17

Spring Security is great when the developer wants to secure his web app.

However, what about creating the account? And "forgot password"? Most login pages have these links as well as the username and password fields. Spring's default login page does not have these links... in the good case, it can support "remember me"...

Does Spring support these flows of Create Account, Forgot Password and Change Password? If the answer is yes, can you please point me to some documentation?

I've searched this issue but could not find anything.

Thanks!

OhadR
user3619976
  • I think the answer is no, because these actions are not generic actions; they differ from one application to another. How will Spring know what fields are required in your registration form, or how you want to recover the password (via email, SMS, etc.)? – luizcarlosfx May 09 '14 at 12:43
  • I understand; but I thought maybe there is something generic that is customizable and extensible (like all other Spring projects...) – user3619976 May 09 '14 at 14:29
  • It's not so difficult to implement. Create account is a basic form. I've implemented both in my project and had no difficulty. To recover the password I send an email to the user with a uniqueId (http://java.sun.com/javase/6/docs/api/java/util/UUID.html) and I have a controller that checks that Id and, if it's valid (stored in my user_request table), forwards the user to a page where he will define a new password, since the original password is encrypted. – luizcarlosfx May 09 '14 at 21:06
  • @luizcarlosfx: "It's not so difficult to implement" - but you have to make sure you take care of all cases. E.g. what happens if a user tries to create an account that already exists? What happens if a user tries to create an account that already exists but is inactive? What about the password policy (too long/too short/how many capitals etc.)? What about sending the email with the activation link to the user? What about the controller that will receive the click on the link and activate the account? And more and more... there is a lot of code to write, my friend. – OhadR May 10 '14 at 13:38
  • I cared about everything and I'm still saying that it's not so difficult. Spring offers a lot of cool features that make it easy. First of all, use Hibernate Validator to validate your user (check password size, username size and whatever you want); to check if a username exists I do Ajax requests that check on the database if the username is already used or if the user is disabled. Validating the email is very similar to the recover-password request. I just store a request code in the database in my user_request table and I have dedicated controllers for checking the validity of these codes. – luizcarlosfx May 10 '14 at 14:44
  • Spring Mail makes sending emails easy. I send an email with a link like this: http:localhost:8080/confirm-account?confirmation-code=56b823db-2975-490e-8795-9564f0742b9f – luizcarlosfx May 10 '14 at 14:45

2 Answers

15

You are completely right. AFAIK there is no "generic" package that implements these flows. I've searched a lot for this kind of code a while ago, and found nothing. I think that @luizcarlosfx is right, that each application has its own needs, therefore it is hard to write something generic that fits all needs.


EDIT: I saw comments like "It's not so difficult to implement". True. But you have to make sure you take care of all cases. For example, what happens if a user tries to create an account that already exists? What happens if a user tries to create an account that already exists but is inactive? What about the password policy (too long/too short/how many capitals etc.)? What about sending the email with the activation link to the user? How do you create this link? How do you encrypt it? What about the controller that will receive the click on the link and activate the account? And more and more...


However, I took it a step forward and tried to code something that will answer most flows - registration, forgot-password, change password etc, and something that will be secured enough so applications will be able to use it without the fear that it will be easily hacked.

I have implemented a Java project for this use case. It is open source, based on Spring Security. A release version is on Maven Central, so you do not need to compile it; instead you can fetch it as a Maven dependency into your project!

<dependency>
    <groupId>com.ohadr</groupId>
    <artifactId>authentication-flows</artifactId>
    <version>1.5.0-RELEASE</version>
</dependency>

I think it answers your question...

There are explanations for everything (and if something is missing - let me know...)

You can find here an example for a client application's code (i.e. the usage).

This is the main page of the project plus a demo, and another demo is here (but this is an app that after upgrading to version 1.6.1 requires login with email with "nice" domain - nice.com. so you cannot really use it for demo; use the first example). This is a client web-app that uses the auth-flows, with the README with all explanations.

Hope that helps!

OhadR
  • Looks good! Cool! However, all forms (and beans.xml) are on the **client** side, so the client still has to add stuff... – user3619976 May 10 '14 at 07:45
  • Thanks :-) Of course, the UI forms are something that each app wants differently, so there is really no point in trying to generalize the form. However, I have documented what fields should appear in these forms. – OhadR May 10 '14 at 17:36
  • @DirkConradCoetsee thanks! did you try it? do you use it in your app? i'm curious... – OhadR Sep 12 '14 at 14:38
  • Hi, I am busy trying it. Struggling a bit to implement it. Can I get in contact with you regarding some details? It contains literally everything I need. – D2TheC Sep 12 '14 at 14:41
  • sure. you can post here in SO your question(s), and tag them with `authentication-flows` – OhadR Apr 16 '15 at 12:47
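The comments above describe the forgot-password flow in outline (a random id mailed to the user, a controller that checks it against a user_request table) and the answer lists the cases such a flow has to handle (unknown tokens, expiry, password policy, not leaking whether an account exists). The following is an added example written for this page, not code from the authentication-flows project or from either poster. It is plain JDK with no Spring dependency: the in-memory maps stand in for the user table and the user_request table, `Mailer` is a constructed stand-in for Spring Mail, and the base URL, the 30-minute lifetime and the 12-character minimum are assumptions. Only a SHA-256 hash of the token is stored, so a leaked table does not yield usable links; the token is single-use; and the reset request returns the same message whether or not the address is registered.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Password-reset flow with a hashed, expiring, single-use token (added example, plain JDK). */
public class PasswordResetService {

    /** Delivers the reset link; a real app would plug Spring Mail in here (constructed interface). */
    public interface Mailer { void send(String to, String resetLink); }

    /** One row of the hypothetical user_request table; the token itself is never stored. */
    static final class ResetRequest {
        final String email;
        final Instant expiresAt;
        boolean used;
        ResetRequest(String email, Instant expiresAt) { this.email = email; this.expiresAt = expiresAt; }
    }

    public static final String RESET_MESSAGE =
        "If an account exists for that address, a reset link has been sent.";
    private static final Duration TOKEN_TTL = Duration.ofMinutes(30);   // assumed lifetime
    private static final int MIN_PASSWORD_LENGTH = 12;                  // assumed policy

    private final SecureRandom random = new SecureRandom();
    private final Clock clock;
    private final Mailer mailer;
    private final String baseUrl;
    private final Map<String, String> passwordHashes = new HashMap<>();   // email -> "salt:pbkdf2" (stand-in user table)
    private final Map<String, ResetRequest> requests = new HashMap<>();   // base64(sha256(token)) -> request

    public PasswordResetService(Clock clock, Mailer mailer, String baseUrl) {
        this.clock = clock; this.mailer = mailer; this.baseUrl = baseUrl;
    }

    public void register(String email, String password) {
        if (!isAcceptablePassword(password)) throw new IllegalArgumentException("password policy not met");
        passwordHashes.put(email, hashPassword(password, newSalt()));
    }

    /** Step 1: identical response for known and unknown addresses, so the form cannot enumerate accounts. */
    public String requestReset(String email) {
        if (passwordHashes.containsKey(email)) {
            byte[] raw = new byte[32];
            random.nextBytes(raw);                                      // 256 bits from a CSPRNG
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            requests.put(sha256(token), new ResetRequest(email, clock.instant().plus(TOKEN_TTL)));
            mailer.send(email, baseUrl + "/reset-password?token=" + token);
        }
        return RESET_MESSAGE;
    }

    /** Step 2: the controller behind the link. Unknown, expired or reused tokens and weak passwords are rejected. */
    public boolean completeReset(String token, String newPassword) {
        ResetRequest req = requests.get(sha256(token));
        if (req == null || req.used || clock.instant().isAfter(req.expiresAt)) return false;
        if (!isAcceptablePassword(newPassword)) return false;          // token stays valid for a retry
        req.used = true;                                                // consumed exactly once
        passwordHashes.put(req.email, hashPassword(newPassword, newSalt()));
        return true;
    }

    public boolean checkPassword(String email, String password) {
        String stored = passwordHashes.get(email);
        if (stored == null) return false;
        byte[] salt = Base64.getDecoder().decode(stored.substring(0, stored.indexOf(':')));
        byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
        byte[] actual = hashPassword(password, salt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);                 // constant-time comparison
    }

    static boolean isAcceptablePassword(String p) {
        return p != null && p.length() >= MIN_PASSWORD_LENGTH && !p.chars().allMatch(Character::isLetter);
    }

    private byte[] newSalt() { byte[] s = new byte[16]; random.nextBytes(s); return s; }

    /** SHA-256 is adequate for a random 256-bit token; passwords need a slow hash, hence PBKDF2 below. */
    static String sha256(String value) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    static String hashPassword(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(salt) + ":" + Base64.getEncoder().encodeToString(dk);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        String[] mailbox = new String[1];                               // captures the "sent" link
        PasswordResetService svc = new PasswordResetService(
            Clock.systemUTC(), (to, link) -> mailbox[0] = link, "https://example.invalid");
        svc.register("alice@example.invalid", "correct horse battery 9");
        System.out.println(svc.requestReset("nobody@example.invalid"));
        System.out.println(svc.requestReset("alice@example.invalid"));
        String token = mailbox[0].substring(mailbox[0].indexOf("token=") + 6);
        System.out.println("first use: " + svc.completeReset(token, "new passphrase 42"));
        System.out.println("second use: " + svc.completeReset(token, "another one 43"));
        System.out.println("login: " + svc.checkPassword("alice@example.invalid", "new passphrase 42"));
    }
}
```

In a Spring application the two public methods map onto the two controllers described in the comments: `requestReset` behind the forgot-password form and `completeReset` behind the link's handler, with the maps replaced by the user and user_request tables and `hashPassword` replaced by Spring Security's `PasswordEncoder`. Keeping the token out of the database is the detail that answers "how do you encrypt it?": the link carries the secret, the table only its hash.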
0

I think AppFuse is a tool for what you want. These lines are from its documentation:

AppFuse comes out of the box with features that many applications need, including:

  • Authentication and authorization
  • User management
  • Remember Me (which saves your login information so you don't have to log in every time)
  • Password reminder
  • Signup and registration
  • SSL switching
  • E-mail
  • Extension-less URLs
  • File upload
  • Generic CRUD backend
  • Full Eclipse, IDEA and NetBeans support
  • Fast startup and no deploy with Maven Jetty Plugin
  • Testable on multiple appservers and databases with Cargo and profiles
Dandelion