How can I integrate Java Spring Security with BMC Remedy ARS Mid-Tier web app (SSL)

Printable View

Sep 10th, 2012, 02:40 PM
SpringSecurityJ

How can I integrate Java Spring Security with BMC Remedy ARS Mid-Tier web app (SSL)

I am running Windows 2008 R2, IIS 7.5, and Tomcat 5.5. Tomcat has SSL enabled and is connected to IIS via the AJP Connector, version 1.3. I am running a web application called BMC Remedy ARS Mid-Tier, with has its own login authentication. BMC Remedy ARS Mid-Tier is a closed-source system and I have no freedom to modify it; it's essentially a blackbox with an input and output.

I have to satisfy an IT PCI compliance rule, that Mid-Tier's login authentication scheme runs in SSL. The task that was given to me -- meaning, I'm just the messenger; so, please don't ask me why not run the whole site in SSL, thank you) -- is the login authentication should use HTTPS and everything else on the site uses HTTP.

Mid-Tier uses a servlet called "LoginServlet" to authenticate the user to its application. Upon authentication, it directs the user back to a page that I called homepage.jsp. I setup a servlet filter to redirect from HTTPS to HTTP for homepage.jsp. However, the session information created by Mid-Tier's authentication scheme gets lost.

I have seen other web applications that use an SSO implementation, which permits what I've been assigned--login(HTTP)->authenticate(HTTPS)->homepage(HTTP). The problem is this Mid-Tier web application is a black box and has its own login authentication scheme. I called the vendor up and they said this problem is out of their scope.

Would Java Spring Security or, perhaps, an SSO implementation allow me to only use HTTPS for the Mid-Tier authentication, while carrying its session data over to HTTP? Is it
possible to wrap Spring Security around this Mid-Tier login authentication scheme?

The link, http://stackoverflow.com/questions/1...eb-application, might provide some help, but I'm not sure how to integrate it my particular web application. Is there a way I can permit Mid-Tier to authenticate over SSL and remember its session data using Java Spring Security?

I did read something at this link, http://static.springsource.org/sprin...authentication, that vaguely states I can use a proprietary authentication system, which fits my request. Does anyone have any tutorials or guides on how to use an external authentication system with Spring Security?

Thank you very much, in advance, for any help.
Sep 11th, 2012, 01:45 PM
arthomps

Quote:

Originally Posted by SpringSecurityJ

Mid-Tier uses a servlet called "LoginServlet" to authenticate the user to its application. Upon authentication, it directs the user back to a page that I called homepage.jsp. I setup a servlet filter to redirect from HTTPS to HTTP for homepage.jsp. However, the session information created by Mid-Tier's authentication scheme gets lost.

Ignoring the bmc remedy aspect - switching between https and http is likely failing for unrelated reasons. A non secure session can't access a secure session. http://static.springsource.org/sprin...-https-session
Sep 11th, 2012, 03:55 PM
SpringSecurityJ

Quote:

Originally Posted by arthomps

Ignoring the bmc remedy aspect - switching between https and http is likely failing for unrelated reasons. A non secure session can't access a secure session. http://static.springsource.org/sprin...-https-session

Well, I was able to log into the website, after switching from https to http. I understand a non secure session can't access a secure session. However, I have read elsewhere that I may be able to take advantage of remember-me authentication (http://static.springsource.org/sprin...member-me.html) to maintain the session data from https to http.

Now, regarding the web application, perhaps I should rephrase my question. I have read that Spring Security supports proprietary authentication systems. The web application uses its own authentication system -- a servlet called LoginServlet, located in the web.xml folder. How can I tell Spring Security to use the web application's authentication system? Is there a guide or tutorial that explains how to proceed with this step?

Thank you for your help.
Sep 11th, 2012, 06:10 PM
arthomps

Quote:

Originally Posted by SpringSecurityJ

Now, regarding the web application, perhaps I should rephrase my question. I have read that Spring Security supports proprietary authentication systems. The web application uses its own authentication system -- a servlet called LoginServlet, located in the web.xml folder. How can I tell Spring Security to use the web application's authentication system? Is there a guide or tutorial that explains how to proceed with this step?

Thank you for your help.

I'm not going to be helpful on the implementation details - but a high level you need to:
- Implement AuthenticationProvider and probably AuthenticationEntryPoint
- Wire it into your security context.