
  • Multi-war security

    I am looking for ways to allow Spring Security in one war to act, in a sense, as a gateway for a number of wars all deployed to the same tcServer container.

    Basically, we are developing a series of web services and applications. They need to be able to be independently developed and deployed from one another; however, we only want to manage security through one of the wars. The need for this stems from us having to integrate certain parts of these applications with our legacy ERP system, while the new ERP system is being developed. We will be systematically replacing how these individual applications as the new functions of the ERP come online.

    I had a few thoughts on this, but wanted to see what others might have been doing in this situation.

    1. Use container auth, possibly with shared sessions, then Spring Security preauth in all other dependent wars
    2. CAS or JOSSO
    3. Manage it myself (not big on this one)

    What are your thoughts or experiences?
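
Option 1 from the list above, sketched as an added example (it is not part of the original post and not code from any project mentioned in the thread). It assumes Spring Security 5.5 or later with Java configuration, container roles named `ROLE_USER` and `ROLE_ADMIN`, and a hypothetical class name `DependentWarSecurityConfig`; the container-side prerequisites are listed in the comments.

```java
// Added example: Spring Security pre-authentication in a dependent war that
// trusts the login already performed by the servlet container.
//
// Container-side prerequisites (assumptions, configured outside this class):
//  1. conf/server.xml, inside <Host>, enables Tomcat's single sign-on valve so
//     one container login covers every war on that host:
//       <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
//  2. All wars authenticate against the same Realm.
//  3. Each war's web.xml declares a <security-constraint> on /* plus a
//     <login-config>. Without the constraint the container never authenticates
//     the request, getUserPrincipal() is null, and the filter below has
//     nothing to pre-authenticate.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class DependentWarSecurityConfig { // hypothetical name

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Deny by default: every request needs a role that the container
            // has already granted to the authenticated principal.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN") // antMatchers(...) before 5.8
                .anyRequest().hasRole("USER"))
            // Registers J2eePreAuthenticatedProcessingFilter. The user name
            // comes from request.getUserPrincipal(), and for each mappable role
            // the filter asks request.isUserInRole("ROLE_<name>"). Roles not
            // listed here are never mapped, even if the container grants them.
            .jee(jee -> jee.mappableRoles("USER", "ADMIN"));
        return http.build();
    }
}
```

With this layout each war still carries its own authorization rules, and all of them rely entirely on the container's authentication decision, so a war deployed without the `web.xml` constraint gets no authenticated principal at all.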


  • #2
    If it were me, I'd handle this situation on a war by war basis. Reasons being:

    1. You mention web services and SSO technologies like CAS. These play poorly together since SSO generally has a dependency on an HTTP session.

    2. If you use any parts of Spring Security other than authentication (acl/url auth etc) - you're incurring maintenance costs to have to update that information for each of your apps.

    3. Individual apps are likely to have their own project plan / timeline that conflicts with other projects.