I'm using Spring Security 3.1.4 and I have the following question: I have 2 web apps, one is an "admin" and the other is for "users". The admin calls the other using controllers. I would like this communication to use Spring Security. We thought of the option to create a special "login" controller in the user app for the admin and to create a special "admin user" with all the authentication information (login name, password, role...), and every time I want to communicate from the admin app I would use this controller. Is this a valid and common solution?

lior
  • From a security standpoint that sounds risky to me, to have a universal hard-coded ID that provides god-like access. I would rather try to set up some sort of session sharing, if possible. This may help: http://stackoverflow.com/questions/14121810/sharing-security-context-between-few-web-applications – CodeChimp Apr 22 '14 at 10:52
  • Is it possible to create my own preAuthenticationToken for the admin app and use this? – lior Apr 22 '14 at 10:58
  • What you seem to be proposing is to roll your own SSO. Sure, you could do that. But, keep in mind, any bit of custom code you write will potentially open you up to security issues. In general, anything you do outside the norm opens you up to security issues because you are straying away from the best practices. If you do roll your own SSO solution, be VERY careful in how you build your pre-auth tokens. You don't want it to be easy for a hacker to guess. – CodeChimp Apr 22 '14 at 11:02
  • Ok, I understand. Is there a more conventional way? Keep in mind that the admin app doesn't have a user logged in that I can pass to the other app like SSO. – lior Apr 22 '14 at 11:10
  • The more "conventional" way would be to use SSO, in my opinion. But you said you don't want to use any SSO, although you seem to be content in rolling your own. Since Spring Security uses the session, session sharing seems like it might be a good option, but you might be limited by factors like how the apps are deployed, and it might open you up to security flaws. – CodeChimp Apr 22 '14 at 12:46

0 Answers
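The comments above raise two concerns: a single hard-coded "admin user" credential that grants full access, and a home-grown pre-authentication token that must not be guessable. The following is an added example, not code from the question or the comments, showing one defensive shape such a service-to-service token can take with the JDK alone (no Spring dependency): it is short-lived, bound to one HTTP method and path, authenticated with an HMAC over a shared random secret, compared in constant time, and rejected on replay. The class name `ServiceRequestToken`, the `|`-separated layout, the 60-second window, and the idea of carrying the token in a request header are all assumptions of this example; in a Spring Security 3.1 deployment the `verify` method would be called from a pre-authentication filter (a subclass of `AbstractPreAuthenticatedProcessingFilter`) on the user app side, which is also an assumption rather than something the thread specifies.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Per-request service token: HMAC over caller, method, path, timestamp and nonce (example, not Spring's). */
public class ServiceRequestToken {
    private static final String MAC_ALG = "HmacSHA256";
    private static final long MAX_SKEW_MILLIS = 60_000L;   // assumed window: accept tokens at most 60 s old
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final byte[] secret;                            // shared by admin and user app, loaded from config
    private final Set<String> seenNonces = Collections.synchronizedSet(new HashSet<>()); // evict entries older than MAX_SKEW_MILLIS in production
    private final SecureRandom random = new SecureRandom();

    public ServiceRequestToken(byte[] secret) {
        if (secret == null || secret.length < 32) {
            throw new IllegalArgumentException("secret must be at least 32 random bytes");
        }
        this.secret = secret.clone();
    }

    /** Admin side: build the token for one outgoing request (send it in a header, never in the URL). Fields must not contain '|'. */
    public String issue(String caller, String method, String path, long nowMillis) {
        byte[] nonce = new byte[16];
        random.nextBytes(nonce);                            // 128 random bits: not guessable, and unique per request
        String payload = String.join("|", caller, method, path, Long.toString(nowMillis), ENC.encodeToString(nonce));
        return payload + "|" + ENC.encodeToString(mac(payload));
    }

    /** User-app side: returns the caller name if the token is valid for this exact request, otherwise null. */
    public String verify(String token, String method, String path, long nowMillis) {
        if (token == null) return null;
        String[] p = token.split("\\|", -1);
        if (p.length != 6) return null;
        String payload = String.join("|", p[0], p[1], p[2], p[3], p[4]);
        byte[] given;
        try {
            given = DEC.decode(p[5]);
        } catch (IllegalArgumentException e) {
            return null;                                    // not even well-formed base64url
        }
        // Constant-time comparison, so a forged token learns nothing from response timing.
        if (!MessageDigest.isEqual(mac(payload), given)) return null;
        if (!p[1].equals(method) || !p[2].equals(path)) return null;   // token is bound to this request only
        long issued;
        try {
            issued = Long.parseLong(p[3]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (Math.abs(nowMillis - issued) > MAX_SKEW_MILLIS) return null; // expired (or clocks too far apart)
        if (!seenNonces.add(p[4])) return null;                          // replay of a captured token
        return p[0];
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(MAC_ALG);
            m.init(new SecretKeySpec(secret, MAC_ALG));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);               // constructed here; in practice the same secret sits in both apps' config
        ServiceRequestToken admin = new ServiceRequestToken(secret);
        ServiceRequestToken userApp = new ServiceRequestToken(secret);

        long now = System.currentTimeMillis();
        String token = admin.issue("admin-app", "POST", "/internal/users/42/disable", now);

        System.out.println(userApp.verify(token, "POST", "/internal/users/42/disable", now));       // admin-app
        System.out.println(userApp.verify(token, "DELETE", "/internal/users/42", now));             // null: different request
        System.out.println(userApp.verify(token + "x", "POST", "/internal/users/42/disable", now)); // null: MAC does not verify
        System.out.println(userApp.verify(token, "POST", "/internal/users/42/disable", now));       // null: nonce already seen (replay)
        System.out.println(userApp.verify(token, "POST", "/internal/users/42/disable", now + 120_000L)); // null: outside the window
    }
}
```

The point relative to the thread is that nothing long-lived or guessable crosses the wire: the admin app never sends a password, each token is good for one request and one minute, and a token captured from one call cannot be reused or re-targeted at another controller. The shared secret still has to be provisioned to both apps out of band and rotated like any other credential.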