Suggest on right authentication mechanism
Hi,

I'm looking for a suggestion on the right authentication mechanism for the following architecture.

One web application war with mostly static content.
Multiple other application wars which expose RESTful APIs with Spring MVC for:
1) Web clients
2) Other application wars which might consume services of each other (inter-app communication). Consuming application clients use RestTemplate for sending REST requests to other applications.
3) Northbound OSS clients
All web and other applications run on different Tomcat instances.
All web and other applications reside behind a load balancer to allow SSO without cross-site issues. So, from all clients' perspective, all web and other applications are behind the same host and port.

So, now comes the main question: which authentication method should be applied for such an architecture?

CAS looks like the best possible approach for SSO between applications. BUT I can't require OSS clients to use CAS, as it fits better when authentication occurs with a web browser client. Also, it is problematic to authenticate RestTemplate clients with CAS for inter-application communication. So, I thought to use HTTP Basic for programmatic clients (RestTemplate and OSS). However, how should I configure Spring Security to use both CAS and HTTP Basic? Based on which decision will the authenticationEntryPoint decide which authentication method to invoke? I thought to pass some query string parameter, according to which I would invoke the right authentication, but then I let clients choose the authentication method - not very secure.

I also read about OAuth, but we don't need authentication from 3rd parties, as well as do not provide authentication for 3rd parties, so I don't see how OAuth fits in our architecture.

Bottom line, I'm looking for a suggestion on how it would be better to solve authentication in such an architecture.

Thanks,
Pavel
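As an added example (not code from the original post, nor from the Spring or CAS projects), here is one way to run CAS and HTTP Basic side by side in a single Spring Security Java configuration so that the server, not the client, decides which mechanism applies. Two ordered filter chains are used: everything under `/api/**` (OSS clients and inter-app RestTemplate calls) gets stateless HTTP Basic and answers 401 instead of redirecting to CAS, while every other URL (browser traffic) gets the CAS entry point. The CAS server URL `https://cas.example.com/cas`, the load-balancer URL `https://apps.example.com`, the `/api/**` prefix, the in-memory users and the `UserDetailsService` bean that maps a CAS principal to roles are all assumptions for illustration; Spring Security 4.x Java config is assumed (the CAS callback URL `/login/cas` is that version's default).

```java
// Added example, not the poster's configuration. Assumes Spring Security 4.x,
// a CAS server at https://cas.example.com/cas, all wars behind the load
// balancer at https://apps.example.com, and an existing UserDetailsService
// bean. Host names, users and passwords are placeholders.
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /** Chain 1: programmatic clients. Consulted first because of @Order(1). */
    @Configuration
    @Order(1)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")                    // only requests under /api/** reach this chain
                .authorizeRequests().anyRequest().authenticated()
                .and().httpBasic().realmName("oss-api")   // unauthenticated -> 401 + WWW-Authenticate, never a CAS redirect
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().csrf().disable();                  // no session cookie, so CSRF tokens do not apply here
        }

        /** Separate credential store for machine clients (placeholder users). */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("oss-client").password("oss-secret").roles("OSS")
                .and()
                .withUser("app-b").password("app-b-secret").roles("SERVICE");
        }
    }

    /** Chain 2 (default order): everything else, i.e. browser traffic, via CAS SSO. */
    @Configuration
    public static class WebSecurity extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsService userDetailsService; // assumed bean: loads roles for a CAS user name

        @Bean
        public ServiceProperties serviceProperties() {
            ServiceProperties sp = new ServiceProperties();
            // The load-balancer URL is the CAS "service": one host and port for every war
            sp.setService("https://apps.example.com/login/cas");
            sp.setSendRenew(false);
            return sp;
        }

        @Bean
        public CasAuthenticationEntryPoint casEntryPoint() {
            CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
            ep.setLoginUrl("https://cas.example.com/cas/login");
            ep.setServiceProperties(serviceProperties());
            return ep;
        }

        @Bean
        public CasAuthenticationProvider casProvider() {
            CasAuthenticationProvider p = new CasAuthenticationProvider();
            p.setServiceProperties(serviceProperties());
            p.setTicketValidator(new Cas20ServiceTicketValidator("https://cas.example.com/cas"));
            p.setAuthenticationUserDetailsService(
                new UserDetailsByNameServiceWrapper<CasAssertionAuthenticationToken>(userDetailsService));
            p.setKey("cas-provider-key"); // placeholder; any string unique to this provider
            return p;
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(casProvider());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            CasAuthenticationFilter casFilter = new CasAuthenticationFilter(); // validates /login/cas?ticket=...
            casFilter.setAuthenticationManager(authenticationManager());

            http.addFilter(casFilter)
                .exceptionHandling().authenticationEntryPoint(casEntryPoint()) // unauthenticated browser -> CAS login page
                .and().authorizeRequests().anyRequest().authenticated();
        }
    }
}
```

The decision the entry point makes is therefore fixed by the URL pattern on the server side; a client cannot switch mechanisms with a query parameter. Two caveats a practitioner would want: HTTP Basic only base64-encodes the credentials, so the `/api/**` chain must be reachable over TLS only (terminate TLS at the load balancer and forward the scheme, or enforce it with `requiresChannel()`), and the in-memory plaintext passwords above are placeholders; store hashed credentials behind a `PasswordEncoder` and give each machine account only the roles it needs, so an inter-app credential cannot be replayed as an OSS user.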