Applying single sing on for an existing webapplication

[vgreddy43]

We have an application which is using spring security for authentication and authorization. We are moving this process to another web application as part single sign on but we want to keep the existing infrastructre like intercept URL pattern and acces roles in the existing application. Below is the key part of existing application, If we move the authentication to another web application how the existing application constucts the Authetication object by reading roles from single sign on application? (Single sign on application will send username, roles through a cookie to existing application).

Code:

Contents of security-context.xml and authentication service
        <security:http entry-point-ref="AppEntryPoint">
		<security:intercept-url pattern="/home.htm" access="role1"/>	
		<security:intercept-url pattern="/**/images/**" filters="none" />
	</security:http>

	<security:authentication-manager alias="authenticationManager"/>
	 
	<bean id="customizedFormLoginFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" >
		<security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
		<property name="defaultTargetUrl" value="someurl.htm"/>
		<property name="authenticationFailureUrl" value="someurl.html" />
		<property name="authenticationManager" ref="myAuthenticationManager"/> 
		<property name="allowSessionCreation" value="true" /> 
	</bean>

	
	<bean id="myAuthenticationManager" class="com.test.AuthenticationService">
		 
	</bean>

	public class AuthenticationService implements UserDetailsService,AuthenticationManager  {
	   public Authentication authenticate(Authentication authentication) throws AuthenticationException{
                         //Some code here..
		return new UsernamePasswordAuthenticationToken(user, authentication.getCredentials(), grantedAuthorities);
	   }

	   public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException, DataAccessException {
	 	                         //Some code here..
                       return user;
                 }
        }

[Rob Winch]

If we move the authentication to another web application how the existing application constucts the Authetication object by reading roles from single sign on application? (Single sign on application will send username, roles through a cookie to existing application).

It sounds like you are wanting to perform SSO by having the Identity Provider (application that performs authentication) create a cookie with the username and roles that the other application can read to figure out who the user is. Is this correct? If I am understanding correctly, then the application is not properly secured. This is because anyone can set a cookie in their browser indicating they are any user with any role (i.e. look at FireCookie or Firefox's TamperData). I would be very cautious designing your own SSO solution as this is quite complex. Instead I would look into using an exisiting protocol (i.e. CAS, OpenID, SAML, OAuth, etc).

To answer your question you would typically do something like this (i.e. SiteMinder) using Spring Security's preauthentication scenarios. Note that SiteMinder ensures that no one can tamper with the request so it is in fact secure.

Regards,

[vgreddy43]

Thanks for your info. We are going to encrypt the cookie before sending from SSO application to actual web aplication, I hope this will solve security issues. The reason for going to our own SSO solution is, our authentication scheme is not straigt forward, we have a webservice this calls couple of databases as part of authentication. I am not sure whether we can fit this authentication scheme to existing protocols you mentioned.

[Rob Winch]

Please note that encryption (keeps something private) is not the same as signing (ensures it has not been tampered with). This means that encrypting the cookie is not necessarily securing your SSO process. Security is a complicated even for the experts. I find it unlikely that your needs cannot be met by using an existing SSO solution. For these reasons I would strongly recommend you look into a solution that already exists.

Back to the topic at hand...did I answer your Spring Security question?

PS: This is not meant to imply that you are not an expert. Nor is it meant to imply that I am a security expert. On the contrary, I find the more I learn about security the more novice I consider myself to be. My response is solely meant to be friendly advice.

Cheers,

[vgreddy43]

Thanks Rob. You are 100% correct! We will look into one existing solution before implementing our own. In either case, we have to modify our existing application which has spring security authentication.

The link that you have sent, it looks promising. But I did not get a chance to implement it. I will share the details once I implement it. Thanks again for your input!.