I need to make SSO for applications and combine user tables.

I want to use spring security with email authentication, without username or password.

How can I do this?

My limitations:

  • A single user can authenticate with multiple emails (like GitHub)
  • User can manage all authentication state and expire a specific authentication (in the profile page)
  • No password. No string username or id. (Because no service supports basic login)

--- EDIT ---

  • OAuth 2.0 / 1.0a authentication

Generated schema (is this proper for this case?):

    create table hib_authentication (
        id BIGINT UNSIGNED not null auto_increment,
        firstAuthenticatedTime TIMESTAMP DEFAULT CURRENT_TIMESTAMP not null,
        ip VARBINARY(16) not null,
        browser VARBINARY(24) not null,
        lastAuthenticatedTime TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP not null,
        user_id INT UNSIGNED not null,
        primary key (id)
    ) ENGINE=InnoDB;
    create table hib_user (
        id INT UNSIGNED not null auto_increment,
        country SMALLINT UNSIGNED not null,
        created TIMESTAMP DEFAULT CURRENT_TIMESTAMP not null,
        locale varchar(255) not null,
        timeZone varchar(255) not null,
        primary key (id)
    ) ENGINE=InnoDB;
    create table hib_user_email (
        id BIGINT UNSIGNED not null auto_increment,
        email varchar(255) not null,
        user_id INT UNSIGNED not null,
        primary key (id)
    ) ENGINE=InnoDB;
    create index index_to_get_authentication_by_user on hib_authentication (user_id);
    alter table hib_user_email
        add constraint UK_isuygi7fmcwnlht8f4plckt6n unique (email);
    create index index_to_search_email_by_user on hib_user_email (user_id);
    alter table hib_authentication
        add constraint authentication_belongs_to_user
        foreign key (user_id)
        references hib_user (id);
    alter table hib_user_email
        add constraint email_belongs_to_user
        foreign key (user_id)
        references hib_user (id);

ceram1
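The asker's three tables mirrored in SQLite, as an added example that is not part of the question, to check that the schema can carry the stated requirements: resolving any of several e-mails to one user, listing that user's authentications for the profile page, and expiring one of them. MySQL types are mapped to SQLite equivalents and every row is constructed sample data; the e-mail lookup only identifies the account, it does not by itself prove the caller owns the address.

```python
import sqlite3

# The asker's hib_* tables, with MySQL types mapped to SQLite equivalents.
SCHEMA = """
CREATE TABLE hib_user (
    id INTEGER PRIMARY KEY AUTOINCREMENT, country INTEGER NOT NULL,
    created TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
    locale TEXT NOT NULL, timeZone TEXT NOT NULL);
CREATE TABLE hib_user_email (
    id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE,
    user_id INTEGER NOT NULL REFERENCES hib_user(id));
CREATE TABLE hib_authentication (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    firstAuthenticatedTime TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
    ip BLOB NOT NULL, browser BLOB NOT NULL,
    lastAuthenticatedTime TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
    user_id INTEGER NOT NULL REFERENCES hib_user(id));
"""

def open_db():
    """Open an in-memory copy of the schema seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    # Constructed data: one user reachable via two e-mails, logged in from two browsers.
    conn.execute("INSERT INTO hib_user (country, locale, timeZone) VALUES (1, 'en_US', 'UTC')")
    conn.executemany("INSERT INTO hib_user_email (email, user_id) VALUES (?, 1)",
                     [("alice@example.com",), ("alice@example.org",)])
    conn.executemany("INSERT INTO hib_authentication (ip, browser, user_id) VALUES (?, ?, 1)",
                     [(b"\x0a\x00\x00\x01", b"firefox"), (b"\x0a\x00\x00\x02", b"chrome")])
    return conn

def user_id_for_email(conn, email):
    """Map any of a user's e-mails to the single user id (identification only, not proof of ownership)."""
    row = conn.execute("SELECT user_id FROM hib_user_email WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None

def list_authentications(conn, user_id):
    """Rows the profile page would show so the user can choose which authentication to expire."""
    return conn.execute("SELECT id, browser FROM hib_authentication WHERE user_id = ? ORDER BY id",
                        (user_id,)).fetchall()

def expire_authentication(conn, user_id, auth_id):
    """Expire one authentication; the user_id predicate stops a user from expiring another user's row."""
    cur = conn.execute("DELETE FROM hib_authentication WHERE id = ? AND user_id = ?", (auth_id, user_id))
    return cur.rowcount == 1
```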
  • So if I know someone's email address I can use the service. That isn't really secure imho. Basically your email address is the username (there is nothing stating that it cannot be an email address; it is just a label for a field). The managing part is not Spring Security; that is your own use case to implement. Spring Security will only check if a user exists, has proper credentials (whatever those may be in your case) and has proper rights to access what he tries to access. – M. Deinum Jul 17 '14 at 05:39
  • @M.Deinum Sorry. I forgot to write about OAuth. And the only reason I want to use Spring Security is OAuth. – ceram1 Jul 17 '14 at 05:59
  • Check this post, it explains how to bypass login forms: http://stackoverflow.com/questions/9902783/preauthentication-with-spring-security-based-on-url-parameters/9919988#9919988 – Kerem YILDIZ Jul 17 '14 at 06:12
  • @KeremYILDIZ Thanks. I think it can be the solution for 'no password' and 'multiple emails per user'. But my boss requested a feature to manage the authentication list, see login history or something. – ceram1 Jul 17 '14 at 07:13

0 Answers