation to the subsequent destination
[[nsa-openid-login-authentication-failure-url]]
* **authentication-failure-url**
The URL for the login failure page.
If no login failure URL is specified, Spring Security will automatically create a failure login URL at /login?login_error and a corresponding filter to render that login failure URL when requested.
[[nsa-openid-login-authentication-success-forward-url]]
* **authentication-success-forward-url**
Maps a `ForwardAuthenticationSuccessHandler` to `authenticationSuccessHandler` property of `UsernamePasswordAuthenticationFilter`.
[[nsa-openid-login-authentication-failure-forward-url]]
* **authentication-failure-forward-url**
Maps a `ForwardAuthenticationFailureHandler` to `authenticationFailureHandler` property of `UsernamePasswordAuthenticationFilter`.
[[nsa-openid-login-authentication-success-handler-ref]]
* **authentication-success-handler-ref**
Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful authentication request.
Should not be used in combination with <<nsa-openid-login-default-target-url,default-target-url>> (or <<nsa-openid-login-always-use-default-target, always-use-default-target>>) as the implementation should always deal with navigation to the subsequent destination
[[nsa-openid-login-default-target-url]]
* **default-target-url**
The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed.
This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication.
If unspecified, defaults to the root of the application.
[[nsa-openid-login-login-page]]
* **login-page**
The URL for the login page.
If no login URL is specified, Spring Security will automatically create a login URL at /login and a corresponding filter to render that login URL when requested.
[[nsa-openid-login-login-processing-url]]
* **login-processing-url**
The URL that the login form is posted to.
If unspecified, it defaults to /login.
[[nsa-openid-login-password-parameter]]
* **password-parameter**
The name of the request parameter which contains the password.
Defaults to "password".
[[nsa-openid-login-user-service-ref]]
* **user-service-ref**
A reference to a user-service (or UserDetailsService bean) Id
[[nsa-openid-login-username-parameter]]
* **username-parameter**
The name of the request parameter which contains the username.
Defaults to "username".
[[nsa-openid-login-children]]
=== Child Elements of <openid-login>
* <<nsa-attribute-exchange,attribute-exchange>>
[[nsa-attribute-exchange]]
== <attribute-exchange>
The `attribute-exchange` element defines the list of attributes which should be requested from the identity provider.
An example can be found in the xref:servlet/authentication/openid.adoc#servlet-openid[OpenID Support] section of the namespace configuration chapter.
More than one can be used, in which case each must have an `identifier-match` attribute, containing a regular expression which is matched against the supplied OpenID identifier.
This allows different attribute lists to be fetched from different providers (Google, Yahoo etc).
[[nsa-attribute-exchange-parents]]
=== Parent Elements of <attribute-exchange>
* <<nsa-openid-login,openid-login>>
[[nsa-attribute-exchange-attributes]]
=== <attribute-exchange> Attributes
[[nsa-attribute-exchange-identifier-match]]
* **identifier-match**
A regular expression which will be compared against the claimed identity, when deciding which attribute-exchange configuration to use during authentication.
[[nsa-attribute-exchange-children]]
=== Child Elements of <attribute-exchange>
* <<nsa-openid-attribute,openid-attribute>>
[[nsa-openid-attribute]]
== <openid-attribute>
Attributes used when making an OpenID AX https://openid.net/specs/openid-attribute-exchange-1_0.html#fetch_request[ Fetch Request]
[[nsa-openid-attribute-parents]]
=== Parent Elements of <openid-attribute>
* <<nsa-attribute-exchange,attribute-exchange>>
[[nsa-openid-attribute-attributes]]
=== <openid-attribute> Attributes
[[nsa-openid-attribute-count]]
* **count**
Specifies the number of attributes that you wish to get back.
For example, return 3 emails.
The default value is 1.
[[nsa-openid-attribute-name]]
* **name**
Specifies the name of the attribute that you wish to get back.
For example, email.
[[nsa-openid-attribute-required]]
* **required**
Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute.
Default is false.
[[nsa-openid-attribute-type]]
* **type**
Specifies the attribute type.
For example, https://axschema.org/contact/email.
See your OP's documentation for valid attribute types.
[[nsa-password-management]]
== <password-management>
This element configures password management.
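Review bot: with `<openid-login>`, `<attribute-exchange>` and `<openid-attribute>` gone from the appendix, the element definitions must come out of the namespace schema in the same release or the appendix and the schema will disagree; the schema file is not in this excerpt, so please confirm it is among the 62 changed files. Nothing in the removed block needs preserving: its attribute docs were copied from `<form-login>` (the `authentication-success-forward-url` and `authentication-failure-forward-url` entries refer to `UsernamePasswordAuthenticationFilter`, and `password-parameter` is documented for a login that takes no password), so the deletion also resolves those inconsistencies.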
@@ -182,7 +182,6 @@ The following is a comprehensive list of Spring Security Filter ordering:
* `OAuth2LoginAuthenticationFilter`
* `Saml2WebSsoAuthenticationFilter`
* xref:servlet/authentication/passwords/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`]
* `OpenIDAuthenticationFilter`
* `DefaultLoginPageGeneratingFilter`
* `DefaultLogoutPageGeneratingFilter`
* `ConcurrentSessionFilter`
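Review bot: removing `OpenIDAuthenticationFilter` from the documented order (between `UsernamePasswordAuthenticationFilter` and `DefaultLoginPageGeneratingFilter`) is only correct if the code-side filter order registration drops the same slot in this commit; please confirm, since a stale entry there would leave this list and the runtime ordering out of sync.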
@@ -18,6 +18,5 @@ These sections focus on specific ways you may want to authenticate and point bac
* xref:servlet/saml2/index.adoc#servlet-saml2[SAML 2.0 Login] - SAML 2.0 Log In
* xref:servlet/authentication/rememberme.adoc#servlet-rememberme[Remember Me] - how to remember a user past session expiration
* xref:servlet/authentication/jaas.adoc#servlet-jaas[JAAS Authentication] - authenticate with JAAS
* xref:servlet/authentication/openid.adoc#servlet-openid[OpenID] - OpenID Authentication (not to be confused with OpenID Connect)
* xref:servlet/authentication/preauth.adoc#servlet-preauth[Pre-Authentication Scenarios] - authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits.
* xref:servlet/authentication/x509.adoc#servlet-x509[X509 Authentication] - X509 Authentication
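Review bot: the removed index entry was the only line in the authentication overview that explicitly warned "not to be confused with OpenID Connect"; once OpenID 2.0 support is gone, a reader searching this page for "OpenID" will find nothing at all. Suggest folding that warning into the OAuth 2.0 Login / OIDC entry, for example `OpenID Connect (OIDC) login; OpenID 1.0/2.0 support has been removed`, so former `<openid-login>` users are pointed at `oauth2-login` rather than left without a trail.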
@@ -1,70 +0,0 @@
[[servlet-openid]]
= OpenID Support
[NOTE]
====
The OpenID 1.0 and 2.0 protocols have been deprecated. You should migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
====
The namespace supports https://openid.net/[OpenID] login either instead of or in addition to normal form-based login, with a simple change:
====
[source,xml]
----
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<openid-login />
</http>
----
====
You should then register yourself with an OpenID provider (such as myopenid.com), and add the user information to your in-memory `<user-service>`:
====
[source,xml]
----
<user name="https://jimi.hendrix.myopenid.com/" authorities="ROLE_USER" />
----
====
You should be able to login by using the `myopenid.com` site to authenticate.
You can also select a specific `UserDetailsService` bean for use with OpenID by setting the `user-service-ref` attribute on the `openid-login` element.
Note that we have omitted the password attribute from the above user configuration, since this set of user data is being used only to load the authorities for the user.
A random password is generated internally, preventing you from accidentally using this user data as an authentication source elsewhere in your configuration.
== Attribute Exchange
Spring Security includes support for OpenID https://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange].
As an example, the following configuration tries to retrieve the email and full name from the OpenID provider for use by the application:
====
[source,xml]
----
<openid-login>
<attribute-exchange>
<openid-attribute name="email" type="https://axschema.org/contact/email" required="true"/>
<openid-attribute name="name" type="https://axschema.org/namePerson"/>
</attribute-exchange>
</openid-login>
----
====
The "`type`" of each OpenID attribute is a URI, determined by a particular schema -- in this case, https://axschema.org/[https://axschema.org/].
If an attribute must be retrieved for successful authentication, you can set the `required` attribute.
The exact schema and attributes supported depend on your OpenID provider.
The attribute values are returned as part of the authentication process and can be accessed afterwards by using the following code:
====
[source,java]
----
OpenIDAuthenticationToken token =
(OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
List<OpenIDAttribute> attributes = token.getAttributes();
----
====
We can obtain the `OpenIDAuthenticationToken` from the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
The `OpenIDAttribute` contains the attribute type and the retrieved value (or values in the case of multi-valued attributes).
You can supply multiple `attribute-exchange` elements by using an `identifier-matcher` attribute on each element.
This contains a regular expression that is matched against the OpenID identifier supplied by the user.
See the OpenID sample application in the codebase for an example configuration, providing different attribute lists for the Google, Yahoo and MyOpenID providers.
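Review bot: the `[[servlet-openid]]` anchor at the top of this deleted page was linkable from outside the docs, so a redirect or a short stub pointing to the OAuth 2.0 Login page would avoid 404s for existing bookmarks. Two details on the page itself: the final paragraph names the attribute `identifier-matcher` while the appendix documents it as `identifier-match`, a discrepancy the deletion resolves; and the note that a `<user>` entry without a `password` attribute gets a randomly generated one (so the entry cannot be reused as an authentication source elsewhere) was the security-relevant statement on this page, so if that behaviour of the in-memory user service is not documented anywhere else, it is worth carrying over rather than losing with the OpenID material.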