
  • Authorize on two or more web applications simultaneously

    Hi,

    can you please give me a hint on how to authorize a user on several web applications at the same time?

    I have:

    - EAR
    - - WAR 1 (example.com/)
    - - WAR 2 (example.com/shop/)
    - - ...
    - - WAR n (example.com/forum/)


    Every WAR is a Spring (+Security) based application. The user is authenticated and authorized on WAR 1. When he switches to any other WAR, he has to pass authentication again. How can I bypass it?

    Thanks.

    - Lsync

  • #2
    Use an SSO solution (Single Sign-On)... You pass an SSO token around which is checked with the server.



    • #3
      Hi Marten,

      thanks for the reply. Do you know any non-server-specific SSO solution(s)? I would be grateful for the links.



      • #4
        I suggest Google, and I don't quite understand your non-server-specific part... The whole point of SSO is to be server agnostic, else it defeats the purpose of SSO (SSO is broader than web applications!).



        • #5
          Sorry for my bad language. I mean "not server-specific", because the only reasonable SSO solution that I can find is to use the SSO Valve for Tomcat/JBoss. So it would be great to find a more versatile way. Can you help with this?

          Also, I found that the "remember-me" cookie can help, but this hack breaks the standard "remember me" functionality. Too bad.

          Or maybe I can programmatically log the user in to all my Spring Security guarded applications when he authorizes in one of them?



          • #6
            I think you want a "server-specific" solution, as all of your web apps are deployed on the same app server, let alone the same EAR. Do not confuse "server-specific" with vendor lock-in. The SSO Valve for Tomcat, the LTPA cookie for WebSphere, etc. all work the same way. The container will populate request.getUserPrincipal() for you. You can use Spring's J2eePreAuthenticatedProcessingFilter to leverage this.

            If you want true SSO across different domains, you would have to use CAS or SAML or some other proprietary vendor (e.g. SiteMinder). This is way more difficult.

            Good luck.

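The container-principal route described in the post above, written out as an added example (it is not code from this thread, from Spring Security's documentation or from the poster's project): a Spring Security Java configuration for one WAR that takes the principal and roles the container already established (Tomcat SSO valve, WebSphere LTPA cookie) and turns them into a Spring SecurityContext, so the user never sees a second login form. It assumes Spring Security's Java config (WebSecurityConfigurerAdapter, 3.2 through 5.x) and that web.xml declares the container roles `user` and `admin`; those role names and the `/admin/**` path are assumptions.

```java
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleMappableAttributesRetriever;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
import org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter;

/**
 * Added example: trust the principal the servlet container already authenticated
 * (request.getUserPrincipal()) instead of running a second login in this WAR.
 */
@Configuration
@EnableWebSecurity
public class ContainerPreAuthConfig extends WebSecurityConfigurerAdapter {

    // Role names exactly as declared in web.xml <security-role> elements (assumption).
    private static final String[] CONTAINER_ROLES = {"user", "admin"};

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // This provider performs no password check: the container already did that.
        auth.authenticationProvider(preAuthProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilter(j2eePreAuthFilter())
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated();
    }

    // Plain factory method, not a @Bean, so the container does not also register the filter on its own.
    private J2eePreAuthenticatedProcessingFilter j2eePreAuthFilter() throws Exception {
        J2eePreAuthenticatedProcessingFilter filter = new J2eePreAuthenticatedProcessingFilter();
        filter.setAuthenticationManager(authenticationManager());
        filter.setAuthenticationDetailsSource(detailsSource());
        return filter;
    }

    private J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource detailsSource() {
        // For every candidate role the source asks request.isUserInRole(role) and keeps the ones that hold.
        J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource source =
                new J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource();
        SimpleMappableAttributesRetriever retriever = new SimpleMappableAttributesRetriever();
        Set<String> roles = new HashSet<String>();
        for (String role : CONTAINER_ROLES) {
            roles.add(role);
        }
        retriever.setMappableAttributes(roles);
        source.setMappableRolesRetriever(retriever);
        // With the mapper's defaults "admin" becomes ROLE_ADMIN (upper-cased, ROLE_ prefix added).
        source.setUserRoles2GrantedAuthoritiesMapper(new SimpleAttributes2GrantedAuthoritiesMapper());
        return source;
    }

    private PreAuthenticatedAuthenticationProvider preAuthProvider() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // Builds the UserDetails from the authorities collected above; no password is ever involved.
        provider.setPreAuthenticatedUserDetailsService(
                new PreAuthenticatedGrantedAuthoritiesUserDetailsService());
        return provider;
    }
}
```

Two things still have to be true for this to work: web.xml in each WAR must carry a `<login-config>` and a `<security-constraint>` covering the pages, otherwise the container never authenticates and `getUserPrincipal()` stays null (the filter then simply passes the request on unauthenticated); and the container-level SSO (for example Tomcat's SingleSignOn valve on the Host) must be enabled so that all contexts see the same principal. The filter trusts the principal unconditionally, so a WAR configured this way must never be deployed somewhere that does not set it.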


            • #7
              Guys,

              according to this:
              http://static.springsource.org/sprin...rence/cas.html
              and this:
              https://wiki.jasig.org/display/CASC/...pring+Security

              I must give access to the users' credentials (including passwords!) both to CAS and to (every) web application. CAS needs them for authentication, and the applications for authorization and assigning a role. Am I right?



              • #8
                The documentation may be a bit misleading unless you read the details. The passwords are not used when authenticating with CAS, but Spring Security does require a way to determine which roles the user has. This can be done using the UserDetailsService (which also provides passwords, but they can be null values since they are not used), or it can be done using the GrantedAuthorityFromAssertionAttributesUserDetailsService set on the CasAuthenticationProvider instead. In that case you must be sure to set up the CAS server to return the roles in the CAS response.

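The second option from the post above (roles taken from the CAS assertion, no password or user table in the application), as an added example that is not code from this thread, from the linked documentation or from the poster's project. It configures a CasAuthenticationProvider for one WAR with GrantedAuthorityFromAssertionAttributesUserDetailsService. Assumptions: Spring Security Java config with the spring-security-cas module and the Jasig CAS client on the classpath, a CAS server at `https://cas.example.com/cas`, this WAR deployed at `https://example.com/shop/`, the CAS attribute `memberOf` carrying role names, and the provider key string.

```java
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/** Added example: CAS client configuration whose roles come from the CAS assertion, not from a local user store. */
@Configuration
@EnableWebSecurity
public class CasClientConfig extends WebSecurityConfigurerAdapter {

    private static final String CAS_SERVER = "https://cas.example.com/cas";          // assumption
    // CasAuthenticationFilter listens on /login/cas by default; the service URL must point at it.
    private static final String SERVICE_URL = "https://example.com/shop/login/cas";   // assumption
    private static final String ROLE_ATTRIBUTE = "memberOf";                           // assumption

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        sp.setService(SERVICE_URL);
        sp.setSendRenew(false);   // accept an existing CAS SSO session; no re-prompt for credentials
        return sp;
    }

    @Bean
    public CasAuthenticationEntryPoint casEntryPoint() {
        // Unauthenticated requests are redirected here; the browser carries its CAS TGT cookie along.
        CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
        entryPoint.setLoginUrl(CAS_SERVER + "/login");
        entryPoint.setServiceProperties(serviceProperties());
        return entryPoint;
    }

    @Bean
    public CasAuthenticationProvider casProvider() {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setServiceProperties(serviceProperties());
        // Validates the service ticket over the back channel against /serviceValidate.
        provider.setTicketValidator(new Cas20ServiceTicketValidator(CAS_SERVER));
        // Authorities are built from the attribute values in the assertion (upper-cased by default),
        // so CAS should release values such as ROLE_USER / ROLE_ADMIN. No password ever reaches this app.
        provider.setAuthenticationUserDetailsService(
                new GrantedAuthorityFromAssertionAttributesUserDetailsService(new String[] {ROLE_ATTRIBUTE}));
        provider.setKey("shop-cas-provider");   // identifies tokens produced by this provider (assumption)
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(casProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
        casFilter.setAuthenticationManager(authenticationManager());
        http.addFilter(casFilter)
            .exceptionHandling().authenticationEntryPoint(casEntryPoint())
            .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated();
    }
}
```

Two checks worth doing before relying on this: the ticket validator calls CAS over HTTPS, so the application's trust store must contain the CAS server certificate, and the CAS service registry should release the role attribute only to the registered service URLs, otherwise any service CAS trusts learns every user's roles.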


                • #9
                  Done with this part; thank you guys for the help. I've tried CAS, OAuth for Spring Security and the remember-me cookie alone as SSO solutions. All work perfectly, but each has its own pros and cons.

                  The next step I want to implement is to have the best of two worlds: CAS and remember-me. First I'll explain why:
                  - I want to use CAS as an enterprise solution;
                  - each application is developed by its own team, so they are independent from each other (have their own sessions);
                  - I want to immediately authorize the user in all applications when he/she is authenticated with CAS.

                  So I plan to use this simple scheme:
                  1. Each application is configured to have both CAS and remember-me as authentication providers.
                  2. When the user is authenticated by any application, this application sets a remember-me cookie that is visible to all (path="/" and domain=".example.com").
                  3. When any other application sees this cookie, it automatically authorises the user (full workflow drawing).

                  It's the simplest way I see to make SSO work on both protected and unprotected pages (I need SSO on unprotected pages to render the user name on them).

                  The question is: will that scheme work properly, or do I have to research another one?



                  • #10
                    Look at CAS's single sign-on/off functionality. Your remember-me approach won't work because none of your applications will have access to the others' cookies.

                    Also, note that having authentication on non-protected pages is a security issue.



                    • #11
                      Originally posted by arthomps:
                      Look at CAS's single sign-on/off functionality
                      arthomps, I'd love to! But I haven't found any CAS solution that lets me do the simplest thing: render the user name (or a login invitation) on every site page.

                      It's because:
                      - applications have their own sessions;
                      - when the user logs in to any of them, the others don't even know about that! That's what the remember-me cookie is for.

                      Here is a little conversation about that (sorry for the external link); maybe you can say some words that explain the situation?



                      • #12
                        Each application must consult the CAS server (as explained in the thread). As soon as a user is authenticated and you enter a new application, CAS is consulted, Spring Security (for that app) creates the SecurityContext and you can do whatever you want. What you do with the remember-me cookie is basically the thing that you must let CAS do...

                        The latter should be configured in Spring and should be transparent (so basically every request already goes to CAS when you have configured things correctly)...



                        • #13
                          Originally posted by Marten Deinum:
                          basically every request already goes to CAS
                          Wow... Is it really true? Our clients often have high-load applications, so making a request to CAS for every page is too expensive. Is it really a better solution than using remember-me and having only one CAS request to authenticate the user on the whole site?

                          Originally posted by Marten Deinum:
                          What you do with the remember-me cookie is basically the thing that you must let CAS do...
                          Truly agree with that. Unfortunately, CAS only has a Single Sign-Out callback. We really need the same for Sign-In...
                          Last edited by Lsync; Oct 3rd, 2012, 07:08 AM.



                          • #14
                            Originally posted by Lsync:
                            Wow... Is it really true?
                            Well, actually no... If you hit a page that requires authentication then you hit the CAS server; now if you enter a page that requires authentication it will go to CAS and (if I recall correctly), due to the fact that you are already authenticated, get the id etc. back. Spring Security will use this to load the user. (So actually only 1 request per application goes to CAS)...

                            CAS will give you a Ticket (Ticket Granting Ticket) which can be used by other applications to verify if the user is valid/logged in; this gives you the SSO behaviour you want...

                            So as mentioned before, what you are trying to do with the remember-me hack is already how things should work with CAS.

                            Originally posted by Lsync:
                            Truly agree with that. Unfortunately, CAS only has a Single Sign-Out callback. We really need the same for Sign-In...
                            No you don't... You don't want to be automatically logged in to all applications you have access to (this isn't how SSO works in general). SSO works in that you authenticate once and get a ticket/token/whatever, which can be supplied to other applications (instead of the username/password); the other application consults a global service (in this case CAS, in others the Windows Domain Controller or something like that) to check if the ticket is valid.

                            So SSO doesn't mean I log in once and am now logged in to all my applications at once. It means I provide my credentials once and automatically authenticate to other applications when I open them.

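The exchange the post above describes (credentials once at CAS, then one validation per application and a local session afterwards), as an added, constructed model in plain Java. It is not code from this thread, from Spring Security or from the CAS project; the ticket formats, the single hard-coded password, the user name and the two service URLs are made up for the demonstration. It follows the CAS 2.0 shape: the Ticket Granting Ticket lives in a cookie scoped to the CAS host, each application receives its own service-bound, single-use Service Ticket and validates it over the back channel. Nothing is shared between the WARs; the browser carries the TGT cookie to CAS on every redirect.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** Constructed model of the CAS 2.0 exchange (added example); tickets and credentials are made up. */
public class CasFlowModel {

    /** The CAS server: owns the SSO session (TGT) and mints one-shot service tickets (ST). */
    static class CasServer {
        private final Map<String, String> tgtToUser = new HashMap<String, String>();
        private final Map<String, String[]> stToUserAndService = new HashMap<String, String[]>();
        int passwordChecks = 0;

        /** /login with a form post: the only place a password is ever seen. Returns the TGT cookie value. */
        String login(String user, String password) {
            passwordChecks++;
            if (!"correct horse".equals(password)) throw new SecurityException("bad credentials");
            String tgt = "TGT-" + UUID.randomUUID();
            tgtToUser.put(tgt, user);
            return tgt;
        }

        /** /login?service=... with the TGT cookie present: no prompt, just an ST bound to that service. */
        String issueServiceTicket(String tgtCookie, String service) {
            String user = tgtCookie == null ? null : tgtToUser.get(tgtCookie);
            if (user == null) throw new SecurityException("no SSO session: CAS would show the login form");
            String st = "ST-" + UUID.randomUUID();
            stToUserAndService.put(st, new String[] {user, service});
            return st;
        }

        /** /serviceValidate?ticket=..&service=..: back-channel call from the app. Single use, service bound. */
        String validate(String st, String service) {
            String[] entry = stToUserAndService.remove(st);
            return (entry != null && entry[1].equals(service)) ? entry[0] : null;
        }
    }

    /** The user's browser: one cookie for the CAS host, one session cookie per application. */
    static class Browser {
        String casTgtCookie;                                                        // scoped to cas.example.com
        final Map<String, String> sessionCookies = new HashMap<String, String>();  // service URL -> JSESSIONID
    }

    /** One WAR with its own session store; it talks to CAS once per session and never to the other WARs. */
    static class WebApp {
        final String serviceUrl;
        private final CasServer cas;
        private final Map<String, String> sessions = new HashMap<String, String>();
        int casValidations = 0;

        WebApp(String serviceUrl, CasServer cas) { this.serviceUrl = serviceUrl; this.cas = cas; }

        /** A request for a protected page; returns the user the application ends up with. */
        String protectedPage(Browser b) {
            String user = sessions.get(b.sessionCookies.get(serviceUrl));
            if (user != null) return user;                                   // local session hit: CAS not consulted
            String st = cas.issueServiceTicket(b.casTgtCookie, serviceUrl); // redirect to CAS and back with ?ticket=
            user = cas.validate(st, serviceUrl);                             // back-channel validation
            casValidations++;
            if (user == null) throw new SecurityException("service ticket rejected");
            String jsessionid = "JSESSIONID-" + UUID.randomUUID();           // Spring Security now holds a SecurityContext
            sessions.put(jsessionid, user);
            b.sessionCookies.put(serviceUrl, jsessionid);
            return user;
        }
    }

    public static void main(String[] args) {
        CasServer cas = new CasServer();
        WebApp site = new WebApp("https://example.com/", cas);
        WebApp shop = new WebApp("https://example.com/shop/", cas);
        Browser browser = new Browser();

        browser.casTgtCookie = cas.login("lsync", "correct horse");  // credentials entered exactly once
        site.protectedPage(browser);                                  // first visit: one CAS validation
        site.protectedPage(browser);                                  // served from the local session
        shop.protectedPage(browser);                                  // other WAR: its own validation, no password

        System.out.println("password checks at CAS: " + cas.passwordChecks);
        System.out.println("CAS validations, both apps: " + (site.casValidations + shop.casValidations));

        // A service ticket is bound to the service it was issued for and cannot be replayed.
        String stForSite = cas.issueServiceTicket(browser.casTgtCookie, site.serviceUrl);
        System.out.println("ST issued for / accepted by /shop/: " + (cas.validate(stForSite, shop.serviceUrl) != null));
        String stAgain = cas.issueServiceTicket(browser.casTgtCookie, site.serviceUrl);
        System.out.println("fresh ST accepted by /: " + (cas.validate(stAgain, site.serviceUrl) != null));
        System.out.println("same ST accepted a second time: " + (cas.validate(stAgain, site.serviceUrl) != null));
    }
}
```

The model makes the cost question concrete: after the first validation each application serves pages from its own session, so CAS is hit once per application per session rather than once per page. It also shows why a service ticket is safe to pass through the browser as a query parameter: it is bound to one service URL and consumed on first validation.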


                            • #15
                              Originally posted by Marten Deinum:
                              CAS will give you a Ticket (Ticket Granting Ticket) which can be used by other applications

                              Hmm... I think I'm beginning to understand. If app1 takes the ticket and (by some magic way) shares it with the others on the same server, any application can now request the user's credentials from CAS. Great!

                              But what is this magic sharing way? Does Spring Security support it? Or can I place the tickets in a shared DB or JNDI, for example... I hope this won't break any CAS flow.

                              I have to think about it. Maybe it'll be an even simpler and definitely better solution than remember-me hacking. Thanks a lot!

                              Originally posted by Marten Deinum:
                              You don't want to automatically be logged in to all applications you have access to
                              That's right. I meant a group of applications on the same domain (and only that), where I really want it.
