Harmonic Development

Spring Security and Spring Social Demo

Tue, 27 Mar 2012 16:58:16 -0700

I have received several requests for source code to go along with my previous posts about integrating Spring Social into a Spring MVC and Spring Security Web app. I’ve now posted a demo Web application to GitHub, which should be relatively easy to download and run.

http://github.com/sdouglass/spring-security-social

Hopefully this will be useful for folks. It has already been useful for me. While writing this I discovered some issues with how I had integrated Spring Social into my own applications previously. I’m either going to edit my previous posts, or perhaps make new followup posts, to cover what I am doing differently now.

To run the demo app, you will need to create your own applications on Twitter and Facebook:

https://dev.twitter.com/apps/new
https://developers.facebook.com/apps

You will need to create a file src/main/resources/spring-security-social.properties and set the following properties:

site.url - URL used in the OAuth process
social.crypto.password - password for encrypting/decrypting store OAuth secrets
twitter.app.consumerKey - the consumer key for your Twitter application
twitter.app.consumerSecret - the consumer secret for your Twitter application
facebook.app.clientId - the client id for your Facebook application
facebook.app.clientSecret - the client secret for your Facebook application

With all that in place you should be able to run the app with “mvn jetty:run”.

This app supports the following features:

signing up by creating an account with a username and password
signing in with a username and password
new users signing in using Twitter or Facebook accounts
existing users signing in using Twitter or Facebook accounts
existing users connecting their Twitter and Facebook accounts to their local account
existing users disconnecting their Twitter and Facebook accounts from their local accounts

This app is set up to limit users to a one-to-one relationship between local accounts and social accounts from any provider. For example, you cannot link two Twitter accounts to your local account, and you cannot link your Twitter account to two local accounts. This is a subset of the functionality provided by Spring Social, which allows for many-to-many relationships between local and social accounts, but I think it addresses the most common use case.

I plan to go over the demo application in more detail in a future post when I have more time. In the meantime, I will try to respond to questions or comments.

First of all thanks for your useful guide about integration of spring social and spring security. I'm facing some problems configuring ConnectionRepository and UserConnectionRepository in SocialConfig. I posted my problem on Stack Overflow (/questions/9462739/how-to-configure-spring-social). Please can you help me in some way?

Thu, 22 Mar 2012 23:06:14 -0700

It looks like your question on Stack Overflow isn’t available anymore? If you have a new like I’d gladly try to answer your question there. Otherwise I am going to try to make available soon the code for a complete web app that uses Spring Social and Spring Security together. I will post about it when I’ve made the code available. Thanks for reading my posts!

Adding Spring Social to a Spring MVC and Spring Security Web App, Part 3

Fri, 02 Dec 2011 20:21:00 -0800

So far we have implemented and configured the classes for persisting social connection information for users, and tied Spring Social’s Web support in to our sign in and sign up processes in Spring MVC and Spring Security. We have a few last changes to make to our Spring MVC, Java web app, and Spring Security configuration. Then we’ll actually make all this awesome new functionality available in the views of our application. Then we’ll be done! Suddenly way more people will be using your Web application because they can sign in quickly and easily using their Facebook and Twitter accounts. And your app can get social by acting on behalf of your users on their social networks. And best of all it will be trivial for you to add support for other social network providers (e.g. LinkedIn, GitHub, Foursquare, etc.).

Spring MVC Configuration Changes

You will need to modify your Spring MVC configuration to add the two controllers provided by Spring Social Web, ProviderSignInController and ConnectController. We’ve already discussed ProviderSignInController. This controller handles the requests when users sign in to your app using Facebook/Twitter/etc. The ConnectController allows current users to associate their Facebook/Twitter accounts with their accounts in your application, so that they can then also sign in to your application using Facebook/Twitter.

Here is some example XML for configuring these controllers. You could also configure them in a @Configuration class.

<bean class=”org.springframework.social.connect.web.ConnectController”>
    <!— relies on by-type autowiring for the constructor-args —>
    <property name=”applicationUrl” value=”${site.url}” />
</bean>

<bean class=”org.springframework.social.connect.web.ProviderSignInController”>
    <!— relies on by-type autowiring for the constructor-args —>
    <property name=”applicationUrl” value=”${site.url}” />
    <property name=”signUpUrl” value=”/register” />
    <property name=”signInUrl” value=”/login” />
</bean>

I recommend that you make the “applicationUrl” value a configurable property, so that you can use “http://localhost:8080/context” in development, and your application’s real URL in production. Note that Facebook will not redirect users to “localhost”, so as far as I could figure it’s not possible to test Facebook integration on localhost. (If it is possible, feel free to leave details in a comment.) You will also want to provide your application’s sign up and sign in URLs (mine are “/register” and “/login”, as you can see above).

You must also declare your SignInAdapter implementation bean. This should be straightforward as you should be able to have all their dependencies provided by autowiring.

web.xml Changes

You may need to change your application’s web.xml file. If you configure your Spring context using XML and you list your configuration XML files in your web.xml file using the “contextConfigLocation” context-param, you will need to add your social configuration XML file to the list. If you plan on allowing your users to remove associations between their Facebook/Twitter accounts and their accounts in their applications, you will also need to add a Spring filter, HiddenHttpMethodFilter. This filter enables support for HTTP methods beyond just GET and POST from Web browsers, which do not ordinarily support other HTTP methods. Other methods are simulated by providing a hidden input with the other method (e.g. DELETE) as the value. HiddenHttpMethodFilter will modify incoming requests so that your controller methods are invoked as if the browser used the correct HTTP method. Here is how you would declare that filter:

<filter>
    <filter-name>hiddenHttpMethodFilter</filter-name>
    <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>hiddenHttpMethodFilter</filter-name>
    <url-pattern>/connect/*</url-pattern>
</filter-mapping>

You only need to apply it to the “/connect/*” url-pattern as it only applies to the ConnectController, which handles requests to that url-pattern.

Spring Security Configuration Changes

If you are planning to allow your existing users to add and remove associations between their Facebook/Twitter accounts and their accounts in your application, you will want to make sure to secure requests to the “/connect/*” path so that they can only be made by logged in users. For example:

<intercept-url pattern=”/connect/**” access=”IS_AUTHENTICATED_REMEMBERED”/>

“Sign In With …” View Changes

For your users to sign in with Facebook/Twitter, you will need to provide forms that POST to URLs of the format “/signin/(provider name)”, e.g. “/signin/facebook” and “/signin/twitter”, for Facebook and Twitter respectively.

For Facebook signin, you will also need to add a hidden input named “scope” in which you provide a comma separated list of the Facebook permissions your application will need. You will almost certainly want to use the “offline_access” permission, which instructs Facebook to give your application an access token that will not expire. Other useful permissions include “publish_stream” (for posting to a user’s wall) and “manage_pages” (for managing the pages to which a user has admin access).

Here’s an example Facebook sign in form:

<form id=”fb_signin” action=”<c:url value=”/signin/facebook”/>” method=”POST”><input
                  type=”hidden” name=”scope” value=”publish_stream,offline_access”><a
                  href=”javascript:document.forms.fb_signin.submit()” title=”Log In With Facebook”><img
                  src=”<c:url value=”/img/facebook.gif”/>” width=”14” height=”14”/></a></form>

Showing Users Their Social Account Connection Status

You may want to show your users when they have connected one of their social accounts to their account in your application. To do this for a user, you will want to use your UsersConnectionRepository implementation to create a ConnectionRepository for that user. Then you can retrieve a user’s connections and populate model data for display in a view. Here is some example code for adding “twitterConnected” and “facebookConnected” booleans to the model that can be used to show a user whether or not they have connected their Twitter and Facebook accounts.

    ConnectionRepository connectionRepository = socialUserService.createConnectionRepository(user.getUsername());
    List connections = connectionRepository.findConnections(“twitter”);
    if (!connections.isEmpty()) {
      model.addAttribute(“twitterConnected”, true);
    }
    connections = connectionRepository.findConnections(“facebook”);
    if (!connections.isEmpty()) {
      model.addAttribute(“facebookConnected”, true);
    }

Enabling Existing Users to Connect/Disconnect Social Accounts

If you’re showing your users their social account connection status, you may also allow them to connect and disconnect their social accounts too. That way existing users of your application can then sign in using their social accounts, and your application can act on their behalf on their social networks.

This is done by using a form that makes a POST to “/connect/(provider id)”, e.g. “/connect/facebook” and “/connect/twitter”. In the case of connecting an account, you would also potentially need to include the hidden “scope” input mentioned previously, where you would list permissions that your application wants (e.g. “offline_access” for Facebook). In the case of disconnecting an account, you would need to add the hidden “_method” input with a value of “delete”. This will be picked up by the HiddenHttpMethodFilter mentioned earlier so that the POST request actually gets handled by a controller method expecting a DELETE request. Here are some example forms:

Connect:

<form id=”fb_signin” action=”<c:url value=”/connect/facebook”/>” method=”POST”>
<input type=”hidden” name=”scope” value=”publish_stream,offline_access”>
<input type=”submit” name=”submitBtn” value=”Connect”>
</form>

Disconnect:

<form id=”fb_signin” action=”<c:url value=”/connect/facebook”/>” method=”POST”>
<input type=”hidden” name=”_method” value=”delete”>
<input type=”submit” name=”submitBtn” value=”Disconnect”>
</form>

When users submit these forms, the ConnectController will send them to views named “connect/(provider id)Connected” when connecting an account and “connect/(provider id)Connect” when disconnecting an account. You will need to create these two views for every provider your app supports.

OMG, You’re Done!!!

Whew! It took a long way to get here, but you are finally done adding Spring Social to your Spring MVC and Spring Security Web app. Awesome!

The first time you go through this process, it can be a bit overwhelming, but here are two great things about using Spring Social: 1) Once you’ve done this process in one app, you can just repeat it to add social features to other apps, and it gets much easier every time you do it. 2) You can add support for new social providers very quickly and easily, if there are Spring Social implementations for that provider. The list of supported providers is already pretty long and it’s growing all the time thanks to an active community. Another great aspect of Spring Social is how makes it relatively straightforward to write code supporting a new provider. I myself wrote a Spring Social Tumblr implementation without too much difficulty (other than dealing with some non-standard aspects of Tumblr’s API). Maybe I will describe that process in a future post.

Thanks for reading along. Good luck and good coding!

Adding Spring Social to a Spring MVC and Spring Security Web App, Part 2

Thu, 01 Dec 2011 23:08:00 -0800

In Part I of this series, we covered adding the jars/dependencies needed to start using Spring Social in a Spring MVC and Spring Security Web application. We also covered the classes involved in persisting users’ social connection information.

Now we’ll configure our Spring Social related beans. Then we’ll start modifying the MVC configuration and classes to start making Spring Social functionality available to users.

Configuring Spring Social Beans

There are several beans you will need to configure, either using Spring’s traditional XML configuration, or its more recently developed Java configuration. You can find some good example Java and XML configuration in the reference documentation. I’m just going to go over the beans you’ll need to configure:

ConnectionFactoryLocator - this is the central bean of Spring Social; you must register all provider specific connection factories with this bean
FacebookConnectionFactory, TwitterConnectionFactory, etc. - provider specific ConnectionFactory implementations; these take the OAuth consumer key and secret for your Facebook, Twitter, etc. applications; you should provide those key/secret values from a properties file using a PropertyPlaceholderConfigurer
UsersConnectionRepository - either the included JdbcUsersConnectionRepository or your own implementation
ConnectionRepository - the request scoped bean for logged in users created by UsersConnectionRepository.createConnectionRepository() (see the reference documentation for how to use Spring Expression Language to access the currently logged in user’s username)

You’ll want to configure these beans in a new XML file or @Configuration class, and add that file or class to your application context. (For example, you could add it to a “myapp-social.xml” file and add that file to the list of config files in your “contextConfigLocation” context-param value in your web.xml.)

Class to Support Signing In With Facebook/Twitter

Now we start on the meat of the integration between Spring Social and your Spring MVC and Spring Security app.

First we will work on making it possible for users to sign in using Facebook/Twitter/etc. Spring Social Web provides a controller, ProviderSignInController, and an interface, SignInAdapter, that allow you to tie the controller in to your application’s sign in process. The SignInAdapter implementation is what will talk to Spring Security to sign a user in to your application (complete with optional “remember-me” support).

When a user tries to sign in using Facebook/Twitter/etc., ProviderSignInController will check if there is an existing local user associated with the retrieved provider id and provider user id. If an associated local user is found, the controller will call the SignInAdapter implementation with the local user id, the Connection<?> instance, and a NativeWebRequest instance.

Here is my example SignInAdapter. Yours may be slightly different.

public class SignInAdapterImpl implements SignInAdapter {
private UserService userService; // injected
private TokenBasedRememberMeServices tokenBasedRememberMeServices; // injected

public String signIn(String userId, Connection<?> connection, NativeWebRequest request) {
    User user = userService.findByLogin(userId);
    Authentication authentication = SecurityUtil.signInUser(user);
    // set remember-me cookie
    tokenBasedRememberMeServices.onLoginSuccess(
        (HttpServletRequest) request.getNativeRequest(),
        (HttpServletResponse) request.getNativeResponse(),
        authentication);
    return null;
}
…

There are three basic steps being taken in this code:

look up your local user by the given local user id
log the user in to the Spring Security context
set a Spring Security remember-me cookie (this part is optional)

Here is the code from my SecurityUtil.signInUser() method. The basic idea is to create an Authentication instance and set it in the SecurityContext.

public static Authentication signInUser(User user) {
    List<GrantedAuthority> authorities = UserDetailsServiceImpl.createAuthorities(user);
    SpringSecurityUser springSecurityUser = new SpringSecurityUser(user, authorities);
    Authentication authentication = new UsernamePasswordAuthenticationToken(springSecurityUser, user.getPassword(), authorities);
    SecurityContextHolder.getContext().setAuthentication(authentication);
    return authentication;
}

If a local user associated with the provider id and provider user id cannot be found, users will be redirected to a configurable sign up URL. You can also specify a different URL using the return value of SignInAdapter.signIn() (I’m returning null, indicating that the controller should use its signInUrl property.)

Automatic Sign Up / Registration

If you would prefer new users who try to sign in with Facebook/Twitter to be registered automatically, rather than sent to a sign up URL, you will need to make sure that the ProviderSignInController always finds a local user account associated with the provider id and provider user id from a sign in request.

ProviderSignInController calls UserConnectionRepository.findUserIdsWithConnection() and passes in the Connection when checking for associated local users. Inside this method you will need to create a local user account if none is found for the connection.

If you are using the JdbcUsersConnectionRepository class provided by Spring Social, you need to implement the ConnectionSignUp interface. This interface is used in JdbcUsersConnectionRepository.findUserIdsWithConnection() when no user ids are found for a given Connection.

If you have your own UsersConnectionRepository implementation, you do not necessarily need to implement ConnectionSignUp. You just need to modify the code in your “findUserIdsWithConnection()” implementation. You could use ConnectionSignUp the same way that the JdbcUsersConnectionRepository does if you want to, though.

Either way, you will need to write some code that translates the Connection, and probably also the user’s profile info from the provider, into a local user object and persist the new local user. In the case of implementing ConnectionSignUp you would then return the local unique username of the new user.

The user profile can be retrieved from the provider by calling “fetchUserProfile()” on the Connection. Be aware that different providers return different profile data. Twitter, for example, does not return an email address. You may want to perform whatever validation you normally perform during a form-based sign-up to make sure that all the data required by your app are present. If you are implementing ConnectionSignUp and you cannot automatically register the user for whatever reason, you should return null, indicating that no new user was created.

If you do implement ConnectionSignUp you will likely want to declare that bean in your Spring Social Java or XML configuration.

Sign Up Controller Modification

If you need to handle the case when a user tries to sign in via Facebook/Twitter and the sign in fails (because no local user is found, and you either have not enabled automatic registration, or automatic registration failed), you will need to modify your sign up controller. You will need to add code like this to your GET request handler method:

// check for failed sign in/up from facebook/twitter
Connection<?> connection = ProviderSignInUtils.getConnection(request);
if (connection != null) {
// user tried signing in/up with but they could not be signed in or signed up automatically

// present the user with a meaningful error
// errors.reject(“failedSocialSignIn”, “error message goes here”);

UserProfile userProfile = connection.fetchUserProfile();
// copy connection and profile data to your sign up form bean
// validate the data and put errors in the model to display to the user
}

You will probably need to add WebRequest and BindingResult arguments to your GET request method handler.

You will also need to modify your POST request method handler, to complete the social sign in/up process:

// check for failed sign in/up from facebook/twitter
Connection<?> connection = ProviderSignInUtils.getConnection(request);
if (connection != null) {
// finish social signup/login if there is one
ProviderSignInUtils.handlePostSignUp(user.getUsername(), request);
}
// you can then either sign the user in immediately (e.g. using your SignInAdapter implementation)
// or send them to the success view of the registration process per normal

You will probably need to add a NativeWebRequest argument to your POST request method handler.

Next Time: Changing Web and Security Config, and the View

Whew! That was intense. The good news is you are almost done. Next time we will cover changing your Spring MVC config, your web.xml, and your Spring Security config. Then lastly we will cover changes to your views. And then you’ll be done. Hooray! Hang in there.

On to Part 3!

Adding Spring Social to a Spring MVC and Spring Security Web App, Part 1

Thu, 01 Dec 2011 17:08:00 -0800

This series of posts will explain step by step how to add Spring Social to an existing Web application that uses Spring MVC and Spring Security. You will add support for new users to sign in to your application using their Facebook/Twitter accounts. You will add support for current users to associate their Facebook/Twitter accounts with their accounts in your application, so that they too can log in to your application using their Facebook/Twitter accounts. Your application can then also act on a user’s behalf on Facebook/Twitter.

Much of this information is drawn from the Spring Social Core reference documentation. I found myself jumping back and forth between my code and that documentation and feeling like, while the documentation did present most of the necessary information, it did not necessarily present that information in the order in which it became relevant to me during the process of integrating Spring Social into an app. So, I thought I would try to publish a step by step guide to supplement the documentation.

I am going to include information for incorporating both Facebook and Twitter support. If you would like to just include support for one or the other, please note that you will have to edit the example configurations and code appropriately.

Add Core Dependencies

First you will need to add the Spring Social jar files to your project. I use Maven to manage the dependencies of my app. If you do not, you will need to go to the Spring Social site, download the core, Twitter, and Facebook archives, decompress them, and copy the jar files into your application’s lib directory.

If you do use Maven, you will need to make the following changes to your pom.xml file:

1. I recommend you first add properties for the version numbers for the various libraries:

<properties>
    <spring-social.version>1.0.0.RELEASE</spring-social.version>
    <spring-social-twitter.version>1.0.0.RELEASE</spring-social-twitter.version>
    <spring-social-facebook.version>1.0.0.RELEASE</spring-social-facebook.version>
</properties>

Note that the Facebook and Twitter libraries are on their own release schedules and will not necessarily always have the same version number as the core Spring Social libraries. Hence, they should have their own version properties.

2. Add the following dependencies:

    <!— Spring Social Core —>
    <dependency>
      <groupId>org.springframework.social</groupId>
      <artifactId>spring-social-core</artifactId>
      <version>${spring-social.version}</version>
    </dependency>
    <!— Spring Social Web (contains login/signup controllers) —>
    <dependency>
      <groupId>org.springframework.social</groupId>
      <artifactId>spring-social-web</artifactId>
      <version>${spring-social.version}</version>
    </dependency>
    <!— Spring Social Twitter —>
    <dependency>
      <groupId>org.springframework.social</groupId>
      <artifactId>spring-social-twitter</artifactId>
      <version>${spring-social-twitter.version}</version>
    </dependency>
    <!— Spring Social Facebook —>
    <dependency>
      <groupId>org.springframework.social</groupId>
      <artifactId>spring-social-facebook</artifactId>
      <version>${spring-social-facebook.version}</version>
    </dependency>

Optional Dependency: Spring Security Crypto

If you plan to use Twitter or any other OAuth1 service provider, or you plan to encrypt the OAuth token/secret values of your users in your database (which is a good idea), you’ll want to also include the Spring Security Crypto library. Unfortunately, this library is only available in Spring Security 3.1 which has not had a final release yet. If you are not using Maven, you will need to get the jars from the Spring Security downloads page. If you are using Maven, you will first need to add the following repository:

<repositories>
    <repository>
        <id>org.springframework.maven.milestone</id>
        <name>Spring Maven Milestone Repository</name>
        <url>http://maven.springframework.org/milestone</url>
    </repository>
</repositories>

Then with that repository in place you can add the Spring Security Crypto dependency:

    <!— Spring Security Crypto, required if you use: —>
    <!—   any OAuth1 service provider (e.g. Twitter) —>
    <!—   the provided JDBC connection repository classes —>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-crypto</artifactId>
      <version>3.1.0.RC3</version>
    </dependency>

Social User Connection Entity

OK! The first thing you will want to do now that you’ve added your dependencies is figure out how you are going to persist social connection information for your users.

The reference documentation explains that Spring Social Core comes with classes for persisting connection info to a relational database using JDBC. A SQL file is provided in the core jar which you can use to create the necessary table. If you use the SQL and provided classes you do not need to write an entity class to model that data.

I personally use JPA annotations and Hibernate (managed by Spring). So I went ahead and wrote an entity class to model the social connection data:

@Entity
@Table(uniqueConstraints = {@UniqueConstraint(columnNames = { “userId”, “providerId”, “providerUserId” }),
                            @UniqueConstraint(columnNames = { “userId”, “providerId”, “rank” })})
public class SocialUser {

@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private int id;

/**
   * A local identifier for the user, in our case the username.
   */
private String userId;

@Column(nullable = false)
private String providerId;

private String providerUserId;

@Column(nullable = false)
private int rank;

private String displayName;

private String profileUrl;

private String imageUrl;

@Column(nullable = false)
private String accessToken;

private String secret;

private String refreshToken;

private Long expireTime;

private Date createDate = new Date();

…

// getters and setters omitted for brevity

}

This class is based on the SQL definition provided in the Spring Social reference documentation, with the addition of a numerical auto-generated primary key (mostly out of habit I guess), and a create date timestamp for my own information.

Here is a brief overview of the fields:

userId - the reference documentation is not very specific about what value should be used in the “userId” column/field, but based on feedback from the Spring Social forum and from trial and error I suggest using your user’s unique username in your application
providerId - this is the string provider id value, e.g. “facebook”, “twitter”, etc.
providerUserId - this is the user’s unique id in the provider’s system
rank - Spring Social actually allows for 1-n accounts per provider per user (e.g. multiple Facebook accounts associated with one user in your application), and this value determines the order of importance of those accounts; generally though there will just be 1 account per provider per user and this value will generally be 1
displayName, profileUrl, imageUrl - some profile data fields that may or may not be sent to your application by the provider
accessToken, secret, refreshToken, expireTime - these are the OAuth credentials and related information, and you will likely want to encrypt the accessToken and secret values in your database

Implement Connection Persistence Interfaces

As mentioned in the reference documentation there are two interfaces involved in connection persistence:

ConnectionRepository - handles connection persistence methods for one specific user; the implementation bean will be request scoped, created for logged in users of your application
UsersConnectionRepository - handles connection persistence methods across all users; this will be a normal singleton bean in your application context

Spring Social Core comes with implementations that work with a relational database using JDBC. If you use those implementations, you do not need to write your own implementations of these interfaces. More information will be presented later about configuring your app to use those classes.

If you use JPA for your persistence code in your application, you may want to look at this user contributed Spring Social JPA project. I attempted to use that code but felt like it didn’t match up well with how I had structured the code in my app. However, it was a good starting point for my own implementations of ConnectionRepository and UsersConnectionRepository. There are a lot of queries involved and you also have to do some transformation of method arguments and query results to get things working, and some of that work has been done for you in the JPA project.

I personally use Hibernate and Spring for my persistence code, so I wrote a SocialUserDAO interface and implementation. Here are the important finder methods from the DAO:

List<SocialUser> findByUserId(String userId);

List<SocialUser> findByUserIdAndProviderId(String userId, String providerId);

List<SocialUser> findByUserIdAndProviderUserIds(String userId, MultiValueMap<String, String> providerUserIds);

SocialUser get(String userId, String providerId, String providerUserId);

List<SocialUser> findPrimaryByUserIdAndProviderId(String userId, String providerId);

Integer selectMaxRankByUserIdAndProviderId(String userId, String providerId);

List<String> findUserIdsByProviderIdAndProviderUserId(String providerId, String providerUserId);

List<String> findUserIdsByProviderIdAndProviderUserIds(String providerId, Set<String> providerUserIds);

Implementing most of these is fairly straightforward, with the exception of “findByUserIdAndProviderUserIds()”. Make sure that you get the boolean logic correct. You should use something like this pseudo query: “where userId = (userId) AND ((providerId = providerId1 AND providerUserId = providerUserId1) OR (providerId = providerId2 AND providerUserId = providerUserId2) … etc.)”.

Next I wrote an implementation of ConnectionRepository. This is the request scoped bean for logged in users, for working with a single user’s Spring Social connection information. This bean will be instantiated by the UsersConnectionRepository and will have its dependencies passed to its constructor.

public class SocialUserConnectionRepositoryImpl implements ConnectionRepository {

private String userId;
private SocialUserDAO socialUserDAO;
private ConnectionFactoryLocator connectionFactoryLocator;
private TextEncryptor textEncryptor;

public SocialUserConnectionRepositoryImpl(String userId, SocialUserDAO socialUserDAO,
                                            ConnectionFactoryLocator connectionFactoryLocator,
                                            TextEncryptor textEncryptor) {
    this.userId = userId;
    this.socialUserDAO = socialUserDAO;
    this.connectionFactoryLocator = connectionFactoryLocator;
    this.textEncryptor = textEncryptor;
}

…

Here’s a quick rundown of the fields/dependencies:

userId - the userId of the logged in user (as previously stated, this should be the unique username of the user in your application)
socialUserDAO - this is my DAO class, this may be different for you depending on how you handle your persistence
connectionFactoryLocator - this is the core interface of Spring Social, it provides access to connection factories for all the providers (e.g. Facebook, Twitter, etc.) that you have configured for your app
textEncryptor - a Spring Security Crypto class for encrypting/decrypting OAuth credentials stored in your database

Given these (or equivalent) dependencies, implementing the ConnectionRepository interface is relatively straightforward. You will likely need to write a few methods in your class to perform the following tasks:

creating a ConnectionData instance based on an instance of your local social user entity class (this is where you’d decrypt OAuth credentials)
creating a local social user entity instance based on a ConnectionData instance (this is where you’d encrypt OAuth credentials)
using the ConnectionFactoryLocator to create a Connection<?> instance from a ConnectionData instance

Next up comes implementing UsersConnectionRepository. Fortunately this interface only has three methods and is much simpler to implement than ConnectionRepository.

Your implementation should have the following or equivalent fields/dependencies:

a DAO or other class for your social user entity data access methods
an encryption password, provided from a configuration file, used to initialize the TextEncryptor
a ConnectionFactoryLocator and a TextEncryptor (these will just be used as constructor arguments when instantiating your ConnectionRepository implementation for users)
you may also want a configurable boolean that turns encryption/decryption on and off so that you can disable encryption of OAuth tokens in development

Here is an example of how you can initialize your TextEncryptor instance in code (instead of XML) if you so choose:

@PostConstruct
public void initializeTextEncryptor() {
textEncryptor = Encryptors.text(encryptionPassword, KeyGenerators.string().generateKey());
}

Next Time: Spring Social, MVC, and Security Configuration

That’s all for Part 2. Next time we will pick up with configuration of your ConnectionRepository and UsersConnectionRepository implementations, as well as the core Spring Social class, ConnectionFactoryLocator, and ConnectionFactory implementations for Facebook and Twitter. From there, we’ll implement two more interfaces, for Spring Social Web, and begin modifying the MVC portion of our app.

On to Part 2!