Spring Security on Tomcat Valve level

[haggis]

Hello,

If one would like to implement Spring Security based authorization on Tomcat Valve level, would there be any obvious problems with that approach? More detailedly, having a Tomcat Valve delegate the Catalina request to the same Spring Security authentication filter chain that usually DelegatingFilterProxy does the delegation to, when SS is applied normally at a web application level. The problems I'm thinking are something along the lines of session management and original request wrapping (there are others too) as Valve environment is not exactly the Servlet container environment. The authentication type is SAML-based SSO (SS SAML2 extension) but I don't know if that makes any difference.

Not sure if any of this makes sense but I guess the point is to have authentication at a lower than web application level, it shouldn't be possible to go past it by deploying a new web app to a different context root etc. Something like JOSSO's SSO Agent Valve (CatalinaSSOValve).

Cheeers

[thobson]

Hi Haggis

We've recently implemented exactly that, i.e. a Spring/SAML2 powered Tomcat valve that delegates authentication to an IDP. No major issues other than the need to pull in close to 20mb of transitive dependencies which also have to be deployed. The valve is still in beta testing and it's not as feature rich as a "standard" Spring Security implementation. We'll check the source into Github sometime next week and I'll give you a shout so you can take a look

Cheers

Toby

[thobson]

Hi Haggis

A Quick follow up for you ... we've now uploaded our tomcat valve to github, you can find the source here. We've also put together a sample webapp which shows how to use the valve (basically the context.xml config). Finally we have some docs available on our support site: support.cloudseal.com

The valve has been designed to work with our IDP but as it's fundamentally Spring Security/SAML you should be able to adopt the source to work with any SAML2 IDP.

Cheers