1

I have two web applications developed in Java using Spring Security. Each application has its own WAR and therefore is deployed on its own context:

localhost:8080/my-app1
localhost:8080/my-app2

Now when I try to make an AJAX call on my-app1 to a controller that is on my-app2, I get an error message saying that my session is expired. Which makes sense, after all the user is authenticated on my-app1 but not on my-app2.

Is there any workaround for that?

dur
R. Monte

2 Answers

0

I have two solutions:

  1. The secure one: You could try to save an 'id session' in the database for both applications and pass this id in the call. On the second application you could validate that id and proceed with the call.
  2. The insecure one: You could configure Spring to not validate the user session at this call (url mapping) on my-app2.

And found this too: Any way to share session state between different applications in tomcat?

Community
Bruno
  • 1
    I don't think solution 1 would work since spring-security will block the request before it even reaches the point where I can check the id. Solution 2 is not viable. – R. Monte Mar 03 '17 at 22:18
0

I would suggest you store a login token as a cookie entry on the browser side; the cookie should have the same domain for app1 and app2 (in your case, it is just localhost). So it will be passed along to the back end for both apps.

The login token can have an encrypted username which can be decrypted by the server and a hash of the password, which is used for validation.

This is actually the idea behind the token based remember me service in Spring Security.

Simon
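
The signed-cookie idea from the second answer, as an added example that is not part of the original thread and is not Spring Security's own code. It swaps in an HMAC-SHA256 over username and expiry, keyed with a secret shared by both applications, in place of the encrypted username and password hash the answer describes; the class name `SharedLoginToken`, the token layout and the demo key are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

public class SharedLoginToken { // hypothetical helper, deployed in both WARs
    private final byte[] key;   // assumption: the same secret is configured in both apps
    public SharedLoginToken(byte[] key) { this.key = key.clone(); }

    // Token = base64url("username:expiryMillis:hexHmac"); the HMAC covers username and expiry.
    public String issue(String username, long expiryMillis) {
        String payload = username + ":" + expiryMillis;
        String raw = payload + ":" + hmacHex(payload);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }
    // Returns the username when the token is authentic and unexpired, otherwise null.
    public String verify(String token, long nowMillis) {
        try {
            String raw = new String(Base64.getUrlDecoder().decode(token), StandardCharsets.UTF_8);
            int sigAt = raw.lastIndexOf(':');
            int expAt = sigAt < 0 ? -1 : raw.lastIndexOf(':', sigAt - 1);
            if (expAt < 1) return null; // malformed token or empty username
            byte[] expected = hmacHex(raw.substring(0, sigAt)).getBytes(StandardCharsets.UTF_8);
            byte[] actual = raw.substring(sigAt + 1).getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(expected, actual)) return null; // constant-time compare
            long expiry = Long.parseLong(raw.substring(expAt + 1, sigAt));
            return expiry > nowMillis ? raw.substring(0, expAt) : null;
        } catch (IllegalArgumentException e) { // bad base64 or non-numeric expiry
            return null;
        }
    }
    private String hmacHex(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            StringBuilder hex = new StringBuilder();
            for (byte b : mac.doFinal(data.getBytes(StandardCharsets.UTF_8))) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) {
        SharedLoginToken t = new SharedLoginToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String token = t.issue("r.monte", 2_000L);          // constructed sample values
        System.out.println(t.verify(token, 1_000L));        // within expiry
        System.out.println(t.verify(token, 3_000L));        // past expiry
        System.out.println(t.verify(token + "A", 1_000L));  // altered token
    }
}
```

The cookie carrying the token needs `Path=/` so the browser sends it to both `/my-app1` and `/my-app2`, and `verify` has to run in a filter placed ahead of the session check on my-app2.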