使用OpenID4Java的Spring Security 3.0谷歌Apps的开放ID登录

Question

我尝试使用谷歌Apps的公开识别码与OpenID4Java库签署。

我发现使用以下代码在消费类用户的服务：

        try
        {
            discoveries = consumerManager.discover(identityUrl);
        }
        catch (DiscoveryException e)
        {
            throw new OpenIDConsumerException("Error during discovery", e);
        }

        DiscoveryInformation information = consumerManager.associate(discoveries);
        HttpSession session = req.getSession(true);
        session.setAttribute(DiscoveryInformation.class.getName(), information);
        AuthRequest authReq;

        try
        {
            authReq = consumerManager.authenticate(information, returnToUrl, realm);

            // check for OpenID Simple Registration request needed
            if (attributesByProvider != null || defaultAttributes != null) 
            {
                //I set the attributes needed for getting the email of the user
            }
        }
        catch (Exception e)
        {
            throw new OpenIDConsumerException("Error processing ConumerManager authentication", e);
        }

        return authReq.getDestinationUrl(true);

接下来，我从HTTP请求获得的参数和在openid.claimed_id属性我接收“ HTTP：// domain.com/openid?id= ....”如果我尝试验证响应consumerManager.verify(receivingURL.toString(), openidResp, discovered);则抛出异常。org.openid4java.discovery.yadis.YadisException: 0x706: GET failed on http://domain.com/openid?id=... : 404:Not Found

要避免我试图修改参数列表中的异常改变值“ http://domain.com/ ？OpenID的ID = .... “到” HTTPS：/ /www.google.com/a/domain.com/openid?id= ....“

 // extract the receiving URL from the HTTP request
        StringBuffer    receivingURL = request.getRequestURL();
        String          queryString  = request.getQueryString();

        // extract the parameters from the authentication response
        // (which comes in as a HTTP request from the OpenID provider)
        ParameterList        openidResp = new ParameterList(request.getParameterMap());
        Parameter endPoint = openidResp.getParameter("openid.op_endpoint"); 
        if (endPoint != null && endPoint.getValue().startsWith("https://www.google.com/a/"))
        {           
            Parameter parameter = openidResp.getParameter("openid.claimed_id");
            if (parameter != null)
            {
                String value = "https://www.google.com/a/" + parameter.getValue().replaceAll("http://", "");
                openidResp.set(new Parameter("openid.claimed_id", value));
                queryString = queryString.replaceAll("openid.claimed_id=http%3A%2F%2F", "openid.claimed_id=https%3A%2F%2Fwww.google.com%2Fa%2F");
            }
            parameter = openidResp.getParameter("openid.identity");
            if (parameter != null)
            {
                String value = "https://www.google.com/a/" + parameter.getValue().replaceAll("http://", "");
                openidResp.set(new Parameter("openid.identity", value));
                queryString = queryString.replaceAll("openid.claimed_id=http%3A%2F%2F", "openid.claimed_id=https%3A%2F%2Fwww.google.com%2Fa%2F");
            }
        }

        if ((queryString != null) && (queryString.length() > 0))
        {
            receivingURL.append("?").append(queryString);
        }

        // retrieve the previously stored discovery information
        DiscoveryInformation discovered = (DiscoveryInformation) request.getSession().getAttribute(DiscoveryInformation.class.getName());

        // verify the response
        VerificationResult verification;

        Map userDetails = new HashMap();

        try
        {
            verification = consumerManager.verify(receivingURL.toString(), openidResp, discovered);

            // check for OpenID Simple Registration request needed
            if (attributesByProvider != null || defaultAttributes != null)  
            {
                //Here I get the value of requested attributes 
            }
        }
        catch (Exception e)
        {
            throw new OpenIDConsumerException("Error verifying openid response", e);
        }

        // examine the verification result and extract the verified identifier
        Identifier                  verified = null;
        if (verification != null)
        {
            verified = verification.getVerifiedId();
        }
        OpenIDAuthenticationToken   returnToken;
        List       attributes = null;

        if (verified != null)
            returnToken =  new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.SUCCESS, verified.getIdentifier(), "some message", attributes);
        else
        {
            Identifier id = discovered.getClaimedIdentifier();
            return new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.FAILURE, id == null ? "Unknown" : id.getIdentifier(), "Verification status message: [" + verification.getStatusMsg() + "]", attributes);
        }

现在的方法consumerManager.verify没有抛出了异常，但其状态更改为失败。在日志中的以下错误出现

09:46:45,424 ERROR ConsumerManager,http-80-1:1759 - No service element found to match the ClaimedID / OP-endpoint in the assertion.
09:46:45,428 ERROR ConsumerManager,http-80-1:1183 - Discovered information verification failed.

我看到一个论坛，类似的问题，但解决的办法是改变consumerManager.verify到consumerManager.verifyNonce。我不知道，如果使用这种方法不会产生安全问题。你有什么要我换作我开放ID用户与谷歌Apps的工作OpenID的任何想法？

Answer 1

谷歌Apps使用比是在OpenID4Java的基础版本支持一个稍微不同的发现过程。有在 http://code.google.com/p/step2/你可能在 http://code.google.com打有用的（和更高层次的包装/ p / OpenID的过滤器/ 。）

我不知道任何人做了与修改后的第二步类的Spring Security集成的，但它不应该太难修改代码以适当的设置第二步。它是建立在OpenID4Java和写入依赖方的代码大多是相同的。