21

I have a tomcat 7 setup with oldApp.war and newApp.war deployed on it. Both the applications share the same login credentials for users on the database.

I can access the apps using https://localhost/oldApp and https:localhost/newApp respectively.

My oldApp is a Spring MVC java application and when the user is logged into the oldApp I want to have a link which will take the user into the newApp without asking for the login credentials.

I want to know how to implement SSO to do this. I preferably don't want to run any external service to handle this.

Thanks in advance.

Amila
  • 5,195
  • 1
  • 27
  • 46
Qstacker
  • 255
  • 1
  • 2
  • 9

4 Answers4

12

Update: Its 2018 and the below info is out of date. If you’re starting a new application then use a federated identity protocol like Open ID Connect and you’ll get SSO for free.

There are a few approaches you could take:

  1. You could use Tomcat for authentication and use Tomcat's single sign on capabilities. If you're currently using Spring to authenticate the user you may need to change some things. Also, depending on how you're doing authentication, Tomcat's authentication may not be configurable enough.
  2. You could setup a third, CAS, servlet (or something similar), which both web applications authenticate against.
  3. You could set this up yourself using Spring and pre-authenticated filters. You would basically have to write your own pre-authenticated filter which checked some location that both servlets had access to (database?, shared context?) for existing credentials before falling back to old authentication methods. You'll want to make sure to clear this authentication in a filter somewhere so the next request doesn't get to automatically inherit the previous requests credentials.
Pace
  • 41,875
  • 13
  • 113
  • 156
  • The CAS url is outdated. Here is the current URI: https://www.apereo.org/projects/cas – edjm Dec 10 '15 at 14:27
9

You can implement SSO in many different ways:

  1. Oauth 2 - http://oauth.net/2/
  2. SAML 2 - https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

SAML 2.0 has many implementations for Identity/Service provider roles.

For an IDP implementations list I can point you to this stackoverflow post: https://stackoverflow.com/a/761774/126414

If you are planning to implement a service provider there is a nice spring extension: http://static.springsource.org/spring-security/site/extensions/saml/index.html

Community
  • 1
  • 1
svlada
  • 3,218
  • 2
  • 25
  • 36
  • can you provide some resource without spring – Jafar Ali Mar 24 '15 at 09:32
  • @JafarAli Could you please provide more details in your question? What is your use case? Do you have existing IDP (which one are you using?) and working on SP to integrate with it? – svlada Mar 24 '15 at 10:04
  • WE have Oracle access manager with SAML 2.0 support as IDP and My app will assume the role of Service provider. My app is not using Spring. – Jafar Ali Mar 24 '15 at 12:42
  • Hay svlada. Can you direct me somewhere. – Jafar Ali Apr 10 '15 at 04:43
4

I have managed this with the Tomcat's SSO Valve:

  1. Put SSO Valve within Host (localhost) element of server.xml file:

    <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true"> <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> </Host>

  2. Add users and roles (eg. in tomcat_users.xml):

    <user username="user1" password="user1" roles="employee"/>

  3. In web-app element of your app's web.xml file, add security constraints:

    <security-constraint> <web-resource-collection> <web-resource-name>App name</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>employee</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>file</realm-name> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/error.jsp</form-error-page> </form-login-config> </login-config> <security-role> <role-name>employee</role-name> </security-role>

  4. That's it. Now, log in to the one of your apps, and you should be logged in to other apps.

Of course, you should not use a plain text password in the production, this is just a quick example. You shoud consider Digest authentication, as well as configuring SSL on Tomcat.

I hope this will help someone!

P.S. if you store users in the SQL database, please check my comment below this answer.

akelec
  • 3,797
  • 3
  • 41
  • 39
  • 2
    I am glad that I helped you :). – akelec May 14 '18 at 11:27
  • hey, one more question. how to logout properly with above sso login? I was using session.invalidate() earlier but it does not work with sso and I am still logged in. – manojadams May 15 '18 at 20:50
  • But how i can add dynamically users and roles in server.xml – Mandrek Jan 02 '19 at 07:55
  • Unfortunately, that is not possible. However, you can store user credentials and roles in a (SQL) database, so the Tomcat could be able to read it. This could be done by setting a JDBCRealm realm in the server.xml. More info: https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JDBCRealm – akelec Jan 02 '19 at 11:09
3

You can deploy the CAS server (which is nothing but a war) in tomcat and configure your web app's filter accordingly. You can take help from this link.

Stefan Ferstl
  • 5,135
  • 3
  • 33
  • 41
somaniA
  • 614
  • 2
  • 7
  • 30