I'm starting a small series in which I'll show views from windows and balconies that I have collected over the years. I also count the windows of cars, trains, ships and airplanes as windows.
#1, Heiligenhaus, Germany, December 2008
I really don't want to keep too much of my users' data in my database, passwords in particular. What if I misconfigure an endpoint and they leak? What if my database provider leaks the DB and the hashing algorithm becomes obsolete? Luckily, I can easily get rid of that issue by enabling login via other providers. The OAuth2 protocol is the way to go in this case. For a start, one provider is enough. I chose Google, as it is the one with the biggest market penetration. What did I have to do?
One of them (spring-boot-security-starter) was already in my project. I also needed the spring-security-oauth2 package.
There is a set of properties that needs to be added to your application-[profilename].properties file. I wanted to get the public profile and e-mail of my users so that in future I'll be able to identify users by their e-mail address, hence the "profile email" scope. You'll need to replace SAMPLE_CLIENT_ID and SAMPLE_CLIENT_SECRET with the values obtained from your Google API Console. You most likely don't want to put those values into your public repositories.
With Spring there are several options for providing security configuration; the most popular are XML and Java code-based configuration. We're using the second one here: leave index.html as a non-restricted page and require the user to log in for everything else. In future I expect this to change so that most of the assets are public. The most important part of this configuration is the @EnableOAuth2Sso annotation, which triggers the use of the properties from the file above and sets up the default login endpoint.
I don't have any real business logic in the application yet, so as an example I decided to create a REST endpoint that will return the logged-in user's data. The endpoint will require authentication, as defined in the security configuration above.
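As an added example (not the code from the post's repository), here is what the Java-based security configuration and the user endpoint described above look like together, assuming Spring Boot 1.5 with spring-security-oauth2, the security.oauth2.* properties mentioned in the text, and an endpoint path of /user (my choice). Instead of returning the whole Principal, it copies only the fields the application actually needs out of the Google userinfo response, so the endpoint doesn't expose everything Google sent back:

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// @EnableOAuth2Sso reads security.oauth2.client.* (clientId, clientSecret,
// accessTokenUri, userAuthorizationUri, scope) and
// security.oauth2.resource.userInfoUri from the properties file and wires
// the /login redirect to Google for every request that is not permitted below.
@Configuration
@EnableOAuth2Sso
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/", "/index.html").permitAll() // public landing page
                .anyRequest().authenticated();              // everything else needs a login
    }
}

@RestController
class UserController {
    // Hypothetical endpoint name; returns a deliberately small view of the user.
    @GetMapping("/user")
    public Map<String, Object> user(Principal principal) {
        Map<String, Object> out = new LinkedHashMap<>();
        out.put("name", principal.getName());
        if (principal instanceof OAuth2Authentication) {
            // With @EnableOAuth2Sso the userinfo JSON is stored as a Map in the
            // details of the inner user authentication.
            Object details = ((OAuth2Authentication) principal).getUserAuthentication().getDetails();
            if (details instanceof Map) {
                Map<?, ?> userInfo = (Map<?, ?>) details;
                out.put("email", userInfo.get("email"));            // Google userinfo field names
                out.put("givenName", userInfo.get("given_name"));
                out.put("familyName", userInfo.get("family_name"));
            }
        }
        return out;
    }
}
```

Keeping the returned map explicit also means a future change in what the provider sends back cannot silently widen what the endpoint discloses.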
We have a nice index.html page with Bootstrap and Vue.js (I'll write about this later), on which there now is a "Login with Google" link:
When we click on it, we’re redirected to Google login page.
After a successful login and granting all required permissions, we're redirected to the user page. We see a lot of data and several fields which, just in case, I won't show in full 😉
As you can see, there is already some information about the logged-in user inside our Principal object, among it a name, surname and e-mail address. We'll likely save that data somewhere to keep information about our user and display it on request.
All changes that were required for adding login are also provided in this commit.
The Open Source community is all about sharing. If you take a look at the definition of Open Source software, it is computer software with its source code made available with a licence in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose (source). I bolded the word 'licence' as this is quite an important part of the definition. GitHub's terms of service state the following:
By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of your Content in repositories they control).
If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to access your Content through the GitHub Service, and to use, display and perform your Content, and to reproduce your Content solely on GitHub as permitted through GitHub’s functionality. You may grant further rights if you adopt a license.
It basically means that, without a licence, people can fork your repository, but they aren't allowed to experiment with it, modify it or share it in other locations.
I wrote a Python script to check that (MIT-licensed ;)). Let’s take a look at the stats:
| Licence | Repositories |
|---|---|
| GNU Affero GPL | 3 |
| BSD 3-clause Licence | 3 |
Out of 832 repositories at the moment of writing, 492 (59%) had some code but didn't have any licence yet (there might be some that used non-standard locations for licences; I only checked for the existence and content of a LICENSE file in the root directory). Another 155 repositories (19%) are still empty. That means that only 22% of contest code is currently licensed in a way that is actually Open Source.
Which licences do people use most often?
The simplest option is MIT: you basically allow others to use the code as they wish, including in commercial projects. Another company-friendly licence is the Apache Licence. If you want to force others who use your code (e.g. as a library) to also publish their code under a compatible licence, think about the GNU GPL. That might mean that commercial entities will hesitate to use your code. At the company I'm working at we always make sure we don't use GPL-licensed libraries in our projects. It doesn't mean, though, that you cannot use GPL-based software (such as GIMP or NetBeans) in a commercial environment without sharing your results; the obligation only applies if you use it as a dependency.
If you need better guidance, take a look at choosealicence.com.
Feel free to correct me if I got anything wrong, and, for those of you that haven’t done it yet, choose a licence, Luke!