Spring Security with Weblogic Roles

[hitmarkv]

Hi guys,

I working on a proof-of-concept for my company, and I'm stuck in the security level. Currently, our clients uses Weblogic 10.2 as container, and realm-based roles for app authentication.

I was tasked to create a Grails app that uses SSO to provide a seamless experience to the end user. The idea is that the user would log in in a JEE application, the same way it's today, and then, some actions in the app would be performed in the Grails app.

The auth schema is JEE standard, with roles in Weblogic for access. I've checked the spring-security-plugin for Grails, but i depends on the User-Role in DB method. How can I configure it to post the login info to the server and use the JEE mechanism?

Thanks and regards,
Francisco

[hitmarkv]

Update:

I got some progress on this. Now, if I enter an invalid login/password, I'm redirected to the denied page, as per the web.xml configuration. Which probably means that the server is trying to authenticate the username. However, if I enter a valid username/password, it seems the server is not sending the auth credentials back, because if I try to enter in a secured page, I'm redirected again to the login form.

I see that a cookie is written in the session for my app, but I'm not "logged in" per se. I'm starting to think there's some security filter misconfigured.

My web.xml security:

Code:

<login-config>
 	        <auth-method>FORM</auth-method>
 	        <realm-name>default</realm-name>
 	        <form-login-config>
 	            <form-login-page>/login/login.gsp</form-login-page>
 	            <form-error-page>/login/denied.gsp</form-error-page>
 	        </form-login-config>
 	</login-config> 

	<security-constraint>
 	        <display-name>test role</display-name>
  	        <web-resource-collection>
 	          <web-resource-name>userRole</web-resource-name>
	   		  <url-pattern>/SSOPoc/test/index</url-pattern>
	   		  <http-method>GET</http-method>
       		  <http-method>POST</http-method>
 	        </web-resource-collection> 	     
 	        
 	        <auth-constraint>
 	          <role-name>userRole</role-name>
 	        </auth-constraint>
 	</security-constraint>

	<security-role>
 	    <role-name>userRole</role-name>
 	</security-role>

And my login.gsp:

Code:

<form action='j_security_check' method='POST' id='loginForm' class='cssform' autocomplete='off'>
			<p>
				<label for='username'><g:message code="springSecurity.login.username.label"/>:</label>
				<input type='text' class='text_' name='j_username' id='username'/>
			</p>

			<p>
				<label for='password'><g:message code="springSecurity.login.password.label"/>:</label>
				<input type='password' class='text_' name='j_password' id='password'/>
			</p>

			<p id="remember_me_holder">
				<input type='checkbox' class='chk' name='${rememberMeParameter}' id='remember_me' <g:if test='${hasCookie}'>checked='checked'</g:if>/>
				<label for='remember_me'><g:message code="springSecurity.login.remember.me.label"/></label>
			</p>

			<p>
				<input type='submit' id="submit" value='${message(code: "springSecurity.login.button")}'/>
			</p>
		</form>

I have found this info (http://static.springsource.org/sprin...ce/form.html); however, the grails spring-security-core plugin does not contain the AuthenticationProcessingFilter class.