I have a web app that now needs to communicate with another web app. What happens is that the first app (call it App1) will bring up another web browser that is running another app (call it App2).
App1 needs to be able to authenticate a user as does App2. The users are common to both App1 and App2.
What is needed, is a way in which a user, which logs into App1, need not relogin to App2. There will be times though that the user will only need to log into App2 without logging in to App1 (parts of App1 are not secure but all of App2 is).
What is the best way to do something like this? I've looked at JAAS but that seems like way too much effort since I'm just dealing with two web apps running on the same app server.
What I thought about is creating a web service that takes a username and password and stores off the results of their authentication. App1 could call it and the results could be kept in the service. When App1 invokes App2, it could send a key to use as a lookup (another method provided by the web service). App2 could then use this key to call a method on the web service to see if the user associated with the key is really logged in. If they are, then it could retrieve the user information (name and password) from the service and use them as needed. If the user was not already logged on, then App2 could simply request the username and password from the user.
Of course, there will need to be some mechanism in the web service that times out the logon, and that will probably need to be synchronized with the App2's session timeout.
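The shared logon service sketched in this post, with the timeout from the last paragraph, written out as an added example (not the poster's code). It assumes an in-process store, a constructed user table, and that the service hands App2 only the username behind a key, not the password; the injectable clock is there so the expiry can be exercised.

```python
import hashlib
import hmac
import secrets
import time


class LogonService:
    """Shared logon store that App1 and App2 both call (assumed design)."""

    def __init__(self, users, ttl_seconds, clock=time.monotonic):
        self._users = users          # username -> (salt, pbkdf2 hash)
        self._ttl = ttl_seconds      # logon lifetime, to match App2's session timeout
        self._clock = clock
        self._sessions = {}          # opaque key -> (username, expiry)

    @staticmethod
    def hash_password(password, salt):
        # Slow salted hash so the service never keeps plaintext passwords
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, username, password):
        """Called by whichever app collects the credentials; returns a key or None."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(self.hash_password(password, salt), stored):
            return None
        key = secrets.token_urlsafe(32)      # unguessable hand-off key for App2
        self._sessions[key] = (username, self._clock() + self._ttl)
        return key

    def lookup(self, key):
        """Called by App2 with the key App1 passed it; None means 'ask the user to log in'."""
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[key]          # timed out: drop it, same as a session expiry
            return None
        return username

    def logout(self, key):
        self._sessions.pop(key, None)


def make_user_table():
    """Constructed sample user store for the example (not real credentials)."""
    salt = b"constructed-salt-for-example"
    return {"alice": (salt, LogonService.hash_password("correct horse", salt))}
```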
What you're trying to achieve is usually named single sign-on security and there are many ways of implementing such strategies. Sometimes third-party software might be involved (like acegi security) or container specific tools (if you're using weblogic then you're saved for example) or simply ad-hoc solutions as the one you want to implement. The most basic and unsecured way to provide such a solution would be to provide a link on one of the App1's pages that looks like this:
And by only looking at this example you've got the idea (basically you'll fake the submit form of the login page). It works and for convenience I used to do it a lot of times with intranet applications, where security is not always a big issue. This could be easily improved having a third component (like a web service as you're thinking) that can do the same. However it still is not secure enough and the best way to do it is to look for other sso solutions, starting with your container enhancements. The solution won't be portable but it might fit your organization's needs perfectly. I also used to build IdentityAssertionProviders, as well as RoleMappers for weblogic and they work really nicely and represent the best sso solution for an organization that uses a specific app server. Regards.
I've been looking at SSO (why I mentioned JAAS) but it just seems like overkill, and a lot of effort.
Not really and not always. If you're using WebLogic, take a look at IdentityAssertionProviders, they are easy to implement and won't require any code changes on your app side. Other containers might have similar solutions. Regards.
I think, therefore I exist -- Rene Descartes