OpenID for Java Web applications, Part 1: Enable your Java Web applications to use OpenID authentication

J. Steven Perry, Principal Consultant, Makoto Consulting Group, Inc.

J. Steven Perry is an independent software development consultant and has been developing software professionally since 1991. Steve has a passion for software development, and enjoys writing about software development and mentoring other developers. He is the author of Java Management Extensions (O'Reilly) and Log4j (O'Reilly), and Joda-Time (which he wrote for IBM developerWorks). In his spare time he hangs out with his three kids, rides his bike, and teaches yoga. Steve is the owner and princi

Summary: OpenID is a decentralized authentication protocol that makes it easier for users to access resources in your Java Web applications. In this first half of a two-part article, you'll learn about the OpenID Authentication Specification and walk through the steps of incorporating it into a sample Java application. Rather than implement the OpenID Authentication specification by hand, author J. Steven Perry uses the openid4java library and a popular OpenID provider, myOpenID, to create a s

Tags for this article: authentication, java, openid, openid4java, sign-on, single, steve_perry, webs

OpenID is a decentralized authentication mechanism. Using OpenID, I can prove I own a URI such as http://openid.jstevenperry.com/steve, and I can use that identity to authenticate myself with any site that supports OpenID — such as Google, Slashdot, or Wordpress. Clearly, OpenID is great for end users. But using it got me to thinking: "What about using OpenID to create a standard, reliable authentication system for the Java-based Web applications I write for my customers?"

In this two-part article I will show you how to use the openid4java library and a well-known OpenID provider, myOpenID, to create an authentication system for a Java-based Web application. I'll also show you how to receive user information with the OpenID Simple Registration Extension (SReg).

I'll start by explaining what OpenID is and showing you how to get an OpenID of your own. Next, I will present a brief overview of how OpenID authentication works. Finally, I will walk through the steps involved in performing OpenID authentication using openid4java. In the second half of this article, you'll learn how to create your own OpenID provider.

Throughout the discussion I'll be working with a Wicket-based Java Web application that I wrote specifically for this article. You can download the source code for the application any time. You also might want to take a look at the openid4java library (see Resources).

Note: This article focuses on using OpenID for Java Web applications, but OpenID works in any software architectural scenario.

Introduction to OpenID

OpenID is a specification for proving that a user owns an identifier. For now, just think of an identifier as a String that uniquely identifies a user. If you're like me, you own many identifiers or userids. I have a userid at Facebook, another at Twitter, and others at dozens of sites that I use around the Internet. I always try to use the same userid, but it's not available on every new site I sign up for. So, I have a mental map of all of my userids and the Web sites they're associated with. What a

OpenID solves exactly this problem. Using OpenID, I claim an identifier and use it on any site or Web resource that has adopted the protocol. The latest figures (from the OpenID Web site) say that more than 50,000 Web sites support OpenID, including Facebook, Yahoo!, Google, and Twitter.

OpenID authentication

OpenID authentication is at the heart of OpenID, and consists of three main concepts:

The OpenID Identifier: A String of text that uniquely identifies the user.
The OpenID Relying Party (RP): An online resource (probably a Web site, but it could be a file, an image, or pretty much anything you want to control access to) that uses OpenID to identify who can access it.
The OpenID Provider (OP): A site where users can claim an OpenID and subsequently sign in and authenticate their identity for the benefit of any RP.

The OpenID Foundation is a consortium whose members are interested in promoting open source identity management through the OpenID specification.

How does OpenID work?

Suppose a user is attempting to access a resource that is part of an RP's Web site, and the RP uses OpenID. To access the resource, the user must present his OpenID in a form that can be recognized (normalized) as an OpenID. The identifier resolves, through a process called discovery, to the OP's location. The RP then takes the user's identifier and redirects the user to the OP, where he will be required to prove his claim to that ID.

Let's briefly consider each component of the OpenID specification and its role in this process.

OpenID Identifiers

At the heart of OpenID is, of course, the OpenID Identifier. An OpenID Identifier (or just "identifier") is a human-readable String of characters that uniquely identifies someone. No two users have the same OpenID, and that's what makes OpenID work. By following stipulations in the OpenID Authentication Specification Version 2.0, OpenID RPs are able to decode (or "normalize") an identifier to figure out how to authenticate a user. In the operational world of OpenID, where we as developers write

User-Supplied Identifier
Claimed Identifier

As the name suggests, a User-Supplied Identifier is the identifier supplied by the user to the RP. The User-Supplied Identifier must be normalized into a Claimed Identifier, which is just a fancy way to say that the identifier supplied by the user is transformed into a standard form. The Claimed Identifier can then be used to locate the OP through a process called discovery, after which the OP will authenticate the user.

OpenID Relying Party

It is normally the RP that is presented with a User-Supplied Identifier, which is normalized to a Claimed Identifier. The user's browser (the "User Agent") will be redirected to the OP so that the user can provide his or her password and be authenticated.

The RP neither knows nor cares about the specifics of how a Claimed Identifier is authenticated; it only wants to know whether the OP has successfully authenticated the user, which it confirms by verifying the signed response the OP sends back (the Verification step described later). If so, the User Agent (again, probably the user's browser) is forwarded to the secure resource that the user was attempting to access. If the user cannot be authenticated, then the RP denies access.

OpenID Provider (OP)

The OP, or OpenID Provider, is responsible for issuing Identifiers and performing user authentication. OPs also provide Web-based management of OpenIDs. OPs typically collect and hold basic profile information about each user, such as:

E-mail address
Full name
Date of birth
Postal code
Country
Primary language

When an OP is asked to authenticate a Claimed Identifier, the user's browser is directed to a sign-in page where the user is challenged to enter his password. At that point, control is with the OP. If the user is successfully authenticated, then the OP directs the browser to a location specified by the RP (in a special "return-to" URL). If the user cannot authenticate, he will probably receive a message from the OP that his authentication attempt failed (at least that's the case with ClaimID and

Becoming an OpenID Relying Party

So now you know about the major components of OpenID and how they fit together. For the remainder of the article, we'll focus on writing an OpenID Relying Party (RP) using the open source openid4java library.

The first step in using OpenID is to get an identifier. It's easy to do: just go to myOpenID and click the SIGN UP FOR AN OPENID button. Pick an OpenID like redneckyogi or jstevenperry (both of which are mine, by the way). The sign-up form will tell you whether the userid you've chosen is already taken. If not, you'll be instructed to enter a password, an e-mail address, some text in a JCaptcha-style text box (you're not a bot, are you?), and that's it!

Some minutes later you'll get an e-mail at the address provided containing a link. Click the link to confirm your e-mail address and — congratulations! — you now have an OpenID!

Of course, as with any awesome technology there are numerous OpenID providers to choose from (see Resources for a complete list).

To illustrate how quick and easy it is to get an OpenID, I signed up for accounts at myOpenID, Verisign, and ClaimID in the space of about 30 minutes. And that includes time spent entering detailed information and uploading a picture!

You may already have an OpenID

According to OpenId.net, Google, Wordpress, and other popular sites support OpenID. If you've signed up for any of these sites you may already have an OpenID.

For instance, if you have a Yahoo! account, you probably also have an OpenID (I did, and didn't even know it). You just use your Yahoo! ID when you sign in, and Yahoo is your OpenID Provider. You provide your Yahoo-based OpenID as whatever@yahoo.com and the RP will ask Yahoo to authenticate you (you can actually see this in action if you run the sample application that accompanies this article).

About the sample application

As I said at the beginning of this article, I've written a Java Web application that uses openid4java to create a simple OpenID Relying Party (RP). It is a simple application that you can build (as a WAR), drop into Tomcat, and run from your local machine. The sample application has a very tight focus:

The user enters her OpenID on a registration page.
The application verifies the Identifier (by directing the user to her OP to sign in).
Upon successful authentication, the application retrieves the user's profile information from the OP, and directs the user to a Save page where she can review and save her profile information.
The information displayed on the Save page is pulled from the information available from the OP.

I wrote the application with Wicket because, well, I really like Wicket. But I've tried to minimize Wicket's "footprint" so that it doesn't distract you from learning how to write an OpenID Relying Party.

The architecture of the sample application is divided into two areas of responsibility:

User interface written in Wicket
OpenID authentication — using the openid4java library

Of course the two areas intersect, but again, I have tried to keep overlap to a minimum to make it easier to follow the OpenID instructions, rather than getting distracted by the details of Wicket.

About openid4java and the sample application code

The OpenID Authentication spec is complicated. If you implement specifications all the time, you'll probably be very comfortable writing your own implementation. As for me, I'm lazy. I don't want to do any more work than I have to in order to solve the problem at hand, which is where the openid4java library comes into play. openid4java is an implementation of the OpenID Authentication specification that makes it much easier to use OpenID programmatically.

The code listings that follow show the openid4java API calls an RP makes to use OpenID. One thing you may notice is how little code the sample application actually needs to make this happen. openid4java really does make your life easier.

To reduce the Wicket footprint in the sample application, I've isolated the code that calls openid4java into its own Java class called RegistrationService (located in com.makotogroup.sample.model). This class contains five methods that correspond to the usage of the openid4java API:

getReturnToUrl() returns the URL that the browser will be directed to once successful authentication has taken place.
getConsumerManager() is used to obtain an instance of the main openid4java API class. This class handles all of the work the sample RP application needs to perform authentication.
performDiscoveryOnUserSuppliedIdentifier() does what its name implies: it performs discovery on the User-Supplied Identifier, and handles any problems that arise during the discovery process.
createOpenIdAuthRequest() creates the AuthRequest object that is required to make the authentication request.
processReturn() handles processing of the authentication request's results.

Writing the RP

The whole point of authentication is for the user to prove his or her identity. Doing this protects a Web resource from access by unwanted or malicious visitors. Once the user has proved his identity, you decide whether or not to grant him access to the resource (though authorization is beyond the scope of this article).

The sample application for this article performs a function common to many Web sites: user registration. It assumes that if the user can prove his identity then he is allowed to register. It's a simple premise, but it will demonstrate how a typical "conversation" with the OP goes and how to use openid4java to do it. Here are the basic steps:

Obtain the User-Supplied Identifier: The RP gets the user's OpenID.
Discovery: The RP normalizes the User-Supplied Identifier to determine which OP to contact for authentication and how to contact it.
Association: An optional step, but one I highly recommend, wherein the RP and OP establish a shared secret (an association) that the RP later uses to verify the OP's signed response.
Authentication request: The RP asks the OP to authenticate the user.
Verification: The RP checks the response the OP sends back: that it arrived at the expected return-to URL, that it refers to the endpoint found during discovery, that its nonce has not been seen before, and that its signature is valid. This is what ensures the assertion has not been forged, tampered with, or replayed.
Proceed to application: Following authentication, the RP directs the user to the resource he or she initially requested.
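The six steps above, carried through end to end in one added example. This is not code from the article's RegistrationService or from the openid4java project, although it calls only openid4java's public ConsumerManager, AuthRequest, SReg and VerificationResult classes. The class name OpenIdRelyingParty, the Map that stands in for the servlet HttpSession, and the returnToUrl and receivingUrl parameters (which the Web framework, Wicket in the article, would supply) are assumptions made for illustration.

```java
// Added example (not from the article or openid4java): a minimal relying party.
// Assumes openid4java (org.openid4java.*) on the classpath. The "session" Map
// stands in for HttpSession; returnToUrl/receivingUrl come from the web layer.
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.MessageExtension;
import org.openid4java.message.ParameterList;
import org.openid4java.message.sreg.SRegMessage;
import org.openid4java.message.sreg.SRegRequest;
import org.openid4java.message.sreg.SRegResponse;

public class OpenIdRelyingParty {

    // One ConsumerManager per application: it holds the associations (shared
    // secrets) and the nonce verifier that rejects replayed responses. A fresh
    // instance per request would discard both.
    private static final ConsumerManager MANAGER;
    static {
        try {
            MANAGER = new ConsumerManager(); // some versions declare ConsumerException
        } catch (Exception e) {
            throw new IllegalStateException("cannot create ConsumerManager", e);
        }
    }

    // Session key under which the DiscoveryInformation is parked between the
    // redirect to the OP and the OP's return (assumed name).
    private static final String SESSION_KEY = "openid.discovered";

    /** Steps 1-4. Returns the URL the browser must be redirected to. */
    public static String beginAuthentication(String userSuppliedIdentifier,
                                             String returnToUrl,
                                             Map<String, Object> session) throws OpenIDException {
        // Step 2: normalize the User-Supplied Identifier and discover OP endpoints.
        List<?> discoveries = MANAGER.discover(userSuppliedIdentifier);
        if (discoveries.isEmpty()) {
            throw new IllegalArgumentException("no OpenID endpoint found for " + userSuppliedIdentifier);
        }
        // Step 3: associate (Diffie-Hellman shared secret). The returned
        // DiscoveryInformation is the endpoint verification must later be checked against.
        DiscoveryInformation discovered = MANAGER.associate(discoveries);
        session.put(SESSION_KEY, discovered);

        // Step 4: build the authentication request and ask for SReg attributes.
        AuthRequest authReq = MANAGER.authenticate(discovered, returnToUrl);
        SRegRequest sreg = SRegRequest.createFetchRequest();
        sreg.addAttribute("email", true);     // required attribute
        sreg.addAttribute("fullname", false); // optional attribute
        authReq.addExtension(sreg);

        // A GET redirect is accepted by both OpenID 1.1 and 2.0 endpoints.
        return authReq.getDestinationUrl(true);
    }

    /**
     * Steps 5-6. receivingUrl is the exact URL the browser hit (query string
     * included); requestParams is the servlet request's parameter map.
     * Returns the verified identifier plus SReg attributes, or null on failure.
     */
    public static Map<String, String> completeAuthentication(String receivingUrl,
                                                             Map<String, String[]> requestParams,
                                                             Map<String, Object> session) throws OpenIDException {
        // No pending request in this session: there is nothing to verify against.
        DiscoveryInformation discovered = (DiscoveryInformation) session.remove(SESSION_KEY);
        if (discovered == null) {
            return null;
        }
        ParameterList response = new ParameterList(requestParams);
        // verify() checks return_to against receivingUrl, the endpoint against
        // what discovery found, the nonce for replay, and the signature (using the
        // association, or a check_authentication round trip if there is none).
        VerificationResult result = MANAGER.verify(receivingUrl, response, discovered);
        Identifier verified = result.getVerifiedId();
        if (verified == null) {
            return null; // treat as a failed login, never as partial success
        }
        Map<String, String> profile = new HashMap<>();
        profile.put("identifier", verified.getIdentifier());

        // SReg attributes arrive as an extension on the positive assertion.
        AuthSuccess success = (AuthSuccess) result.getAuthResponse();
        if (success.hasExtension(SRegMessage.OPENID_NS_SREG)) {
            MessageExtension ext = success.getExtension(SRegMessage.OPENID_NS_SREG);
            if (ext instanceof SRegResponse) {
                SRegResponse sregResp = (SRegResponse) ext;
                profile.put("email", sregResp.getAttributeValue("email"));
                profile.put("fullname", sregResp.getAttributeValue("fullname"));
            }
        }
        return profile;
    }
}
```

In a servlet, beginAuthentication() is called from the form handler and its return value passed to response.sendRedirect(); the return-to handler reconstructs the receiving URL from request.getRequestURL() plus request.getQueryString() and passes request.getParameterMap() to completeAuthentication(). The DiscoveryInformation must be the one saved before the redirect: verifying against whatever endpoint the response itself names would let an attacker point the RP at an OP of his own choosing.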
Next, we'll look at each of these steps in detail, including code examples. As we progress through the sections below, I will use a single example to illustrate the OpenID authentication process from start to finish.

Obtain the User-Supplied Identifier

This is the job of your RP application. In the working example, the userid is obtained on the application's OpenIdRegistrationPage. I enter my OpenID and click the Confirm OpenID button. The sample application (which acts as the RP) now has my User-Supplied Identifier. Figure 1 shows a screen shot of the sample application in action.

Figure 1. Obtaining the User-Supplied Identifier

In this case, the User-Supplied Identifier is redneckyogi.myopenid.com.

The UI code is responsible for two things: making sure the user has entered text into the Your OpenID text box, and submitting the form when the user clicks the Confirm OpenID button. Following confirmation, the application begins the call sequence. Listing 1 shows the code for the OpenIdRegistrationPage that submits the form and makes this call sequence.

Listing 1. Wicket UI code to make the OpenID authentication call sequence using RegistrationService.java

Try not to get too distracted by the example and how it fits into the Wicket UI code (though if you're curious, feel free to look at OpenIdRegistrationPage.java, from which Listing 1 was taken). The important point here is that when the user clicks the button, the UI code delegates to the various methods of RegistrationService to call openid4java's API, doing three things (each of which is in bold in Listing 1):

Perform discovery on the User-Supplied Identifier
Create the openid4java AuthRequest object that will be used to make the authentication request
Redirect the browser to the OpenID provider

After redirecting the browser, the UI code is done and control is in the hands of the OP. Notice that myopenid.com is part of the identifier and the User-Supplied Identifier is not a well-formed URL. Still, enough information is encoded in this identifier to allow openid4java to normalize and perform discovery on it. We will see that next.
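What normalization does to an identifier like redneckyogi.myopenid.com is specified in section 7.2 of OpenID Authentication 2.0. The following added example (not code from the article, its sample application, or openid4java, which does this work inside discover()) applies those rules by hand, so the step from User-Supplied Identifier to Claimed Identifier is visible. The class IdentifierNormalizer, its Normalized result type, and the inputs in main are constructed for illustration; the network part of the spec's rule, following redirects to the final URL, is omitted because it cannot be done offline. Note that RFC 3986 normalization writes an empty path as "/", which is the form the spec's own Appendix A.1 examples use.

```java
// Added example (not from the article or openid4java): OpenID 2.0 section 7.2
// identifier normalization, written out by hand. Redirect-following is omitted.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public final class IdentifierNormalizer {

    /** The Claimed Identifier and whether it is an XRI or a URL. */
    public static final class Normalized {
        public final String claimedIdentifier;
        public final boolean xri;
        Normalized(String claimedIdentifier, boolean xri) {
            this.claimedIdentifier = claimedIdentifier;
            this.xri = xri;
        }
    }

    // XRI global context symbols from XRI Syntax 2.0 section 2.2.1, plus '('
    // (a cross-reference), exactly as section 7.2 of the OpenID spec lists them.
    private static final String XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!(";

    public static Normalized normalize(String userSupplied) {
        if (userSupplied == null || userSupplied.trim().isEmpty()) {
            throw new IllegalArgumentException("identifier required");
        }
        String id = userSupplied.trim();

        // Rule 1: an "xri://" prefix is stripped; what remains is an XRI.
        if (id.regionMatches(true, 0, "xri://", 0, 6)) {
            return new Normalized(id.substring(6), true);
        }
        // Rule 2: a leading global context symbol marks the identifier as an XRI.
        if (XRI_GLOBAL_CONTEXT_SYMBOLS.indexOf(id.charAt(0)) >= 0) {
            return new Normalized(id, true);
        }
        // Rule 3: otherwise it is a URL; prefix "http://" when no http(s) scheme is given.
        if (!id.regionMatches(true, 0, "http://", 0, 7) && !id.regionMatches(true, 0, "https://", 0, 8)) {
            id = "http://" + id;
        }
        URI uri;
        try {
            uri = new URI(id);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URL identifier: " + userSupplied, e);
        }
        if (uri.getHost() == null) {
            throw new IllegalArgumentException("URL identifier has no host: " + userSupplied);
        }
        // RFC 3986 section 6 normalization required by the spec: lower-case scheme
        // and host, drop the default port, write an empty path as "/", and strip
        // the fragment together with its '#' delimiter.
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        boolean defaultPort = port == -1
                || (port == 80 && scheme.equals("http"))
                || (port == 443 && scheme.equals("https"));
        String path = (uri.getRawPath() == null || uri.getRawPath().isEmpty()) ? "/" : uri.getRawPath();

        StringBuilder out = new StringBuilder(scheme).append("://").append(host);
        if (!defaultPort) {
            out.append(':').append(port);
        }
        out.append(path);
        if (uri.getRawQuery() != null) {
            out.append('?').append(uri.getRawQuery());
        }
        return new Normalized(out.toString(), false);
    }

    public static void main(String[] args) {
        // Constructed inputs: the identifier from Figure 1, two of the spec's
        // Appendix A.1 cases, and a few made-up edge cases.
        String[] inputs = {
            "redneckyogi.myopenid.com",      // -> http://redneckyogi.myopenid.com/ (URL)
            "example.com",                   // -> http://example.com/ (URL)
            "xri://=example",                // -> =example (XRI)
            "HTTP://Example.COM:80/user#me", // -> http://example.com/user (URL)
            "https://example.com:8443/id?v=2" // -> https://example.com:8443/id?v=2 (URL)
        };
        for (String in : inputs) {
            Normalized n = normalize(in);
            System.out.println(in + " -> " + n.claimedIdentifier + (n.xri ? " (XRI)" : " (URL)"));
        }
    }
}
```

Run with java IdentifierNormalizer. The point for an RP author is that the Claimed Identifier, not the raw user input, is what discovery fetches and what the OP's response is later compared against, so the normalization must be deterministic and must not be redone differently on the return leg.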
Discovery

The RP takes the User-Supplied Identifier and converts it to a form that can be used to determine two things: who the OpenID Provider (OP) is and how to contact the OP.

The process of discovery is used by the RP to determine how to make requests of the OP, and the key is the User-Supplied Identifier. But before the User-Supplied Identifier can be used for discovery, it must be normalized. The openid4java library does the heavy lifting to normalize the User-Supplied Identifier, so there's no need to cover the details of it here.

Normalized identifiers take one of two distinct forms:

XRI: Extensible Resource Identifier
URL: Uniform Resource Locator

In this article, we will look at URL examples. The User-Supplied Identifier from Figure 1 is a URI missing a scheme, so as part of normalization, openid4java attaches "http://" to it and arrives at the Claimed Identifier http://redneckyogi.myopenid.com.

The Claimed Identifier does not name the OP directly. openid4java fetches the Claimed Identifier URL and reads the discovery information served there (a Yadis/XRDS document, or openid2.provider and openid.server link tags in the HTML page). That information gives it the OP endpoint URL, in this case an endpoint at myOpenID, and the identifier by which the OP knows the user.

Listing 2 (from the sample application's RegistrationService class) shows how the RP uses openid4java to perform discovery.

Listing 2. Using openid4java to perform discovery

The class at the center of openid4java's approach to OpenID authentication is ConsumerManager. openid4java expects a single ConsumerManager per application: it holds the associations established with OPs and the nonce verifier that rejects replayed responses, and a new instance per request would discard both. For this reason, the sample application stores it as a static class member and accesses it through the getConsumerManager() method (see RegistrationService.java in the sample application for more details).

In a single line of code (in bold in Listing 2) openid4java allows your code to normalize the User-Supplied Identifier and perform discovery on it. What is returned is a java.util.List of DiscoveryInformation objects, one per OP endpoint found. These can be treated as opaque objects. Just make sure to keep them, because you will need them if your RP implementation chooses to form an association with the OP (as the sample application does).

Association

Association is a way for the RP and the OP to establish a shared secret, negotiated with a Diffie-Hellman key exchange (or sent in the clear only when the connection to the OP is protected by HTTPS), which the OP uses to sign its responses and the RP uses to verify them locally. Association is not required by the OpenID specification; without one, the RP must verify each response by sending a check_authentication request back to the OP. Association is performed from the RP code with a single call to the associate() method on ConsumerManager, as shown in Listing 3.

Listing 3. Using openid4java to establish association

This method takes the list of DiscoveryInformation objects produced by discovery, attempts an association with the endpoints it describes, and returns the DiscoveryInformation object for the endpoint to use (you may treat this object as opaque). The sample application stores the DiscoveryInformation object in the session because it will be needed later to verify the OP's response, as you will see. This object is also required to make the authentication request, which we'll look at next.

Authentication

After the RP has successfully performed discovery on the User-Supplied Identifier, it's time to authenticate the user. ConsumerManager is asked to build a special object called AuthRequest, which holds the parameters the RP sends to the OP in the authentication request.

During this interaction, the OP will be asked to make use of an OpenID extension called Simple Registration (SReg for short); this extension enables the RP to request that certain attributes from the user's profile with the OP be returned in the response. Listing 4 shows the code to build the AuthRequest object and request the attributes using SReg.

Listing 4. Building the AuthRequest and using the SReg extension

The first line in bold in Listing 4 shows the call to ConsumerManager.authenticate(), which doesn't actually make the authentication call. It simply takes the DiscoveryInformation object re