I'm designing a security module for a web application using Spring Security. There are 3 separate WARs (3 apps) using separate logins, deployed in a JBoss server. The requirement is: if the user is authenticated in one app, then he should be able to access the other applications without logging in. Is it possible to share the security context between the web applications (different WARs, not in a single EAR)? We discussed SSO, but we are trying to achieve this with Spring Security and with the support of the app server. Is there any way? Please provide your valuable suggestions and inputs. If you need more information, please let me know.
2 Answers
I've done this recently with SSO and Spring Security; however, I wrote our own security filter to be used, which grabs the HttpServletRequest.getRemoteUser() value provided by the SPNEGO filter. One thing with SSO: most mechanisms use Kerberos, which only really works in local desktop environments. It is possible to write a fallback mechanism which will redirect the user to a login page, but then you still have your issue at hand.
Another option would be to repackage your applications as an EAR (see here).
Sigh, thanks for your info. We don't want to install a specific SSO (SiteMinder or CAS) and we are trying other options (container-level security) like Spring Security with the Apache Tomcat SSO Valve or JBoss SSO. As per the requirement, web applications should be deployed as separate WAR files on the same server. Planning to use use cases 2 and 3: http://java.dzone.com/articles/choosing-sso-your-jboss. Our aim is to share the Spring Security context between the applications on the same server. – Sampathkumar Apr 28 '14 at 08:32
The easiest way is to employ usual Spring Security authentication (e.g. form-based with username/password) and enable the remember-me feature.
As long as all three applications are deployed on the same domain (and can therefore share their cookies), the remember-me feature will work seamlessly for all of them, i.e. once a user authenticates at any of the applications she will be able to access the others without the need for re-authentication.
This of course doesn't address issues like single logout, but that doesn't seem to be your aim anyway.
You can set this up in a short time and don't need any third-party SSO components, although relying on standard SSO protocols and dedicated technologies tends to be a more secure option.
Thanks VSChafer. Will try to implement the remember-me option. This is for a POC. I got your point on the standard SSO protocols. In production, we will go for SSO. – Sampathkumar Apr 28 '14 at 10:09
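One concrete way to set up the remember-me approach from the answer above, as an added example that is not code from the question or the answers. It assumes Spring Security Java config in the WebSecurityConfigurerAdapter style, a UserDetailsService backed by the same user store in all three WARs, and a hypothetical system property sso.rememberme.key; the key must be identical in every WAR (the token hash is computed over it), and the cookie path is widened to "/" because Spring Security's default scopes the remember-me cookie to the WAR's own context path, so the browser would never send it to the other two applications.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

@Configuration
@EnableWebSecurity
public class SharedRememberMeConfig extends WebSecurityConfigurerAdapter {
    // Same secret in all three WARs: a WAR with a different key rejects the others' cookies.
    // Hypothetical property name; read it from the server configuration, never hard-code it.
    private static final String SHARED_KEY = System.getProperty("sso.rememberme.key");
    private final UserDetailsService userDetailsService; // same user store in every WAR

    public SharedRememberMeConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin()
            .and().rememberMe().key(SHARED_KEY)
                  .rememberMeServices(new SharedPathRememberMeServices(SHARED_KEY, userDetailsService));
    }

    /** Scopes the remember-me cookie to "/" instead of this WAR's context path. */
    static class SharedPathRememberMeServices extends TokenBasedRememberMeServices {
        SharedPathRememberMeServices(String key, UserDetailsService uds) { super(key, uds); }

        @Override
        protected void setCookie(String[] tokens, int maxAge,
                                 HttpServletRequest request, HttpServletResponse response) {
            Cookie cookie = new Cookie(getCookieName(), encodeCookie(tokens));
            cookie.setMaxAge(maxAge);
            cookie.setPath("/");                  // shared by every context on this host
            cookie.setSecure(request.isSecure()); // the token is credential material
            cookie.setHttpOnly(true);
            response.addCookie(cookie);
        }

        @Override
        protected void cancelCookie(HttpServletRequest request, HttpServletResponse response) {
            Cookie cookie = new Cookie(getCookieName(), null);
            cookie.setMaxAge(0);
            cookie.setPath("/");                  // must match setCookie or logout leaves it behind
            response.addCookie(cookie);
        }
    }
}
```

Logging out of one WAR only cancels the cookie; the other WARs' HTTP sessions stay alive until they expire, which is the single-logout gap the answer mentions.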