How can I integrate Java Spring Security with BMC Remedy ARS Mid-Tier web app (SSL)
I am running Windows 2008 R2, IIS 7.5, and Tomcat 5.5. Tomcat has SSL enabled and is connected to IIS via the AJP Connector, version 1.3. I am running a web application called BMC Remedy ARS Mid-Tier, with has its own login authentication. BMC Remedy ARS Mid-Tier is a closed-source system and I have no freedom to modify it; it's essentially a blackbox with an input and output.
I have to satisfy an IT PCI compliance rule, that Mid-Tier's login authentication scheme runs in SSL. The task that was given to me -- meaning, I'm just the messenger; so, please don't ask me why not run the whole site in SSL, thank you) -- is the login authentication should use HTTPS and everything else on the site uses HTTP.
Mid-Tier uses a servlet called "LoginServlet" to authenticate the user to its application. Upon authentication, it directs the user back to a page that I called homepage.jsp. I setup a servlet filter to redirect from HTTPS to HTTP for homepage.jsp. However, the session information created by Mid-Tier's authentication scheme gets lost.
I have seen other web applications that use an SSO implementation, which permits what I've been assigned--login(HTTP)->authenticate(HTTPS)->homepage(HTTP). The problem is this Mid-Tier web application is a black box and has its own login authentication scheme. I called the vendor up and they said this problem is out of their scope.
Would Java Spring Security or, perhaps, an SSO implementation allow me to only use HTTPS for the Mid-Tier authentication, while carrying its session data over to HTTP? Is it
possible to wrap Spring Security around this Mid-Tier login authentication scheme?
The link, http://stackoverflow.com/questions/1...eb-application, might provide some help, but I'm not sure how to integrate it my particular web application. Is there a way I can permit Mid-Tier to authenticate over SSL and remember its session data using Java Spring Security?
I did read something at this link, http://static.springsource.org/sprin...authentication, that vaguely states I can use a proprietary authentication system, which fits my request. Does anyone have any tutorials or guides on how to use an external authentication system with Spring Security?
Thank you very much, in advance, for any help.