Hi,
Did you ever find a solution to this? I have been trying to solve this for some days now with no luck (integrating SSO between an Appfuse/Spring Acegi Security Web Application with JForum). Have read every single SSO post on this forum and still not closer..
Any help will be much appreciated..
Possible solutions are:
Cookie Solution
Firstly, 2 different apps can share the same cookie (providing they come from the same domain, trick is to set the path to / or something like that). I tried this approach (i.e. my main application created a cookie with username set to the logged in user) and created my own custom JForum SSO Class. This worked perfectly (and for new Users the JForum User/Profile records were created as expected)... However, I found 1 little security flaw in this approach: the user can manually modify the username in the main Web App Cookie (using a Firefox plugin for example) and this would allow them to submit posts under different users... Can this little flaw be avoided or did I miss something? If so any help appreciated as I abandoned the cookie approach due to this..
Tomcat Realms
This would seem the obvious choice if you are using Tomcat (to share request.getRemoteUser() between apps), however I can't seem to figure out how to integrate Tomcat Realms into an Acegi App..
Google doesn't help much, and the Acegi/Tomcat Realms link seems broken..
http://forum.springsource.org/archive/index.php/t-29412.html
Documentation for configuring SSO and Realms in Tomcat is here.. (Turning on the Tomcat SSO Valve is easy of course, but for me it's not clear how to configure the Realm using Acegi, anyone?).
http://tomcat.apache.org/tomcat-5.5-doc/config/host.html#Single%20Sign%20On
http://tomcat.apache.org/tomcat-5.5-doc/config/realm.html
Not sure the web.xml <security-role> code works with ACEGI...
http://www.jforum.net/posts/list/15/1714.page#17089
Use CAS or another SSO Tool
Have found a few web pages suggesting to use CAS for SSO.. Haven't investigated this, seems a bit of an overkill..
http://www.nabble.com/Check-CAS-login-for-unprotected-pages-td17561069.html
FK
[originally posted on jforum.net by fk314]
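One way to close the tampering gap described under the cookie solution above (an added example, not code from the post, from JForum or from Acegi): the main app signs the cookie value with an HMAC under a key shared only by the two server-side apps, and the JForum SSO class accepts the username only when the signature verifies and the cookie has not expired. The cookie layout, the shared key and the 15-minute TTL are assumptions of this illustration; it is written in Python so it runs stand-alone, and the same logic ports directly to a Java SSO class.

```python
"""Tamper-evident SSO cookie (illustration, not JForum's own SSO code).

A bare "username" cookie can be rewritten by whoever owns the browser.  A value of
the form <b64(username)>.<expiry>.<hmac> cannot be forged without the server-side
key, so JForum can trust the username it carries.  Layout and key are assumptions.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, username_b64: str, expires: int) -> str:
    # MAC covers both the username and the expiry so neither can be swapped alone.
    msg = f"{username_b64}.{expires}".encode("ascii")
    return _b64(hmac.new(key, msg, hashlib.sha256).digest())


def issue_sso_cookie(username: str, key: bytes, ttl_seconds: int = 900,
                     now: Optional[int] = None) -> str:
    """Main-app side: build the cookie value after the user has authenticated."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    u = _b64(username.encode("utf-8"))
    return f"{u}.{expires}.{_mac(key, u, expires)}"


def verify_sso_cookie(value: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """JForum side: return the username only if the MAC matches and it is unexpired."""
    now = int(time.time()) if now is None else now
    parts = value.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    u, expires_s, mac = parts
    expires = int(expires_s)
    # Constant-time comparison: do not leak how many bytes of the MAC matched.
    expected = _mac(key, u, expires)
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return None
    if now >= expires:
        return None
    try:
        return _unb64(u).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
```

The cookie still needs the shared domain and path from the post, and should be set HttpOnly and Secure so page scripts and plain-HTTP requests never see a valid value.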