
Thread: Working example of JaasApiIntegrationFilter

  1. #1
    Join Date
    Jul 2011
    Posts
    7

    Working example of JaasApiIntegrationFilter

    Hi All,

    I have two apps, App1 running in Glassfish and uses JAAS authentication and App2 runs in Tomcat and uses Spring Security. I want to authenticate App1 from App2 when a request comes to App1, and place the authentication in a security container. I looked at the Spring documentation and it looks like this is possible using JaasApiIntegrationFilter when used with JaasAuthenticationProvider. I am looking for some sample code for using JaasApiIntegrationFilter; any directions or info will be highly helpful.

    Thanks,
    Velu

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826


    Did you have a look at the JAAS Sample application?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3
    Join Date
    Jul 2011
    Posts
    7


    Quote Originally Posted by rwinch View Post
    Did you have a look at the JAAS Sample application?
    Hi,

    Thank you for the reply and sorry for posting a late reply. Yes, I did take a look at the JAAS sample application, but it didn't help my cause. In the example I assume the class samples.jaas.UsernameEqualsPasswordLoginModule resides in the war, but my app contains 2 war files. The 1st war file App1 runs in Glassfish and uses a realm and the 2nd war App2 runs in Tomcat. And if App1 is authenticated the principal and subject should be imported to the SecurityContext in App2. I couldn't find the configuration for the bean class javax.security.auth.login.AppConfigurationEntry for DefaultJaasAuthenticationProvider. I guess I am missing something. Any info will be highly appreciated.

    Thanks,
    Velu

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826


    Quote Originally Posted by velu1980 View Post
    And if App1 is authenticated the principal and subject should be imported to the SecurityContext in App2.
    Spring Security uses the HttpSession by default for storing the user information. This means in order for this to happen you need to be able to share the same HttpSession between the two wars. If this is not possible with your container, you would need to utilize a single sign on mechanism (i.e. OpenID, CAS, SAML, etc).

    Quote Originally Posted by velu1980 View Post
    I couldn't find the configuration for the bean class javax.security.auth.login.AppConfigurationEntry for DefaultJaasAuthenticationProvider.
    You can find the configuration in samples/jaas/src/main/applicationContext-security.xml file.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    Jul 2011
    Posts
    7


    Thank you Rob for your reply. We have a custom authentication mechanism in App2 (running in Tomcat) which has to be used, so we don't want to write another authentication mechanism. So I guess we can't use CAS. What is SAML? How do I achieve this? How can I delegate authentication to be done in App2 from App1 and place the authentication in JAAS? Any info will be highly appreciated.

    Thanks,
    Velu

  6. #6
    Join Date
    Jan 2008
    Posts
    1,826


    Quote Originally Posted by velu1980 View Post
    Thank you Rob for your reply. We have a custom authentication mechanism in App2 (running in Tomcat) which has to be used, so we don't want to write another authentication mechanism. So I guess we can't use CAS.
    A single application can support multiple authentication mechanisms. In Spring Security this can be done by adding multiple AuthenticationProviders.

    Quote Originally Posted by velu1980 View Post
    What is SAML?
    http://en.wikipedia.org/wiki/Securit...arkup_Language

    Quote Originally Posted by velu1980 View Post
    How do I achieve this?
    In terms of using Spring Security you could use the Spring Security SAML extension. Keep in mind it is not a full release version yet. Also keep in mind the documentation is rather rough (you can google around for a PDF of it). The project also has a sample application. To get the source see the Spring Security Extensions project page. An alternative would be to write a custom AuthenticationProvider that uses something like OpenSAML to login.

    Quote Originally Posted by velu1980 View Post
    How can I delegate authentication to be done in App2 from App1 and place the authentication in JAAS?
    I guess I am confused on what you are trying to achieve. Above you state you do not want to customize the behavior of App2's authentication, but here you state you want to change how it authenticates (in App2 from App1). Perhaps if you describe the user experience you would expect it might make things a bit more clear to me.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  7. #7
    Join Date
    Jul 2011
    Posts
    7


    Thank you Rob for your reply. Sorry for not explaining properly. This is what we want to achieve:

    We have two apps. App1 runs in Glassfish and uses JAAS (using a custom Realm), and App2 runs in Tomcat and uses Spring Security. App1 needs to access App2; currently the user has to log in twice, once in Glassfish and again in Tomcat. We are looking at the following 2 solutions:

    Solution 1:
    If the user logs into App1 and tries to access App2, we want the subject and principal in App1 to be used in App2 by Spring Security.

    Solution 2:
    Delegate all the authentication from App1 to App2 and share the SecurityContext between JAAS and Spring Security.

    I have one more question: in the example in the samples/jaas/src/main/applicationContext-security.xml file, we use samples.jaas.UsernameEqualsPasswordLoginModule. Does this class have to be present in the classpath?

    Thanks,
    Velu
    Last edited by velu1980; Jul 21st, 2011 at 03:55 PM.

  8. #8
    Join Date
    Jan 2008
    Posts
    1,826


    Quote Originally Posted by velu1980 View Post
    Solution 1:
    If the user logs into App1 and tries to access App2, we want the subject and principal in App1 to be used in App2 by Spring Security.
    I do not know of a way of doing this.

    Quote Originally Posted by velu1980 View Post
    Solution 2:
    Delegate all the authentication from App1 to App2 and share the SecurityContext between JAAS and Spring Security.
    You could do this, but you would want to use some sort of single sign on mechanism as I previously mentioned.

    Quote Originally Posted by velu1980 View Post
    I have one more question: in the example in the samples/jaas/src/main/applicationContext-security.xml file, we use samples.jaas.UsernameEqualsPasswordLoginModule. Does this class have to be present in the classpath?
    The LoginModule that you want to use for authenticating must be in your classpath. I assume you do not want anyone to be able to login using a username and a password that are equal, so this particular class will probably not be found in your actual war. It is intended to demo creating a custom login module and make it easy for users to use the sample war (i.e. it is easy to login w/ any user this way).

    PS: I really think your best bet is to do a Single Sign On solution of some sort.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
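    Wiring that answers the original question, added here as an example and not taken from the sample's applicationContext-security.xml: a DefaultJaasAuthenticationProvider handed an in-memory JAAS Configuration, with JaasApiIntegrationFilter placed in the filter chain. It assumes the beans, sec and util namespaces are declared on the root element; example.jaas.AppRealmLoginModule and example.jaas.RoleAuthorityGranter are placeholder names for your own LoginModule and AuthorityGranter.

```xml
<!-- JaasApiIntegrationFilter sits in the chain's JAAS_API_SUPPORT_FILTER slot (after the
     security context has been restored) and runs the rest of the chain inside
     Subject.doAs(...) with the Subject taken from the JaasAuthenticationToken. -->
<sec:http use-expressions="true">
  <sec:intercept-url pattern="/**" access="isAuthenticated()"/>
  <sec:form-login/>
  <sec:custom-filter ref="jaasApiIntegrationFilter" position="JAAS_API_SUPPORT_FILTER"/>
</sec:http>

<bean id="jaasApiIntegrationFilter"
      class="org.springframework.security.authentication.jaas.JaasApiIntegrationFilter">
  <!-- false (the default): unauthenticated requests get no Subject at all, so
       downstream JAAS checks fail closed instead of seeing an empty Subject -->
  <property name="createEmptySubject" value="false"/>
</bean>

<sec:authentication-manager>
  <sec:authentication-provider ref="jaasAuthProvider"/>
</sec:authentication-manager>

<!-- DefaultJaasAuthenticationProvider is given a javax.security.auth.login.Configuration
     in-process, so no jaas.conf file or -Djava.security.auth.login.config is required. -->
<bean id="jaasAuthProvider"
      class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
  <property name="configuration">
    <bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
      <constructor-arg>
        <map>
          <!-- SPRINGSECURITY is the provider's default loginContextName -->
          <entry key="SPRINGSECURITY">
            <array>
              <bean class="javax.security.auth.login.AppConfigurationEntry">
                <!-- placeholder LoginModule: whatever you name here must be on App2's
                     classpath; do not ship the sample's UsernameEqualsPasswordLoginModule -->
                <constructor-arg value="example.jaas.AppRealmLoginModule"/>
                <constructor-arg>
                  <util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED"/>
                </constructor-arg>
                <constructor-arg><map/></constructor-arg>
              </bean>
            </array>
          </entry>
        </map>
      </constructor-arg>
    </bean>
  </property>
  <property name="authorityGranters">
    <list>
      <!-- placeholder AuthorityGranter mapping JAAS Principals to GrantedAuthorities -->
      <bean class="example.jaas.RoleAuthorityGranter"/>
    </list>
  </property>
</bean>
```

    This only exposes the Subject that App2 itself authenticated to JAAS-aware code running in App2; it does not import App1's Glassfish Subject, which is the point Rob makes above about needing a shared session or an SSO mechanism.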

  9. #9
    Join Date
    Jul 2011
    Posts
    7


    Hi Rob,

    Thank you very much for your reply.

    Solution 1:
    If the user logs into App1 and tries to access App2, we want the subject and principal in App1 to be used in App2 by Spring Security.

    "I do not know of a way of doing this"

    Can't we achieve this using PreAuthenticatedProcessingFilter?

    "You could do this, but you would want to use some sort of single sign on mechanism as I previously mentioned"
    What sort of single sign-on do you suggest? Do you want me to use SAML?

    Thanks,
    Velu
    Last edited by velu1980; Jul 22nd, 2011 at 05:43 PM. Reason: Duplicate

  10. #10
    Join Date
    Jan 2008
    Posts
    1,826


    Quote Originally Posted by velu1980 View Post
    Solution 1:
    If the user logs into App1 and tries to access App2, we want the subject and principal in App1 to be used in App2 by Spring Security.

    "I do not know of a way of doing this"

    Can't we achieve this using PreAuthenticatedProcessingFilter?
    In order to use pre authentication you need to know that you are authenticated. Without a SSO solution of some sort there is no way to securely communicate that a user has already logged into another site and thus you cannot use pre authentication.

    Quote Originally Posted by velu1980 View Post
    "You could do this, but you would want to use some sort of single sign on mechanism as I previously mentioned"
    What sort of single sign-on do you suggest? Do you want me to use SAML?
    It is really up to you which one to choose and I would assume which one you choose really depends on your requirements. I will note that the SAML extension is not at a 1.0 release, so I personally would be hesitant to put it in a production setting.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
