I am sure this is a common issue but I can't find a good example to follow.
I am trying to integrate Jforum in my website, which uses Spring security framework. I have been having a look at SSO with cookie and request.getRemoteUser.
I don't understand how to use getRemoteUser because my website and Jforum are different applications. If I am not wrong, they cannot share the request, so how is it possible to read the username from Jforum being set from my application by Spring Security framework?
I don't like the idea of using a cookie, but I think I'd have the same problem. Two different apps cannot share a cookie. That would be a security issue.
Did you ever find a solution to this? I have been trying to solve this for some days now with no luck (integrating SSO between an Appfuse/Spring Acegi Security Web Application with JForum). Have ready every single SSO post on this forum and still not closer..
Any help will be much appreciated..
Possible solutions are:
Cookie Solution Firstly, 2 different apps can share the same cookie (providing they come from the same domain, trick is to set the path to / or something like that). I tried this approach (ie. my main application created a cookie with username set to the logged in user) and created my own custom JForum SSO Class. This worked perfectly (and for new Users the JForum User/Profile records were created as expected)... However, I found 1 little security flaw in this approach, the user can manually modify the username in the main Web App Cookie (using a Firefox plugin for example) and this would allow them to submit posts under different users)... Can this little flaw be avoided or did I miss something? If so any help appreciated as I abandoned the cookie approach due to this..
Tomcat Realms This would seem the obvious choice if you are using Tomcat (to share request.getRemoteUser() between apps), however cant seem to figure out how to integrate Tomcat Realms into an Acegi App..
Google doesnt help much, and the Acegi/Tomcat Realms link seems broken..