Thread: Authorize on two or more web applications simultaneously

  1. #1
    Join Date
    Jul 2012
    Posts
    22

    Authorize on two or more web applications simultaneously

    Hi,

    Can you please give me a hint on how to authorize a user on several web applications at the same time?

    I have:

    - EAR
    - - WAR 1 (example.com/)
    - - WAR 2 (example.com/shop/)
    - - ...
    - - WAR n (example.com/forum/)


    Every WAR is a Spring (+Security) based application. The user is authenticated and authorized on WAR 1. When he switches to any other WAR, he has to pass authentication again. How can I bypass it?

    Thanks.

    - Lsync

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,625

    Use an SSO solution (Single Sign On) ... You pass an SSO token around which is checked with the server.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  3. #3
    Join Date
    Jul 2012
    Posts
    22

    Hi Marten,

    Thanks for the reply. Do you know any non-server-specific SSO solution(s)? I would be grateful for the links.

  4. #4
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,625

    I suggest Google, and I don't quite understand your non-server-specific part... The whole point of SSO is to be server agnostic, else it beats the purpose of SSO (SSO is broader than web applications!).
    Marten Deinum

  5. #5
    Join Date
    Jul 2012
    Posts
    22

    Sorry for my bad language. I mean "not 'server-specific'", because the only reasonable SSO solution that I can find is to use the SSO Valve for Tomcat/JBoss. So it would be great to find a more versatile way. Can you help with this?

    Also, I found that the "remember-me" cookie can help, but this hack breaks the standard "remember me" functionality. Too bad.

    Or maybe I can programmatically log in the user in all my Spring Security guarded applications when he authorizes in one of them?

  6. #6
    Join Date
    Jun 2010
    Posts
    10

    I think you want a "server-specific" solution, as all of your web apps are deployed on the same app server, let alone the same EAR. Do not confuse "server-specific" with vendor lock-in. The SSO Valve for Tomcat, the LTPA cookie for WebSphere, etc. all work the same way. The container will populate the request.getUserPrincipal for you. You can use Spring's J2eePreAuthenticatedProcessingFilter to leverage this.

    If you want true SSO across different domains, you would have to use CAS or SAML or some other proprietary vendor (i.e. SiteMinder). This is way more difficult.

    Good luck.
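
The container-based approach from post #6, written out as a Spring Security context that each WAR in the EAR could load. This is an added example, not code posted in the thread. It assumes Spring Security 3.x, that the container has already authenticated the user so request.getUserPrincipal() is populated, and hypothetical container roles "user" and "admin" declared as security-role entries in each web.xml.

```xml
<!-- Added example: Spring Security 3.x assumed; roles "user" and "admin" are assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
  <!-- No login form in the WAR: if the container did not authenticate the
       request, answer 403 rather than starting a second login. -->
  <http entry-point-ref="forbidden" use-expressions="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <custom-filter position="PRE_AUTH_FILTER" ref="j2eePreAuthFilter"/>
  </http>

  <beans:bean id="forbidden"
      class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
  <!-- Takes the principal from request.getUserPrincipal(), set by the container. -->
  <beans:bean id="j2eePreAuthFilter"
      class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="authenticationDetailsSource">
      <beans:bean class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
        <!-- Only roles declared in this WAR's web.xml are tested with isUserInRole(). -->
        <beans:property name="mappableRolesRetriever">
          <beans:bean class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"/>
        </beans:property>
        <!-- Container role "admin" becomes the authority ROLE_ADMIN. -->
        <beans:property name="userRoles2GrantedAuthoritiesMapper">
          <beans:bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
            <beans:property name="convertAttributeToUpperCase" value="true"/>
          </beans:bean>
        </beans:property>
      </beans:bean>
    </beans:property>
  </beans:bean>

  <!-- Builds UserDetails from the mapped roles; no password is checked here. -->
  <beans:bean id="preAuthProvider"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
      <beans:bean class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
    </beans:property>
  </beans:bean>
  <authentication-manager alias="authenticationManager">
    <authentication-provider ref="preAuthProvider"/>
  </authentication-manager>
</beans:beans>
```

Because this configuration trusts whatever principal the container supplies, every path into the WARs has to go through the container's own authentication; the application performs no credential check of its own.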
