This blog explains about securing an ADF application using the Google Sign in Functionality which uses the OAuth 2.0 security framework
Prerequisites
- Google API Access credentials (Client ID, Client Secret). Set it up here https://code.google.com/apis/console/
- Set up allowed Redirect URIs at Google API → API Access. Input: http://localhost:8080/OAuth2v1/index.jspx
- Download the google api client jar from this link
- Use the following Google Helper Class code to build and read the requests
package view;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeRequestUrl;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson.JacksonFactory;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Arrays;
public class MyGoogleHelperClass {
private static final String CLIENT_ID = "YOUR CLIENT ID";
private static final String CLIENT_SECRET = "YOUR CLIENT SECRET";
private static final String CALLBACK_URI = "YOUR CALL BACK URI";
private static final Iterable SCOPE = Arrays.asList("https://www.googleapis.com/auth/userinfo.profile;https://www.googleapis.com/auth/userinfo.email".split(";"));
private static final String USER_INFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo";
private static final JsonFactory JSON_FACTORY = new JacksonFactory();
private static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
private String stateToken;
private final GoogleAuthorizationCodeFlow flow;
public MyGoogleHelperClass() {
super();
flow = new GoogleAuthorizationCodeFlow.Builder(HTTP_TRANSPORT,
JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, SCOPE).build();
generateStateToken();
}
public String buildLoginUrl() {
final GoogleAuthorizationCodeRequestUrl url = flow.newAuthorizationUrl();
return url.setRedirectUri(CALLBACK_URI).setState(stateToken).build();
}
private void generateStateToken(){
SecureRandom sr1 = new SecureRandom();
stateToken = "google;"+sr1.nextInt();
}
public void setStateToken(String stateToken) {
this.stateToken = stateToken;
}
public String getStateToken() {
return stateToken;
}
public String getUserInfoJson(final String authCode) throws IOException {
final GoogleTokenResponse response = flow.newTokenRequest(authCode).setRedirectUri(CALLBACK_URI).execute();
final Credential credential = flow.createAndStoreCredential(response, null);
final HttpRequestFactory requestFactory = HTTP_TRANSPORT.createRequestFactory(credential);
// Make an authenticated request
final GenericUrl url = new GenericUrl(USER_INFO_URL);
final HttpRequest request = requestFactory.buildGetRequest(url);
request.getHeaders().setContentType("application/json");
final String jsonIdentity = request.execute().parseAsString();
return jsonIdentity;
}
}
Implementation Steps
1. Create a Fusion Application. In the Model create a WSDC of a WS which returns an complex employee Object
2. In the View Controller, create a jspx page i.e DCPage
3. Drag and Drop the Return type node of the method onto the page as ADF Table
4. Create another index.jspx page with a backing bean, then create a command menu button/link and then bind to the method in the backing Bean which contains code as shown below
public void verifytheUser(ActionEvent awt)
{
FacesContext context = FacesContext.getCurrentInstance();
MyGoogleHelperClass ghc = new MyGoogleHelperClass();
String urlPath = ghc.buildLoginUrl();
try {
context.getExternalContext().getSessionMap().put("StateToken",ghc.getStateToken());
context.getExternalContext().redirect(urlPath);
} catch (IOException e) {
System.out.println(e);
}
}
5. Run the index.jspx page and click on the action button/link, we can see that the page is navigated to the Google Sign-In Page where the user is prompted to login with his credentials
6. If Login is successful, the user is asked to allow the application to access his resource, once accepted the page will be redirected back to the Callback URI
7. In the CallBack Page, get the following request parameters from the redirect uri. here we should check that the state which we sent while making the request matches with the state sent as query param along with the redirect uri. This Security is needed to avoid CSRF Hacking.
public void gettheUserdata()
{
FacesContext context = FacesContext.getCurrentInstance();
Map hm = context.getExternalContext().getRequestParameterMap();
GoogleHelperClass ghc = new GoogleHelperClass();
// This needs to be verified to Avoid CSRF(Cross-Site Request Forgery)
String sentState = (String)context.getExternalContext().getSessionMap().get("StateToken ");
try {
if(hm.containsKey("code")&&(sentState.equalsIgnoreCase(hm.get("state"))))
{
String userInfo = ghc.getUserInfoJson((String)hm.get("code"));
context.getExternalContext().getSessionMap().put("USERNAME",extracttheName(userInfo));
context.getExternalContext().redirect("DC PAGE URL");
} else{
context.getExternalContext().redirect("ACCESS DENIED URL");
}
}catch (IOException e) {
}
}
public String extracttheName(String jsonStr)
{
String nmeoftheUser=null;
try {
JSONArray array = new JSONArray("["+jsonStr+"]");
for (int i = 0; i < array.length(); i++) {
JSONObject element = array.getJSONObject(0);
NmeoftheUser = element.get("name");
}
} catch (JSONException e) {
System.out.println(e);
}
return nmeoftheUser;
}
- Code
- State
