
I have seen a lot of examples where there is a custom login page with Angular JS, and then we make a REST POST call with the username/pwd, and then Spring authenticates based on whatever Auth Service we provide. Then we receive a success, grab the user object from Spring Security and then create a session cookie in Angular. https://github.com/witoldsz/angular-http-auth/blob/master/src/http-auth-interceptor.js

I have also seen Siteminder integrated with Spring Security, where we install a policy agent on the web server, then grab request headers with Spring Security, and then pull the roles and build a user profile object.

I'm looking for a solution where I can combine both of the above. This is the scenario:

When the user requests index.html (Angular), the policy agent on the web server intercepts, authenticates with a Siteminder login page and then passes the headers to the app server. Spring Security on the app server will read the headers, pull the roles from our app database and then build a user profile object. Now here, I want to continue the flow and display the Angular page, but I'm trying to figure out how I send the user profile object to Angular, because Angular is not making a POST call at this point. Also, how do I get the http-auth-interceptor in play, because I need to keep checking if the user is still authenticated on the change of every view/state in Angular.

Help appreciated! Thanks!

PavanSandeep

2 Answers


You may implement a tiny JSON REST service "/your-app/profile" which is protected by SiteMinder, reads and evaluates the headers and returns the result as a JSON object.

Your Angular app (e.g. /your-app/index.html) should ideally also be protected by SiteMinder so you receive an immediate redirect to the SSO login when accessing it without a session. In addition, it must read the JSON REST resource "/your-app/profile" when loaded. It must also expect that SMSESSION is missing when reading "/your-app/profile" and react accordingly - perform a reload of the protected index.html page to trigger an SM SSO re-login (if "/your-app/index.html" is protected, otherwise you must trigger login by a redirect to some protected resource).

If you want to constantly check whether the SiteMinder session is still present, you may either access "/your-app/profile" or check for the presence of the SMSESSION cookie (only in case it is not set as HTTP-only).

One SECURITY NOTE: If you rely on the seamless SSO which is provided via SMSESSION cookie, be aware of the possible CSRF (Cross-Site Request Forgery) attacks!

Vilmantas Baranauskas
  • But I will be creating a Spring session too, right? I'll have SMSESSION and JSESSION? – PavanSandeep Dec 23 '15 at 19:35
  • You can create HttpSession (JSESSION) if necessary, but it is not mandatory and not automatically bound to SMSESSION. If creating HttpSession you should check on each request if SMSESSION has not changed - otherwise you may have a serious vulnerability. Keep in mind that relying on sessions in the REST services is a sign of bad architecture. – Vilmantas Baranauskas Dec 25 '15 at 20:12
  • @VilmantasBaranauskas I have a similar situation to yours: we use SiteMinder, Angular and Cordova to call a REST API behind SiteMinder. But we faced login UI return. My question is how to implement this to call the API? – JimiOr2 Jun 03 '16 at 05:29
  • @VilmantasBaranauskas - I'm using SSO (Siteminder) for an AngularJS + Spring Boot + Spring Security application. My issue that I get SMSESSION=LOGGEDOFF after some time. How do I trigger a SM SSO re-login? Thanks. – Amit G. Jun 27 '18 at 23:55
  • @AmitG., as already mentioned in the answer, page reload would be the right option if your AngularJS is protected by SiteMinder: https://stackoverflow.com/questions/3715047/how-to-reload-a-page-using-javascript – Vilmantas Baranauskas Jul 01 '18 at 08:55
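The approach in this answer (load "/your-app/profile" on startup and on every view change, and reload the protected page when SMSESSION is gone), as an added plain-JavaScript example that is not code from the answer or from angular-http-auth. Assumed names: `httpGet(url, cb)` is an injected transport (`$http`/XHR in a real app), `reload()` stands in for `window.location.reload()`, and `now()` is a clock, all injected so the guard can be exercised outside a browser.

```javascript
// Added example: a session guard built around the answer's "/your-app/profile" endpoint.
const PROFILE_URL = "/your-app/profile";

// Decide what a response from the SiteMinder-protected profile endpoint means.
// Without a valid SMSESSION the policy agent answers with a redirect to the SSO
// login page; since XHR follows redirects, the app usually sees the HTML login
// form delivered with status 200 rather than the JSON profile. So only
// "200 + JSON content type" counts as an authenticated answer.
function classifyProfileResponse(resp) {
  const s = resp.status;
  if (s === 401 || s === 403 || (s >= 300 && s < 400)) return "login-required";
  const ct = (resp.headers && resp.headers["content-type"]) || "";
  if (s === 200 && /application\/json/i.test(ct)) return "ok";
  if (s === 200) return "login-required"; // login form served as 200 text/html
  return "error"; // backend/network failure: do not treat as "logged out"
}

// Guard called from the router on every view/state change. It caches the
// profile for minIntervalMs so view changes do not hammer the endpoint, and
// forces a reload of the protected index.html when the SM session is gone.
function createSessionGuard(opts) {
  const { httpGet, reload, now, minIntervalMs = 30000 } = opts;
  let profile = null;
  let lastCheck = -Infinity;
  return {
    // cb receives the profile object, or null when not authenticated.
    ensureAuthenticated(cb) {
      const t = now();
      if (profile && t - lastCheck < minIntervalMs) { cb(profile); return; }
      httpGet(PROFILE_URL, (resp) => {
        lastCheck = t;
        const verdict = classifyProfileResponse(resp);
        if (verdict === "ok") {
          profile = JSON.parse(resp.body); // e.g. {user, roles} built by Spring
          cb(profile);
        } else if (verdict === "login-required") {
          profile = null;
          reload(); // protected index.html -> SM login page -> fresh SMSESSION
          cb(null);
        } else {
          cb(null); // keep any cached profile; caller decides how to surface the error
        }
      });
    },
    currentProfile() { return profile; }
  };
}
```

In a real app `httpGet` would wrap `$http.get` with an interceptor that feeds responses into `classifyProfileResponse`, and `reload` would be `window.location.reload`.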

Apparently both the roles and the username will be available in Spring if the integration is done as this describes:

Integrating Spring Security with SiteMinder

Yuri Gridin