SSO in a Spring Application

 
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I am sure this is a common issue but I can't find a good example to follow.

I am trying to integrate Jforum in my website, which uses the Spring Security framework. I have been having a look at SSO with cookies and request.getRemoteUser().

I don't understand how to use getRemoteUser() because my website and Jforum are different applications. If I am not wrong, they cannot share the request, so how is it possible for Jforum to read the username that my application sets via the Spring Security framework?

I don't like the idea of using a cookie, but I think I'd have the same problem. Two different apps cannot share a cookie. That would be a security issue.

Can anyone give a clue to start from please?

Cheers,

Alex

[originally posted on jforum.net by alexcuesta]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

Did you ever find a solution to this? I have been trying to solve this for some days now with no luck (integrating SSO between an Appfuse/Spring Acegi Security web application and JForum). I have read every single SSO post on this forum and am still no closer..
Any help will be much appreciated..

Possible solutions are:
Cookie Solution
Firstly, 2 different apps can share the same cookie (providing they come from the same domain; the trick is to set the path to / or something like that). I tried this approach (i.e. my main application created a cookie with the username set to the logged-in user) and created my own custom JForum SSO class. This worked perfectly (and for new users the JForum User/Profile records were created as expected)...

However, I found 1 little security flaw in this approach: the user can manually modify the username in the main web app cookie (using a Firefox plugin, for example), and this would allow them to submit posts under different users... Can this little flaw be avoided or did I miss something? If so, any help appreciated, as I abandoned the cookie approach due to this..

Tomcat Realms
This would seem the obvious choice if you are using Tomcat (to share request.getRemoteUser() between apps), however I can't seem to figure out how to integrate Tomcat Realms into an Acegi app..
Google doesn't help much, and the Acegi/Tomcat Realms link seems broken..
http://forum.springsource.org/archive/index.php/t-29412.html

Documentation for configuring SSO and Realms in Tomcat is here (turning on the Tomcat SSO Valve is easy of course, but for me it's not clear how to configure the Realm using Acegi; anyone?).
http://tomcat.apache.org/tomcat-5.5-doc/config/host.html#Single%20Sign%20On
http://tomcat.apache.org/tomcat-5.5-doc/config/realm.html

Not sure the web.xml <security-role> code works with ACEGI...
http://www.jforum.net/posts/list/15/1714.page#17089

Use CAS or another SSO Tool
Have found a few web pages suggesting to use CAS for SSO.. Haven't investigated this; seems a bit of an overkill..
http://www.nabble.com/Check-CAS-login-for-unprotected-pages-td17561069.html

FK

[originally posted on jforum.net by fk314]
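The flaw FK describes in the cookie approach (the browser can rewrite the username) goes away if the cookie carries an authentication tag that only the two server-side applications can produce. The class below is an added example, not code from JForum, Acegi/Spring Security, or either poster: the main application issues a cookie value of the form username|expiry|hmac using a secret shared with JForum, and the JForum side verifies the HMAC and expiry before trusting the username. The secret value, the cookie format, the 15-minute lifetime and the hook into JForum's custom SSO class are all assumptions made for the illustration; only the JDK is used.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not JForum or Spring/Acegi code): an SSO cookie whose value
 * is "username|expiry|hmac". The main web application issues it with a secret
 * known only to the two server-side apps; the JForum SSO class verifies the
 * tag and the expiry before trusting the username. Editing the username in the
 * browser changes the signed payload, so the tag no longer matches.
 */
public final class SignedSsoCookie {

    private static final String HMAC_ALG = "HmacSHA256";

    private final byte[] secret;

    public SignedSsoCookie(byte[] secret) {
        if (secret == null || secret.length < 32) {
            throw new IllegalArgumentException("secret must be at least 32 bytes");
        }
        this.secret = secret.clone();
    }

    /** Main-application side: called after Spring Security has authenticated the user. */
    public String issue(String username, long expiresAtEpochSeconds) {
        if (username.indexOf('|') >= 0) {
            throw new IllegalArgumentException("username must not contain '|'");
        }
        String payload = username + "|" + expiresAtEpochSeconds;
        return payload + "|" + base64Url(hmac(payload));
    }

    /**
     * JForum side: call this from the custom SSO class (the exact JForum SSO
     * interface is assumed, not shown). Returns the username when the cookie
     * is authentic and unexpired, otherwise null so the user is not logged in.
     */
    public String verify(String cookieValue, long nowEpochSeconds) {
        if (cookieValue == null) return null;
        int last = cookieValue.lastIndexOf('|');
        if (last < 0) return null;
        String payload = cookieValue.substring(0, last);
        String tag = cookieValue.substring(last + 1);

        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(tag);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so the check does not leak how many tag bytes matched.
        if (!MessageDigest.isEqual(hmac(payload), given)) return null;

        int sep = payload.lastIndexOf('|');
        if (sep < 0) return null;
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(sep + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowEpochSeconds >= expiry) return null;
        return payload.substring(0, sep);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secret, HMAC_ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String base64Url(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        // Constructed secret for the demo; in deployment load it from server-side config of both apps.
        byte[] secret = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        SignedSsoCookie sso = new SignedSsoCookie(secret);
        long now = 1_700_000_000L;

        String cookie = sso.issue("alex", now + 900);   // assumed 15-minute lifetime
        System.out.println("issued   : " + cookie);
        System.out.println("verified : " + sso.verify(cookie, now));

        // The attack from the post: rewrite the username in the browser.
        String tampered = "admin" + cookie.substring(cookie.indexOf('|'));
        System.out.println("tampered : " + sso.verify(tampered, now));

        // A genuine but expired cookie is rejected as well.
        System.out.println("expired  : " + sso.verify(cookie, now + 901));
    }
}
```

The cookie itself is still shared the way FK describes (same domain, path set to /), but it should also be marked HttpOnly and, on HTTPS, Secure, and the secret must never leave the servers. A signed cookie does not propagate logout or let you revoke a single user, which is why the expiry is kept short; if you need revocation or cross-domain login, that is the point at which a dedicated SSO server such as CAS stops being overkill.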
 
Your buns are mine! But you can have this tiny ad:
Smokeless wood heat with a rocket mass heater
https://woodheat.net
reply
    Bookmark Topic Watch Topic
  • New Topic