Development how to – Simple integration of a Facebook login with Spring Security Framework (archived)

Kevin Deyne

A 25-year-old Software Engineer with a passion for Web, Java and Writing. Working at RealDolmen, he focuses on customer-centric projects that can actually help people and move organisations forward. Most hours of the day, he's thinking about code, integrating architectures and how to solve the next big problem. He also wrote a Lovecraft-inspired thriller called Whitewood and is working on Envir, a high-end project management tool.

13 COMMENTS
  • Kevin Phan

    Thanks for your tutorial. That's really helpful for me.

  • Alejandra Oliver

    Thanks for the good write-up.

  • nole

    do you have the code in github for example?

    1. Kevin Deyne

      Thanks for the suggestion – I was considering putting up a code example. I will let you know once I’ve had the time to put it on github.

    2. Kevin Deyne

      You can now see a code example (with Spring Boot) at https://github.com/kevindeyne/simple-facebook-integration-spring-sec

  • Gagan Sandhu

    I would like to thank you for such an amazing tutorial. I was looking for a thing like this but never found anything which is this simple and working. Most of the time everyone uses a server-side implementation of social accounts.

    Thank you so much for such a great tutorial.

    1. Kevin Deyne

      Hi,

      Thanks for the kind words! I’m very pleased you found this helpful. :)

  • Alex

    Well, what can stop me from sending a POST request to ‘/account/facebook-login’ and being logged into your application?

    1. Kevin Deyne

      The “X-CSRF-Token” part prevents cross site request forgery. See https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html for more info. When using Java based configuration with Spring Security, this is enabled by default on the server-side (regardless of whether you use Spring Social or not, of course). You do have to remember to pass the token through the script and incorporate it into the Thymeleaf page.

  • Alex

    I can get this token just by entering your page, then apply it in tool like POSTMAN for chrome. Send a POST and I’m logged in. No?

    1. Kevin Deyne

      I think this is a good question. The big thing you should bump into when we’re dealing with hosted environments is the so-called Same Origin Policy (http://stackoverflow.com/questions/21473515/why-csrf-token-should-be-in-meta-tag-and-in-cookie). I am not sure how POSTMAN itself really works, considering it’s an extension. I would expect it to fail with actual production sites (as your localhost is different from the hosted environment), but I suppose it likely sees a local development environment as being within the same origin. I’d be interested to hear about this.

      There are alternatives available to storing the token in the meta tag, but generally speaking this (also called the ‘Synchronizer Token Pattern’) is agreed to be a solid working system for general use. The OWASP site explores this in greater detail than I do in my post or this comment: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern

      I believe it is possible to relax this policy (as it does sometimes bring certain programming constraints), but doing so obviously comes with its security risks. Without the policy in effect, it would definitely be possible for an external (not part of the page’s hosted domain) to do exactly that. I don’t believe the CSRF token by itself has information that prevents it from being sent from a different location, it just seems like a token that can be verified server side.

      Side note: I wonder if that would be easy to introduce/not too resource intensive – compare the actual request's origin-derived hash value with the passed hash value? I’m not sure if that would decrease its security value, considering you could – to an extent – reverse engineer it when it’s not quite fully random; or actually increase it, by preventing a mismatch between origin and token.

      1. Alex

        As a result: it’s a COMPLETELY INSECURE solution in your post. You can’t do a secure login without server-to-server validation of the OAuth token.

        1. Kevin Deyne

          Hey Alex,

          Sorry it took me a while to reply – I was out of the country for a while.

          I have updated my code to now use Spring Social entirely, eliminating your valid point on the security with the AuthTokens. Check out my new post at:
          http://www.scorgar.be/blog/development-how-to-simple-integration-of-a-facebook-login-with-spring-security-framework-2/

          Thanks for the valuable feedback!
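To make the two points in this thread concrete (the CSRF token only proves the POST came from the page, and Alex's point that the Facebook token must be validated server-to-server), here is an added example that is not part of the original post or its comment thread. It is written in Python rather than Spring for brevity; the route name ‘/account/facebook-login’ is taken from the thread, the Graph API `debug_token` endpoint is real, and the `fetch` parameter is a hypothetical hook so the check can be run offline with constructed responses.

```python
"""Added example (not from the original post): a login handler that rejects a
forged POST even when the CSRF token is right, by asking Facebook to confirm
the access token server-to-server before any session is created."""
import hmac
import json
from typing import Callable, Optional
from urllib.parse import urlencode
from urllib.request import urlopen

# Real Graph API endpoint: returns {"data": {"app_id", "is_valid", "user_id", ...}}
GRAPH_DEBUG_TOKEN = "https://graph.facebook.com/debug_token"


def default_fetch(url: str) -> dict:
    """Real HTTP fetch; tests swap in a constructed response instead."""
    with urlopen(url, timeout=5) as resp:
        return json.load(resp)


def verify_facebook_token(input_token: str, app_id: str, app_token: str,
                          fetch: Callable[[str], dict] = default_fetch) -> Optional[str]:
    """Return the Facebook user id only if Facebook says the token is valid AND
    was issued for *our* app. app_token ("app_id|app_secret") stays server-side."""
    url = GRAPH_DEBUG_TOKEN + "?" + urlencode({"input_token": input_token,
                                               "access_token": app_token})
    data = fetch(url).get("data", {})
    if not data.get("is_valid"):
        return None                      # forged, expired or revoked token
    if str(data.get("app_id")) != app_id:
        return None                      # valid token, but minted for another app
    return str(data["user_id"])


def facebook_login(form: dict, session_csrf: str, app_id: str, app_token: str,
                   fetch: Callable[[str], dict] = default_fetch) -> dict:
    """Simulated handler for POST /account/facebook-login (route name from the
    thread). CSRF is checked first, but it only shows the request came from our
    page; the identity comes solely from Facebook's answer, never from a user id
    the client chooses to send."""
    if not hmac.compare_digest(form.get("_csrf", ""), session_csrf):
        return {"status": 403, "reason": "bad csrf token"}
    user_id = verify_facebook_token(form.get("accessToken", ""),
                                    app_id, app_token, fetch)
    if user_id is None:
        return {"status": 401, "reason": "facebook rejected token"}
    return {"status": 200, "user_id": user_id}   # safe to create the session now
```

A POST with a copied CSRF token and a made-up access token therefore gets a 401 from the server, not a session.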
