Thread: Authorize on two or more web applications simultaneously

  1. #1 (Join Date: Jul 2012, Posts: 22)

    Hi,

    can you please give me a hint on how to authorize a user on a few web applications at the same time?

    I have:

    - EAR
      - WAR 1 (example.com/)
      - WAR 2 (example.com/shop/)
      - ...
      - WAR n (example.com/forum/)

    Every WAR is a Spring (+Security) based application. The user is authenticated and authorized on WAR 1. When he switches to any other WAR, he has to pass authentication again. How to bypass it?

    Thanks.

    - Lsync

  2. #2 (Join Date: Jun 2006, Location: The Netherlands, Posts: 13,695)

    Use an SSO solution (Single Sign On) ... You pass an SSO token around which is checked with the server.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  3. #3 (Join Date: Jul 2012, Posts: 22)

    Hi Marten,

    thanks for the reply. Do you know any non-server-specific SSO solution(s)? I would be grateful for the links.

  4. #4 (Join Date: Jun 2006, Location: The Netherlands, Posts: 13,695)

    I suggest Google, and I don't quite understand your non-server-specific part... The whole point of SSO is to be server agnostic, else it beats the purpose of SSO (SSO is broader than web applications!).

  5. #5 (Join Date: Jul 2012, Posts: 22)

    Sorry for my bad language. I mean "not 'server-specific'", because the only reasonable SSO solution that I can find is to use the SSO Valve for Tomcat/JBoss. So it would be great to find a more versatile way. Can you help with this?

    Also I found that the "remember-me" cookie can help, but this hack breaks the standard "remember me" functionality. Too bad.

    Or maybe I can programmatically log the user in to all my Spring Security guarded applications when he authorizes in one of them?

  6. #6 (Join Date: Jun 2010, Posts: 10)

    I think you want a "server-specific" solution, as all of your web apps are deployed on the same app server, let alone the same EAR. Do not confuse "server-specific" with vendor lock-in. The SSO Valve for Tomcat, the LTPA cookie for WebSphere, etc. all work the same way. The container will populate request.getUserPrincipal for you. You can use Spring's J2eePreAuthenticatedProcessingFilter to leverage this.

    If you want true SSO across different domains, you would have to use CAS or SAML or some other proprietary vendor (i.e. Siteminder). This is way more difficult.

    Good luck.

  7. #7 (Join Date: Jul 2012, Posts: 22)

    Guys,

    according to this:
    http://static.springsource.org/sprin...rence/cas.html
    and this:
    https://wiki.jasig.org/display/CASC/...pring+Security

    I must give access to users' credentials (including passwords!) both to CAS and to (every) web application. CAS needs them for authentication, and the applications for authorization and assigning a role. Am I right?

  8. #8 (Join Date: Jan 2008, Posts: 1,834)

    The documentation may be a bit misleading unless you read the details. The passwords are not used when authenticating with CAS, but Spring Security does require a way to determine which roles the user has. This can be done using the UserDetailsService (which also provides passwords, but they can be null values since they are not used) or it can be done using the GrantedAuthorityFromAssertionAttributesUserDetailsService set on the CasAuthenticationProvider instead. In this instance you must be sure to set up the CAS server to return the roles in the CAS response.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
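    As an added illustration of the second option Rob describes (this is not code from the thread or from the Spring Security project), a Java configuration for one WAR that validates the CAS service ticket and takes roles from an assertion attribute. The CAS server URL, the service URL for the shop WAR, the attribute name "memberOf" and the provider key are placeholder assumptions.

```java
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService;

@Configuration
public class CasAuthConfig {

    // Constructed placeholders: the CAS server prefix and the URL CAS redirects
    // back to for this particular WAR (each WAR registers its own service URL).
    private static final String CAS_SERVER_PREFIX = "https://cas.example.com/cas";
    private static final String SHOP_SERVICE_URL = "https://example.com/shop/login/cas";

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties props = new ServiceProperties();
        props.setService(SHOP_SERVICE_URL);
        // false: accept an existing CAS single sign-on session instead of
        // forcing the user to re-enter credentials for this WAR.
        props.setSendRenew(false);
        return props;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setServiceProperties(serviceProperties());
        // The service ticket is validated against the CAS server; the user's
        // password is never sent to or stored by this application.
        provider.setTicketValidator(new Cas20ServiceTicketValidator(CAS_SERVER_PREFIX));
        // Roles are read from the assertion attribute named here (assumed name).
        // The CAS server must be configured to release this attribute, otherwise
        // the user is authenticated but ends up with no granted authorities.
        provider.setAuthenticationUserDetailsService(
                new GrantedAuthorityFromAssertionAttributesUserDetailsService(
                        new String[] { "memberOf" }));
        // Key that identifies tokens produced by this provider; placeholder value.
        provider.setKey("shop-war-cas-provider-key");
        return provider;
    }
}
```

    With this wiring the application never sees or stores user passwords, which answers the concern in #7; only the CAS server holds credentials.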

  9. #9 (Join Date: Jul 2012, Posts: 22)

    Done this part, thank you guys for the help. I've tried CAS, OAuth for Spring Security and the remember-me cookie alone as SSO solutions. All work perfectly, but each has its own pros and cons.

    The next step I want to implement is to have the best of two worlds: CAS and remember-me. First I'll explain why:
    - I want to use CAS as an enterprise solution;
    - each application is developed by its own team, so they are independent from each other (have their own sessions);
    - I want to immediately authorize the user in all applications when he/she is authenticated with CAS.

    So I plan to use this simple scheme:
    1. Each application is configured to have both CAS and remember-me as authentication providers.
    2. When the user is authenticated by any application, this application sets a remember-me cookie that is visible to all (path="/" and domain=".example.com").
    3. When any other application sees this cookie, it automatically authorises the user (full workflow drawing).

    It's the simplest way I see to make SSO work on both protected and unprotected pages (I need SSO on unprotected pages to render the user name on them).

    The question is: will that scheme work properly, or do I have to research another one?

  10. #10 (Join Date: Dec 2008, Location: New York City, Posts: 135)

    Look at CAS's single sign-on/off functionality. Your remember-me approach won't work because none of your applications will have access to the others' cookies.

    Also - note that having authentication on non-protected pages is a security issue.
    Andrew Thompson - Linked In
