SSO in a Spring Application


I am sure this is a common issue but I can't find a good example to follow.

I am trying to integrate JForum into my website, which uses the Spring Security framework. I have been having a look at SSO with a cookie and request.getRemoteUser.

I don't understand how to use getRemoteUser because my website and JForum are different applications. If I am not wrong, they cannot share the request, so how is it possible for JForum to read the username that my application sets via the Spring Security framework?

I don't like the idea of using a cookie, but I think I'd have the same problem. Two different apps cannot share a cookie. That would be a security issue.

Can anyone give a clue to start from please?



[originally posted on jforum.net by alexcuesta]

Did you ever find a solution to this? I have been trying to solve this for some days now with no luck (integrating SSO between an AppFuse/Spring Acegi Security web application and JForum). I have read every single SSO post on this forum and am still no closer.
Any help will be much appreciated.

Possible solutions are:
Cookie Solution
Firstly, two different apps can share the same cookie (providing they come from the same domain; the trick is to set the path to / or something like that). I tried this approach (i.e. my main application created a cookie with the username set to the logged-in user) and created my own custom JForum SSO class. This worked perfectly (and for new users the JForum User/Profile records were created as expected). However, I found one little security flaw in this approach: the user can manually modify the username in the main web app cookie (using a Firefox plugin, for example), and this would allow them to submit posts under different users. Can this little flaw be avoided, or did I miss something? If so, any help is appreciated, as I abandoned the cookie approach due to this.

Tomcat Realms
This would seem the obvious choice if you are using Tomcat (to share request.getRemoteUser() between apps); however, I can't seem to figure out how to integrate Tomcat Realms into an Acegi app.
Google doesn't help much, and the Acegi/Tomcat Realms link seems broken.

Documentation for configuring SSO and Realms in Tomcat is here. (Turning on the Tomcat SSO Valve is easy of course, but for me it's not clear how to configure the Realm using Acegi. Anyone?)

Not sure the web.xml <security-role> code works with ACEGI...

Use CAS or another SSO Tool
Have found a few web pages suggesting the use of CAS for SSO. Haven't investigated this; it seems a bit of overkill.


[originally posted on jforum.net by fk314]
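The flaw fk314 describes in the cookie approach is that the cookie carries a bare username, so whoever holds the browser can rewrite it. The usual fix is to make the cookie value tamper-evident: the main application signs "username|expiry" with an HMAC under a secret that only it and JForum know, and JForum's custom SSO class recomputes the signature before trusting the username. The class below is an added example written for this thread; it is not code from either post, from JForum, or from Spring Security/Acegi. The class name, the `create`/`verify` methods, the `|`-separated value layout and the shared-secret loading are all assumptions; wiring it into JForum's SSO hook and into the Spring Security login success path is left to each application.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

/**
 * Tamper-evident SSO cookie value: "username|expiry|base64url(HMAC-SHA256(username|expiry))".
 * Both applications (the main web app and JForum) are assumed to be configured with the
 * same secret. Only a holder of the secret can produce a valid tag, so editing the username
 * in the browser invalidates the cookie. Hypothetical helper, not part of JForum or Spring.
 */
public final class SignedSsoCookie {
    private static final String HMAC = "HmacSHA256";
    private final byte[] secret;

    public SignedSsoCookie(byte[] secret) {
        if (secret == null || secret.length < 32) {
            throw new IllegalArgumentException("use a random secret of at least 32 bytes");
        }
        this.secret = secret.clone();
    }

    /** Called by the main application once Spring Security has authenticated the user. */
    public String create(String username, long expiryEpochSeconds) {
        if (username == null || username.isEmpty() || username.indexOf('|') >= 0) {
            throw new IllegalArgumentException("username must be non-empty and must not contain '|'");
        }
        String payload = username + "|" + expiryEpochSeconds;
        return payload + "|" + sign(payload);
    }

    /**
     * Called by the custom JForum SSO class. Returns the username only when the tag matches
     * and the cookie has not expired; otherwise null, which the SSO class maps to "not logged in".
     */
    public String verify(String cookieValue, long nowEpochSeconds) {
        if (cookieValue == null) return null;
        String[] parts = cookieValue.split("\\|", -1);
        if (parts.length != 3) return null;
        String payload = parts[0] + "|" + parts[1];
        byte[] expected = sign(payload).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = parts[2].getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison so the tag cannot be guessed byte by byte via timing.
        if (!MessageDigest.isEqual(expected, presented)) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowEpochSeconds >= expiry) return null;
        return parts[0];
    }

    private String sign(String payload) {
        try {
            Mac mac = Mac.getInstance(HMAC);
            mac.init(new SecretKeySpec(secret, HMAC));
            byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo secret; in a deployment load a random key from configuration shared by both apps.
        byte[] secret = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        SignedSsoCookie sso = new SignedSsoCookie(secret);
        long now = 1_700_000_000L;

        String cookie = sso.create("alice", now + 3600);
        System.out.println("cookie value : " + cookie);
        System.out.println("genuine      : " + sso.verify(cookie, now));        // alice

        // The scenario from the post: the user edits the username part in the browser.
        String tampered = cookie.replace("alice", "admin");
        System.out.println("tampered     : " + sso.verify(tampered, now));      // null

        // Expired values are rejected too, bounding how long a copied cookie stays usable.
        System.out.println("expired      : " + sso.verify(cookie, now + 7200)); // null
    }
}
```

The cookie is still set exactly as described in the post (same domain, path `/`), and should additionally carry the HttpOnly and Secure flags so scripts and plain-HTTP requests cannot read it. Signing only stops forgery; a cookie copied from a victim's browser remains valid until its expiry, which is why the expiry is part of the signed payload and kept short. If that residual risk matters, the alternative is to store only an opaque session id in the cookie and have JForum look the user up in shared server-side state, which is essentially what a CAS-style SSO tool does for you.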