
This is a follow-up to my previous question: How to modify existing Spring MVC app to bypass spring security?

The situation is: there are 3 Java web apps running on 3 different Tomcat servers [different versions] from the same company, using the same user ID and password. The company wants to combine the 3 sign-ons into one single sign-on.

I wonder if the following solution might work: I modify the first web app so that when the user presses the login button on the sign-on form, my servlet uses that ID/password and calls the 2nd and 3rd web app forms' actions, supplying them with the user ID/password I got from the 1st form, so all 3 web apps will each have a user session, as if the user had physically signed on to each of them. I'll add the URLs of the 2nd and 3rd apps into the web pages of the 1st app, so the user can click and access them. Is this possible, a simulated sign-on from my servlet in the 1st app to the other apps?

Frank
  • http://stackoverflow.com/questions/14950023/how-to-implement-sso-on-existing-tomcat-web-application – Stefan Jul 22 '14 at 08:38

2 Answers


Yes, it is possible. Usually the process is

  1. Log in to app1. Now you have the username/password in your Servlet (or Struts Form, etc.).

  2. In this Servlet (or Struts Action, etc.), call the Login Service API provided by app2 with the username/password. This can be an HTML form, a REST service, a Web Service, whatever you need. This can be done by an HTTP POST (using Apache Commons HTTP client), or some REST client, Web Service client, etc. If app2 validates the username/password successfully, it will return a TOKEN (usually a long String, very similar to a Session ID).

  3. Now you have the TOKEN. Set the TOKEN as a parameter in all of your requests to app2, so app2 can do the validation job.

This is a simple way to do what you need. But there are many disadvantages (especially security flaws).

To be robust, I recommend you use an SSO (Single Sign-On) library, which is a better choice than doing it yourself, I think.

LFF

This is probably possible, but it's ugly. You need to recognize that it's not enough to start a new login session on the other two servers; you also have to let the browser know about those sessions somehow.

  • If all three apps are in the same domain, and login sessions are implemented using cookies, then the first app will need to capture the login cookies it receives from the other two and relay them back to the browser.
  • If login sessions are implemented using URL query parameters (e.g. jsessionid), the first app will need to parse the HTML responses it receives from the other two logins, extract the session ID parameter from a link in each one, and incorporate those session IDs into the links it sends back to the real user.
Wyzard