  • Multiple Authentication problem

    I have a web app that will be using Acegi using roles and voters. The app currently uses CAS as its authentication source. No issues. Now we need to have the app accessible via an extranet which acts as its own policy server. We can have the extranet entry point be a specific URL but I can't figure out how to get a single security context to be supported by either internal (CAS) based authentication or external (extranet) based authentication.

    I was thinking of either plugging the extranet into the CAS server (which is Acegi based, has ProviderManager + multiple providers already) but can't think of how this would work. Alternatively, I was wondering if it was possible to set up multiple authentication processing filters ...

    I'm beginning to think I will need to create two webapps (that share a common domain/service/controller/view base) but have different security configurations...

    Any thoughts?

  • #2
    You should be able to chain multiple authentication mechanisms (i.e. those that subclass AbstractProcessingFilter, such as CasProcessingFilter) and AuthenticationProviders in the same application. You might need to write your own custom AbstractProcessingFilter and AuthenticationProvider to process your extranet-specific authentication. I just described something similar at http://forum.springframework.org/showthread.php?t=18306.
    Last edited by robyn; May 14th, 2006, 07:35 PM.


    • #3
      chaining multiple authentication mechanisms

      Thanks Ben for the quick reply. I'll look into that option and post my results.


      • #4
        Link doesn't work.

        Originally posted by Ben Alex
        You should be able to chain multiple authentication mechanisms (i.e. those that subclass AbstractProcessingFilter, such as CasProcessingFilter) and AuthenticationProviders in the same application. You might need to write your own custom AbstractProcessingFilter and AuthenticationProvider to process your extranet-specific authentication. I just described something similar at http://forum.springframework.org/viewtopic.php?t=8997.
        Ben, I too would like to know how to do this (and see an example if you have one). But the link in your post no longer works. Can you give a working link please? Here's what we want to do:

        We have a webapp using Spring but some of our users will be coming in through the internet and others will be on an internal network. Based on the URL (an internal one and an external one) my boss wants acegi to have internal users login via an LDAP server and external ones will log in via a custom DAOAuthentication I wrote that checks users in a database.

        Right now we have it all working in 2 webapps, one internal and one external, but the apps themselves are the same except one will be served behind our firewall.

        In short, I think I need the ability to have 2 acegi configs in one webapp. But if you have a cleaner solution I'm open to that. Either way, I need multiple authentication abilities. Can acegi do this?

        Thanks much for your help. I'm pretty stuck here.


        • #5
          Sorry, I can't find the old post either.

          Take a look at the JavaDocs for ProviderManager. Basically you want to chain AuthenticationProviders so that first it tries your DaoAuthenticationProvider, and if not found, will try LdapAuthenticationProvider.

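The provider chain that #2 and #5 describe, written out as Acegi bean definitions. This is an added example and not configuration posted in this thread; it is written against the Acegi 1.0-era class names (org.acegisecurity.providers.ProviderManager, DaoAuthenticationProvider, LdapAuthenticationProvider), and the hostnames, DNs, passwords, bean ids and the referenced dataSource bean are placeholders to be replaced with your own.

```xml
<!-- Added example (not from this thread): one ProviderManager that tries the
     database first and falls through to LDAP. Everything below the class
     names (hosts, DNs, bean ids, the dataSource bean) is a placeholder. -->
<bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <!-- Order matters: the first provider that returns a result wins. -->
      <ref bean="daoAuthenticationProvider"/>
      <ref bean="ldapAuthenticationProvider"/>
    </list>
  </property>
</bean>

<!-- Provider 1: external users held in the application database -->
<bean id="daoAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService"><ref bean="jdbcUserDetailsService"/></property>
  <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
</bean>

<bean id="jdbcUserDetailsService"
      class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
  <!-- placeholder: the DataSource bean is assumed to be defined elsewhere -->
  <property name="dataSource"><ref bean="dataSource"/></property>
</bean>

<bean id="passwordEncoder"
      class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/>

<!-- Provider 2: internal users authenticated by an LDAP bind -->
<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg>
    <value>ldap://ldap.internal.example.com:389/dc=example,dc=com</value>
  </constructor-arg>
  <!-- A read-only service account, used only for the group lookup below;
       leave these out if the directory allows anonymous group searches. -->
  <property name="managerDn"><value>cn=acegi-reader,ou=service,dc=example,dc=com</value></property>
  <property name="managerPassword"><value>CHANGE-ME</value></property>
</bean>

<bean id="ldapAuthenticationProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <!-- authenticator: bind as the user to check the password -->
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref bean="initialDirContextFactory"/></constructor-arg>
      <property name="userDnPatterns">
        <list><value>uid={0},ou=people</value></list>
      </property>
    </bean>
  </constructor-arg>
  <!-- authorities populator: map group membership to roles -->
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg><ref bean="initialDirContextFactory"/></constructor-arg>
      <constructor-arg><value>ou=groups</value></constructor-arg>
      <property name="groupRoleAttribute"><value>cn</value></property>
    </bean>
  </constructor-arg>
</bean>
```

Both providers accept the same UsernamePasswordAuthenticationToken, so a single AuthenticationProcessingFilter pointed at this authenticationManager covers the database/LDAP case in #4 without a second filter or a second webapp. Two things about ProviderManager's loop are worth keeping in mind when the stores are not under the same administration: it skips any provider whose supports() rejects the token type, and a provider that throws an AuthenticationException is also skipped and the next one tried, with only the last exception surfaced to the user. A wrong password against the database therefore falls through to an LDAP bind attempt, which matters if the two stores have overlapping usernames or different lockout policies. The CAS-plus-extranet case in the first post still needs the extra AbstractProcessingFilter and provider that #2 describes, because the extranet token is not a username/password pair.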

          • #6
            Multiple domains the not-so-clean way

            I couldn't get the multiple provider chain to work in my case (have not given up on it though, will research it more because it should work...). What we did to get around this was to modify CAS to support both trust and authentication schemes within the same CAS system. Quite a simple change if anyone is interested. So our apps only have the standard CAS plumbing and CAS handles the auth case and/or the trust case (which has grown to two trust sources!!). BTW, we also had to have the CAS system provide one of three different login screens depending on the login page needed by each webapp (I know, I know - what's so 'common' about our single sign on then... :-) )

            Anyway, we have a new issue that is related to CAS (I've checked there too) that maybe you folks have an idea on. We have multiple virtual IPs: one internet (e.g., x.y.com) and one intranet (e.g., internal.x.y.com). We would like to have SSO work with either IP. Currently this doesn't work because the TGT cookie used by CAS is associated with one domain or the other. We have this strange arrangement because 1) we are required to have a common customer/employee portal (strike one), 2) employees can access the internet VIP from the intranet, 3) we need to limit some of the web apps to only the intranet VIP, and 4) we don't have a way to restrict access to the internal web apps except via web server proxy rules (strike two).

            The current gap is to figure out how to have folks log in via either x.y.com or internal.x.y.com only once. The two ways I can think of are 1) to somehow figure out how to let CAS share the same cookie-based TGT from both domains, or 2) have the CAS configurations dynamically choose the routing to CAS based on the server name they called with. Kinda hard to explain.

            Just say: trying not to over engineer this so hopefully someone has a better/different idea than I...
