
I would like to verify that the following authentication problem can be solved using Spring Security - Pre authentication scenario:

Problem:

  1. A user logs in via a legacy system.
  2. The user calls pages of a web system (created in Spring MVC).
  3. When calling the pages of the web system, it (the legacy system) passes a token, username and user_role.
  4. The web system then uses web services provided by the legacy system to verify the username and the token.
  5. If valid, a session is created on the web system and the user is able to use the web page; else the user is directed to an error page.

Can I make use of the pre-authentication scenario that Spring Security offers? Or is it easier to just create a Spring AOP aspect that will verify the validity of the token and the user?

The Spring Security documentation is not very good at explaining the correct use of the pre-authentication scenario. Please guide me to take the best possible route. If more information is required, let me know.

Good examples or links welcome.

Khush
  • Not sure which documentation you are referring to. See: http://static.springsource.org/spring-security/site/docs/3.2.x/reference/preauth.html. There are only 3 pre-auth cases (X.509, Siteminder and authentication by the J2EE container) where out of the box functionality can be used. In your case, you have to write (1) your filter implementation (to grab token and username and build an auth-token) and (2) an authentication provider (to authenticate and grant permissions). – Ritesh Apr 15 '13 at 22:13
  • @Ritesh are you in a position to provide an example? – Khush Apr 16 '13 at 00:56
  • See this question http://stackoverflow.com/questions/4783063/configuring-spring-security-3-x-to-have-multiple-entry-points to write your own auth-token and the authentication provider. – Ritesh Apr 16 '13 at 01:07

2 Answers


Are the legacy system and web system 2 different applications?

Basically what I reckon you want is to create a logon session for a user from a legacy system in another web application. Kind of an auto-logon to the 2nd system. Spring Security can help you here but you have to use its support for OAuth 1.0 or 2.0. http://static.springsource.org/spring-security/oauth/

https://github.com/SpringSource/spring-security-oauth/wiki/oauth1

I used OAuth 1.0 for a similar scenario quite some time back. Off the top of my head I think OAuth has predefined steps: 1) A consumer asks for an Auth token 2) Server provides a request token 3) Consumer asks for the token to be authorised 4) Next it passes the Auth token and asks for an Access token 5) Once it gets it, it can make the request to the destined URL on the server and access is granted.

It is more complex than what I have written but the good thing about Spring OAuth support is that Spring takes care of the token bits and you have to do minimal coding. Hope this answers your question.

Soumya
  • Yes @Soumya, the legacy system and the web system are 2 different applications. Are you able to provide an example? – Khush Apr 15 '13 at 14:06
  • http://stackoverflow.com/questions/14522634/spring-security-oauth-2-simple-example http://www.javacodegeeks.com/2012/02/oauth-with-spring-security.html There are more. I don't have the ready code I used for my implementation at the moment. But if you dig around OAuth Spring support you will land up on a few. – Soumya Apr 15 '13 at 14:21
  • We are looking for a single sign on approach. We would ideally only like to login once via the legacy system. – Khush Apr 16 '13 at 00:57
  • OAuth is best for such scenarios. If you are deploying both apps in the same application server you can use Authentication provided by the App server itself and configure single sign on with app server support. However if they are deployed in different servers, which seems the case, using OAuth is a secure option where you maintain/create 2 user sessions. It is Token based and safe, as you don't pass the actual username/password combo (at least OAuth 1 was). Hope that helps – Soumya Apr 16 '13 at 09:47
  • btw if you find an answer useful or it correctly answers your question you may want to accept it. cheers – Soumya Apr 17 '13 at 08:19

After a user has logged in with the legacy system you may generate an auth token on the server side which will be stored in the DB and on the user side in cookies or localStorage. Then pass this token with each request and check it in a pre-auth filter like the one I described in my answer here: https://stackoverflow.com/a/37204764/1562234

Igorock
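The two pieces Ritesh's comment on the question asks for (a filter that grabs the token and username, and an authentication provider that verifies them), which is also the "check it in a pre-auth filter" step of the last answer, map directly onto Spring Security's pre-authentication classes. The following is an added example, not code from the question, from any answer, or from the Spring Security project. It assumes the legacy system passes `username` and `token` as request parameters (the question does not say where they are carried; a header or POST body would keep the token out of access logs) and that the legacy verification web service is reachable through the hypothetical `LegacyTokenService` interface, which returns the user's role on success and `null` otherwise. The `user_role` value the legacy system sends with the request is deliberately not used as the source of authority: the role is taken from the verification response, so a caller cannot grant itself a role simply by changing a parameter.

```java
// Added example (not from the question or any answer): the question's flow on
// Spring Security 3.x pre-authentication. LegacyTokenService is hypothetical.
package example.preauth;

import java.util.Collections;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical client for the legacy system's verification web service (step 4). */
interface LegacyTokenService {
    /** Role the legacy system holds for this user, or null if the token is not valid for the username. */
    String verify(String username, String token);
}

/** Step 3: pull username and token out of the request; the filter builds the auth-token itself. */
class LegacyTokenFilter extends AbstractPreAuthenticatedProcessingFilter {

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String username = request.getParameter("username"); // assumed parameter names
        String token = request.getParameter("token");
        // Returning null makes the filter skip authentication for this request, so an
        // unauthenticated caller reaches the entry point (the error page of step 5)
        // rather than a half-built Authentication.
        if (username == null || username.isEmpty() || token == null || token.isEmpty()) {
            return null;
        }
        return username;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return request.getParameter("token");
    }
}

/** Step 4: the provider's user lookup, which is where the legacy web service is consulted. */
class LegacyTokenUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    private final LegacyTokenService legacy;

    LegacyTokenUserDetailsService(LegacyTokenService legacy) {
        this.legacy = legacy;
    }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        String username = token.getName();
        String presented = (String) token.getCredentials();
        // The role comes from the verification response, never from the request's user_role.
        String role = legacy.verify(username, presented);
        if (role == null) {
            // Throwing here makes PreAuthenticatedAuthenticationProvider fail the
            // authentication; the filter then clears the context and continues the
            // chain unauthenticated, so the entry point shows the error page.
            throw new UsernameNotFoundException("legacy token not valid for " + username);
        }
        GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_" + role);
        // "N/A" as the password: pre-authenticated users have no local credential.
        return new User(username, "N/A", Collections.singletonList(authority));
    }
}

/** Wires filter and provider together; in a real app these are beans in the security config. */
final class LegacyPreAuthWiring {
    private LegacyPreAuthWiring() {}

    static LegacyTokenFilter build(LegacyTokenService legacy) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new LegacyTokenUserDetailsService(legacy));

        LegacyTokenFilter filter = new LegacyTokenFilter();
        filter.setAuthenticationManager(
                new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider)));
        return filter;
    }
}
```

To plug this into the namespace configuration, register the filter with `<custom-filter position="PRE_AUTH_FILTER" ref="legacyTokenFilter"/>` inside `<http>` and give `<http>` an `entry-point-ref` (for instance `Http403ForbiddenEntryPoint`, or a custom entry point that forwards to the error page). Step 5 falls out of the standard filter chain: once the provider accepts the token, `SecurityContextPersistenceFilter` stores the resulting `Authentication` in the `HttpSession`, and the pre-auth filter does not re-run the legacy web-service call on later requests of that session unless the presented principal changes. If the token is meant to be short-lived, the web system should also check its expiry in `verify`, since nothing in the flow above re-validates a session that the legacy system has since revoked.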