Web application and REST SSO services in tomcat and spring-security

I use two different web applications deployed in the same Tomcat instance. One is a web application and the other is REST services. When a user logs into the web application and calls the REST service, REST must authenticate when the user logs in using the web application. How can I implement SSO in Tomcat? If someone has implemented it, please help me.

Update: In my first web application, I implemented the Spring Security mechanism and J2EEPreAuthentication. This application calls the second application (REST services) using DOJO (JavaScript Framework).

Update: I found a solution. Please read my answer below.

+5
3 answers

We can implement SSO between a traditional web application and non-web applications such as RESTful web services. This example shows sample code for implementing single sign-on between a web application and RESTful web services. Below is the configuration in the file spring-security.xml:

    <security:http create-session="never" use-expressions="true"
                   auto-config="false"
                   entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">

        <!-- intercept-url rules are evaluated in order and the first match wins.
             A leading pattern="/**" access="permitAll" rule would match every
             request and leave the role checks below unreachable, so the specific
             pattern comes first and the catch-all comes last. -->
        <security:intercept-url pattern="/admin/**" access="hasRole('tomcat')"/>
        <security:intercept-url pattern="/**" access="hasRole('tomcat')"/>
        <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter"/>
        <!-- Required for Tomcat, will prompt for username / password twice otherwise -->
        <security:session-management session-fixation-protection="none"/>
    </security:http>

    <bean id="preAuthenticatedProcessingFilterEntryPoint"
                class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <bean id="preAuthFilter"
                class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="appControlAuthenticationManager"/>
        <property name="authenticationDetailsSource"
                        ref="j2eeBasedPreAuthenticatedWebAuthenticationDetailsSource"/>
    </bean> 

    <security:authentication-manager alias="appControlAuthenticationManager">
        <security:authentication-provider ref="preAuthenticatedAuthenticationProvider"/>
    </security:authentication-manager>

    <bean id="preAuthenticatedAuthenticationProvider"
                class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService" ref="inMemoryAuthenticationUserDetailsService"/>
    </bean>

    <bean id="j2eeBasedPreAuthenticatedWebAuthenticationDetailsSource"
                class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
        <property name="mappableRolesRetriever" ref="webXmlMappableAttributesRetriever"/>
        <property name="userRoles2GrantedAuthoritiesMapper" ref="simpleAttributes2GrantedAuthoritiesMapper"/>
    </bean>

    <bean id="webXmlMappableAttributesRetriever"
                class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"/>

    <bean id="simpleAttributes2GrantedAuthoritiesMapper"
                class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
        <property name="attributePrefix" value=""/>
    </bean>

    <bean id="inMemoryAuthenticationUserDetailsService"
                class="com.org.InMemoryAuthenticationUserDetailsService"/> 

The above code is in the web application. The same code can also go in the Spring Security XML file of the REST project. Add the following code to the file web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- No http-method elements: listing GET and POST here would leave every
                 unlisted method (PUT, DELETE, ...) outside this constraint -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>

        <user-data-constraint>
            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

The above code should only be in a regular web application. Then enable the SSO valve in Tomcat's server.xml file. Tomcat uses a cookie-based SSO login. Session IDs are stored in cookies. If your browser has disabled cookies, SSO will not work.

Hope this explanation helps.

+6
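
The configuration in the answer above references `com.org.InMemoryAuthenticationUserDetailsService` without showing it. The following is an added example, not the answer author's class: one way to write it, assuming Spring Security 3.1 or later, that builds the user only from the principal name and the container roles which the `j2eeBasedPreAuthenticatedWebAuthenticationDetailsSource` bean attaches to the token.

```java
package com.org;

import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthoritiesContainer;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Added example (assumed implementation): turns the token produced by
 * J2eePreAuthenticatedProcessingFilter into a UserDetails object.
 * Tomcat has already checked the credentials, so this class never sees a
 * password and never grants a role the container did not supply.
 */
public class InMemoryAuthenticationUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        // Principal name comes from HttpServletRequest.getUserPrincipal()
        String username = token.getName();
        if (username == null || username.isEmpty()) {
            throw new UsernameNotFoundException("Container supplied no principal name");
        }

        // The details source configured in spring-security.xml attaches the
        // roles declared in web.xml that the container says this user holds.
        Object details = token.getDetails();
        if (!(details instanceof GrantedAuthoritiesContainer)) {
            // Fail closed: without container roles there is nothing to trust
            throw new UsernameNotFoundException("No container roles on pre-authenticated token");
        }
        Collection<? extends GrantedAuthority> authorities =
                ((GrantedAuthoritiesContainer) details).getGrantedAuthorities();

        // User rejects a null password, so a fixed placeholder is stored instead
        return new User(username, "N/A", authorities);
    }
}
```

Spring Security also ships `PreAuthenticatedGrantedAuthoritiesUserDetailsService`, which builds the user in the same way; a custom class is only needed for extra checks such as the ones shown here.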

Tomcat SSO ( ), . , SSO Tomcat (Spring ) .

Spring SSO, .

+1

Can you explain how to create a class in the following bean:

Is com.org.InMemoryAuthenticationUserDetailsService supposed to be a predefined or custom class?

0