
Thread: Authorize on two or more web applications simultaneously

  1. #11
    Join Date: Jul 2012, Posts: 22

    Quote Originally Posted by arthomps View Post
    Look at CAS's single signon/off functionality
    arthomps, I'd love to! But I haven't found any CAS solution that lets me do the simplest thing: render the user name (or login invitation) on every site page.

    It's because:
    - applications have their own sessions;
    - when a user logs in to any of them, the others don't even know about it! That's what the remember-me cookie is for.

    Here is a little conversation about that (sorry for the external link); maybe you can say a few words that explain the situation?

  2. #12
    Join Date: Jun 2006, Location: The Netherlands, Posts: 13,695

    Each application must consult the CAS server (as explained in the thread). As soon as a user is authenticated and enters a new application, CAS is consulted, Spring Security (for that app) creates the SecurityContext, and you can do whatever you want. What you do with the remember-me cookie is basically the thing that you must let CAS do...

    The latter should be configured in Spring and should be transparent (so basically every request already goes to CAS when you have configured things correctly)...
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author

    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  3. #13
    Join Date: Jul 2012, Posts: 22

    Quote Originally Posted by Marten Deinum View Post
    basically every request already goes to CAS
    Wow... Is it really true? Our clients often have high-load applications, so making a request to CAS for every page is too expensive. Is it really a better solution than using remember-me and having only one CAS request to authenticate the user on the whole site?

    Quote Originally Posted by Marten Deinum View Post
    What you do with the remember-me cookie is basically the thing that you must let CAS do...
    Truly agree with that. Unfortunately, CAS only has a Single Sign Out callback. We really need the same for Sign In...
    Last edited by Lsync; Oct 3rd, 2012 at 06:08 AM.

  4. #14
    Join Date: Jun 2006, Location: The Netherlands, Posts: 13,695

    Quote Originally Posted by Lsync View Post
    Wow... Is it really true?
    Well, actually no... If you hit a page that requires authentication, then you hit the CAS server. Now if you enter a page that requires authentication, it will go to CAS and (if I recall correctly), due to the fact that you are already authenticated, get the id etc. back. Spring Security will use this to load the user. (So actually only 1 request per application goes to CAS.)

    CAS will give you a Ticket (Ticket Granting Ticket) which can be used by other applications to verify if the user is valid/logged in; this gives you the SSO behavior you want...

    So as mentioned before what you are trying to do with the remember-me hack is already how things should work with CAS.

    Quote Originally Posted by Lsync View Post
    Truly agree with that. Unfortunately, CAS only has a Single Sign Out callback. We really need the same for Sign In...
    No, you don't... You don't want to automatically be logged in to all applications you have access to (this isn't how SSO works in general). SSO works in that you authenticate once and get a ticket/token/whatever, which can be supplied to other applications (instead of the username/password); the other application consults a global service (in this case CAS, in others the Windows Domain Controller or something like that) to check if the ticket is valid.

    So SSO doesn't mean I log in once and am now logged in to all my applications at once. It means I provide my credentials once and automatically authenticate to other applications when I open them.
    Marten Deinum

  5. #15
    Join Date: Jul 2012, Posts: 22

    Quote Originally Posted by Marten Deinum View Post
    CAS will give you a Ticket (Ticket Granting Ticket) which can be used by other applications

    Hmm... I think I'm beginning to understand. If app1 takes the ticket and (in some magic way) shares it with the others on the same server, any application can now request the user's credentials from CAS. Great!

    But what is this magic sharing way? Does Spring Security support it? Or can I place tickets in a shared DB or JNDI, for example... I hope this won't break any CAS flow.

    I have to think about it. Maybe it'll be an even simpler and definitely better solution than remember-me hacking. Thanks a lot!

    Quote Originally Posted by Marten Deinum View Post
    You don't want to automatically be logged in to all applications you have access to
    That's right. I meant a group of applications on the same domain (and only those), where I really want it.

  6. #16
    Join Date: Jun 2006, Location: The Netherlands, Posts: 13,695

    No, you are still missing the point... You authenticate in app1 and CAS issues a ticket; you don't get it from JNDI or a database, you get it AFTER you have authenticated, from CAS... (I suggest a read of the CAS guide and what you can do.) Also I suggest the book Spring Security 3 (an upgrade is pending), which explains CAS nicely.

    And yes, Spring Security (when configured correctly) should support this.
    Marten Deinum

  7. #17
    Join Date: Jul 2012, Posts: 22

    Marten, I understand that I'm bothering you with (maybe stupid) questions, but.

    All the literature you've mentioned relies on two assumptions:
    1. I can only authenticate a user at ONE application at a time.
    2. The application has some magic point named "Secured page" that triggers the authorization process.

    Neither is true in my case. That's the reason why I am looking for a suitable solution and asking those questions.

    I have no secured pages (or, in other words, all my pages are secured at the same level - anyone_can_read), and I want to know "who is here" on every page. So I see only two solutions:
    - to trigger the authentication process on every page (very expensive with CAS);
    - to share credentials (or tickets, or SSO_COOKIE etc.) in some way among my applications at authentication time.

    I am looking for the latter.

  8. #18
    Join Date: Jun 2006, Location: The Netherlands, Posts: 13,695

    The problem is you don't understand Spring Security...

    The authentication process is only triggered once for each application, upon entering the application. If you aren't authenticated, the first application you enter will show the CAS login page; CAS authenticates and authorizes the user and gives the user a Ticket. After the authentication, Spring Security creates a SecurityContext and stores this in the session; the ticket is (or at least should be) stored in a server-wide cookie.

    Now when you enter the second application, the ticket is sent to CAS, which verifies it, and when that succeeds, again a SecurityContext is created and stored in the session.

    So as I mentioned before, your logic is flawed: Spring is taking care of the authorization; CAS is only for authentication, NOT authorization!
    Marten Deinum

  9. #19
    Join Date: Jul 2012, Posts: 22

    Quote Originally Posted by Marten Deinum View Post
    The authentication process is only triggered once for each application, upon entering the application. If you aren't authenticated the first application you enter will show the CAS loging page
    It's not a valid use case for me. Imagine a forum as the first application, for example. Anyone can read it; it doesn't matter whether [s]he is registered at all. There are no "Secure resources" on this hypothetical forum. When should I trigger a CAS authentication process?

    Quote Originally Posted by Marten Deinum View Post
    the ticket is stored in a (at least should) be stored in a server-wide cookie.
    Do you mean "CAS server-wide" or "application server-wide"? In some examples, as far as I can see, there are no server-wide cookies at all. Just application-scoped.
    Last edited by Lsync; Oct 4th, 2012 at 08:39 AM.

  10. #20
    Join Date: Jun 2006, Location: The Netherlands, Posts: 13,695

    If you don't have a page which requires authorization, it is also pretty useless to display a username if someone isn't logged in, imho. That isn't a problem related to CAS but more to how you structured your application...

    Regarding CAS I give up; I suggest Google and the official documentation...
    Marten Deinum

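The flow Marten describes in #14 and #18, as an added example that is not code from the thread or from Spring Security/CAS: a small Python model in which each application talks to CAS once per session, the SSO cookie (TGC) is set only on the CAS host and is never shared through a DB or JNDI, and a page anyone may read (Lsync's forum case) can still ask "who is here" without forcing a login by using the CAS protocol's gateway parameter, a real protocol option the thread does not mention. Host names, ticket formats and the credential check are constructed.

```python
import secrets

CAS_HOST = "cas.example.org"   # constructed; the TGC cookie lives on this host only

class CasServer:
    """Constructed stand-in for the CAS server: it owns the SSO session (TGT)."""
    def __init__(self):
        self.tgts = {}      # TGC cookie value -> username (the SSO session)
        self.sts = {}       # service ticket -> (username, service URL), one-time use
        self.prompts = 0    # how often a user actually had to type credentials

    def login(self, jar, service, creds=None, gateway=False):
        """/cas/login?service=...: return a service ticket, or None when nobody is
        logged in (gateway mode never shows the login form, it just reports that)."""
        tgc = jar.get(CAS_HOST, {}).get("TGC")        # jar: host -> {cookie: value}
        if tgc in self.tgts:
            user = self.tgts[tgc]                     # SSO session found: no prompt
        elif gateway or creds is None:
            return None                               # anonymous; no ticket issued
        else:
            user, password = creds
            if password != "s3cret":                  # constructed credential check
                raise PermissionError("bad credentials")
            self.prompts += 1
            tgc = "TGC-" + secrets.token_hex(8)
            self.tgts[tgc] = user
            jar.setdefault(CAS_HOST, {})["TGC"] = tgc  # apps never see this cookie
        st = "ST-" + secrets.token_hex(8)
        self.sts[st] = (user, service)
        return st

    def validate(self, st, service):
        """/cas/serviceValidate: the ticket is consumed and must match the service."""
        entry = self.sts.pop(st, None)
        return entry[0] if entry and entry[1] == service else None

class App:
    """One Spring-Security-style application with its own HTTP session."""
    def __init__(self, url, cas):
        self.url, self.cas, self.session = url, cas, {}

    def who_is_here(self, jar, creds=None, gateway=False):
        if "user" in self.session:                    # SecurityContext already there
            return self.session["user"]
        st = self.cas.login(jar, self.url, creds, gateway)
        user = self.cas.validate(st, self.url) if st else None
        if user:
            self.session["user"] = user               # one CAS round trip per app
        return user
```

With `gateway=True` the forum learns the visitor's name once they have logged in anywhere else behind the same CAS, and sees `None` otherwise, without a login prompt; service tickets are single-use and bound to the requesting application, so they cannot be copied between apps.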