I've been reviewing Tatyan's latest patch. It works, but it needs some work before it can be committed to trunk. Here are the problems/issues found and my proposed solutions for some. The ones with numbers are fixed in my workspace. Once I work through these issues I'll create a new patch and try to get consensus to commit it.
1) Problem: Requires modified version of Spring Security XSD file which won't
be available until Spring Security 2.0.4 is due out. The 2.0.1 schema files
did not have OPENID_PROCESSING_FILTER.
See this - http://jira.springframework.org/browse/SEC-927
Solution: Use the file src/META-INF/spring.schemas to override
the XSD included in the Spring Security jar with the one in
2) Problem: URL with "/" at end vs. those without
Solution: always strip trailing slash before storing or comparing OpenID URLs
*) Problem: Requires Spring Security 2.1, which is not due out for a long time
See this - http://jira.springframework.org/browse/SEC-935
Solution: We only need to wait for the Attribute Exchange stuff, which can
pre-populate the new user registration form. So for now we can use Spring
Security 2.0.3 (the latest) and comment out the attribute exchange code.
*) Problem: Login page does not explain the OpenID user name field.
Solution: add text to explain that user can log in with either
username/password OR OpenID. Also, add OpenID icon to OpenID field.
*) Problem: Login page. After initial login, when you return to login page
somehow the username field is being populated with your OpenID URL, which should
go in the OpenID username field.
Solution: UNKNOWN. Could be caused by the browser?
*) Problem: User attributes are stashed in hashtable in UserManager interface.
Solution: UNKNOWN. Store in session instead?
*) Problem: New user registration, if you choose to register using your OpenID
then you should not have to enter a password.
Solution: UNKNOWN. Allow both password and OpenID?
*) Locale/TZ should be populated by browser or server information and should
not default to Albanian/ACT.
Solution: UNKNOWN, but probably an easy fix.
*) Configuration does not allow enough options for OpenID. I would like to make
it possible to support these three configurations:
- OpenID disabled: completely turn off OpenID
- OpenID hybrid: allow username/password and OpenID logins
- OpenID only: allow login via OpenID only.
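
Added example, not part of the original comment or of the patch under review: one way to apply the trailing-slash rule from item 2 so that the stored and the presented OpenID URL always compare in the same form. The class and method names are hypothetical; lower-casing the scheme and host and dropping the fragment are assumptions that go beyond what the comment states.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Hypothetical helper (not from the patch): one canonical form for OpenID URLs. */
public final class OpenIdUrlNormalizer {

    private OpenIdUrlNormalizer() {}

    /** Returns the form to store and to compare; throws on malformed input. */
    public static String normalize(String openIdUrl) throws URISyntaxException {
        if (openIdUrl == null || openIdUrl.trim().isEmpty()) {
            throw new URISyntaxException(String.valueOf(openIdUrl), "empty OpenID URL");
        }
        // normalize() resolves "." and ".." segments so they cannot produce look-alike keys.
        URI uri = new URI(openIdUrl.trim()).normalize();
        if (uri.getScheme() == null || uri.getHost() == null) {
            throw new URISyntaxException(openIdUrl, "absolute http(s) URL required");
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new URISyntaxException(openIdUrl, "unsupported scheme");
        }
        // Scheme and host are case-insensitive; the path is not, so its case is kept.
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        String path = uri.getRawPath() == null ? "" : uri.getRawPath();
        // Strip every trailing slash so "/alice/" and "/alice" (and "/" and "") match.
        while (path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        StringBuilder out = new StringBuilder(scheme).append("://").append(host);
        if (uri.getPort() != -1) out.append(':').append(uri.getPort());
        out.append(path);
        // The fragment is deliberately left out (assumption); the query is kept.
        if (uri.getRawQuery() != null) out.append('?').append(uri.getRawQuery());
        return out.toString();
    }

    /** Compare two identifiers only after both went through normalize(). */
    public static boolean sameIdentity(String a, String b) throws URISyntaxException {
        return normalize(a).equals(normalize(b));
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample identifiers.
        System.out.println(normalize("https://Example.org/alice/"));
        System.out.println(sameIdentity("http://example.org/", "http://EXAMPLE.org"));
        System.out.println(sameIdentity("http://example.org/alice", "http://example.org/Alice"));
    }
}
```

Calling the same routine at registration, at login and in any lookup by OpenID URL keeps one account from being reachable under two spellings, or missed under one.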