We have an existing legacy web application (Servlet + JSP + Spring + Hibernate) and we are going to develop some new features of the application using a new stack (AngularJS + Spring MVC). The currently suggested approach is to register a new servlet and develop the new features in the same codebase, so the authenticated users will have access to the new functionality we develop in the system. Is there a better way of doing this as two different web applications (without SSO)? Can two web applications be secured under the same form-based authentication settings?
Read http://stackoverflow.com/questions/9436736/sharing-session-data-between-contexts-in-tomcat – sura2k Jun 11 '16 at 05:48
Do both apps use the same login, or two? – sura2k Jun 11 '16 at 05:54
2 Answers
From the point of view of Spring Security and AngularJS, authenticating via a form is just an HTTP POST with the content type application/x-www-form-urlencoded. One difference is the response to an unauthenticated request: for one it should be an HTTP redirect (JSP, to a login page), for the other an unauthorized status code (for AngularJS). That could be handled with a custom AuthenticationFailureHandler or on the client side. A similar difference may occur for the successful-login redirection.

So my question is: can I host my REST backend as a new application in the same server (".../mySecureApp" and ".../mySecureRestBackend") under the same Spring Security settings? – Upul Doluweera Jun 10 '16 at 22:14
Separately, as two deployments, oldApp and newRestBackend. It is like two different applications under the same form-based authentication. – Upul Doluweera Jun 10 '16 at 22:27
Then the two will have different context paths, so the Spring Security URL definitions will be the same. I think it should work, and you can test it to be sure by creating a simple empty servlet without hooking it to your API and performing some HTTP requests. – uylmz Jun 10 '16 at 22:39
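The "redirect for JSP, status code for AngularJS" split described in the answer above, written out as a Spring Security Java configuration. This is an added example, not code from the question, the answers or any project mentioned on the page. It assumes the new AngularJS-facing endpoints live under `/api/**` and the legacy JSP pages everywhere else, that the Angular client sends an `X-Requested-With: XMLHttpRequest` header on its requests, and that the user store is configured elsewhere (the legacy application's existing one); all three are assumptions of the example.

```java
import java.io.IOException;
import java.util.LinkedHashMap;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example (not the page's code): one form login serving both a JSP UI and an
// AngularJS client. The user store is assumed to be configured elsewhere.
@Configuration
@EnableWebSecurity
public class DualClientSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the Angular client talks to /api/**; everything else is the JSP UI.
    private static final RequestMatcher API = new AntPathRequestMatcher("/api/**");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Unauthenticated requests: API calls get a bare 401 (the Angular client
        // decides what to do), everything else is redirected to the login page.
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        entryPoints.put(API, new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPoints);
        entryPoint.setDefaultEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));

        http
            .authorizeRequests()
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .exceptionHandling().authenticationEntryPoint(entryPoint)
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")   // the same form-encoded POST for both clients
                .successHandler(new ClientAwareSuccessHandler())
                .failureHandler(new ClientAwareFailureHandler())
                .and()
            .logout().logoutUrl("/logout");
        // CSRF protection stays at Spring Security's default (enabled); the Angular
        // client has to send the CSRF token with its POSTs like the JSP forms do.
    }

    // Assumption: the Angular client marks its requests with this header.
    static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    // Successful login: 200 with no redirect for the Angular client; the JSP client
    // gets the usual redirect to the originally requested page (or "/").
    static class ClientAwareSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                            Authentication authentication) throws ServletException, IOException {
            if (isAjax(request)) {
                response.setStatus(HttpServletResponse.SC_OK);
                return;
            }
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }

    // Failed login: 401 for the Angular client, redirect to /login?error for the JSP client.
    static class ClientAwareFailureHandler extends SimpleUrlAuthenticationFailureHandler {
        ClientAwareFailureHandler() {
            super("/login?error");
        }

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                            AuthenticationException exception) throws IOException, ServletException {
            if (isAjax(request)) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            super.onAuthenticationFailure(request, response, exception);
        }
    }
}
```

The entry point handles requests that arrive without a session, the two handlers handle the outcome of the login POST itself; both decide on the same header, so the JSP pages keep their redirect flow and the Angular client never receives an HTML login page in place of a JSON response. If the two apps are deployed as separate context paths, as the comments above discuss, this configuration would have to be present in each deployment, and the session cookie is scoped per context, so a session established in one is not automatically seen by the other.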
I think architecture and security usability are very important before diving into something.
If both apps use the same login, then I assume the newer application is more likely a service-oriented application, e.g. RESTful.
Authorization may be an issue, e.g. the legacy app is used by user set A, and the new one is used by both user sets A and B.
Otherwise you can use a shared database, for example MongoDB, to store your login info, i.e. a token. When you log in, return that token and use it for the other service via the Angular client. When you log out, remove any token for that user session. You may also need to be concerned about token expiration.
However, you have to refactor your legacy system in some way to use a token. If that is not possible, you can use session sharing, which is handled by the container if both apps are running under the same container, e.g. Tomcat. But then it may be very hard to integrate with a native mobile app if you are hoping to do so.
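The shared-token approach from the answer above, as an added example that is not part of the original answer or of any project on the page: a plain servlet `Filter` for the new REST backend that accepts an opaque token issued at login, looks it up in a shared store, and handles the two points the answer raises (removal at logout, and expiration). The `TokenStore` interface, its in-memory stand-in (the answer suggests e.g. MongoDB for the real thing), the 30-minute lifetime and the `authenticatedUser` request attribute are all constructed for this example.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not the page's code): bearer-token check for the REST backend,
// backed by a store that both deployments can reach.
public class SharedTokenFilter implements Filter {

    /** What the shared store keeps for each issued token. */
    public static final class TokenRecord {
        public final String username;
        public final Instant expiresAt;

        TokenRecord(String username, Instant expiresAt) {
            this.username = username;
            this.expiresAt = expiresAt;
        }
    }

    /** Contract for the shared database; a MongoDB-backed implementation would live here. */
    public interface TokenStore {
        void put(String token, TokenRecord record);
        TokenRecord get(String token);
        void remove(String token);
    }

    /** In-memory stand-in for the shared store (constructed for the example; not shared across JVMs). */
    public static final class InMemoryTokenStore implements TokenStore {
        private final Map<String, TokenRecord> map = new ConcurrentHashMap<>();
        public void put(String token, TokenRecord record) { map.put(token, record); }
        public TokenRecord get(String token) { return map.get(token); }
        public void remove(String token) { map.remove(token); }
    }

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(30);   // assumed token lifetime

    private final TokenStore store;

    // The filter takes its store via the constructor, so it is registered
    // programmatically (ServletContext.addFilter) rather than from web.xml.
    public SharedTokenFilter(TokenStore store) {
        this.store = store;
    }

    /** Called by the legacy app after a successful form login: issues an opaque random token. */
    public String issueToken(String username) {
        byte[] bytes = new byte[32];                      // 256 bits from SecureRandom, not guessable
        RANDOM.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        store.put(token, new TokenRecord(username, Instant.now().plus(TTL)));
        return token;
    }

    /** Called at logout: deleting the record is what makes both apps stop accepting the token. */
    public void revokeToken(String token) {
        store.remove(token);
    }

    /** Returns the username for a valid, unexpired token, or null; expired tokens are purged on sight. */
    public String validate(String token) {
        TokenRecord record = store.get(token);
        if (record == null) {
            return null;
        }
        if (Instant.now().isAfter(record.expiresAt)) {
            store.remove(token);
            return null;
        }
        return record.username;
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        String user = (header != null && header.startsWith("Bearer ")) ? validate(header.substring(7)) : null;
        if (user == null) {
            // The Angular client gets a 401 rather than a redirect to the JSP login page.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.setAttribute("authenticatedUser", user);   // constructed attribute name for downstream code
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Because the token is only a random key into the shared store, revocation and expiry are decided by the store, not by the client, which is the property the answer relies on when it says to remove the token at logout. This is also the part that does not depend on the servlet container, so it works the same whether the REST backend runs beside the legacy app in Tomcat or is called from a native mobile client.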