Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to implement single sign on across multiple JVM based applications using Spring Security

Tags:

java

jakarta-ee

spring-security

I am currently trying to implement a single sign on solution across multiple JVM based (Grails, Servlets) web applications currently all deployed in the same servlet container (currently Tomcat, but don't want to limit my solution to just Tomcat). All web applications share a common database.

I've looked at various options from using CAS or other third party libraries to creating a new web service to handle Single Sign On, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders, and Pre-Authentication Filters based on Spring Security.

In this approach I have multiple AuthenticationProviders (currently Active Directory, and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would be also stored as a cookie on the user's machine and that would be used to validate they have a current session in the Pre-Authentication Filters.

Having never done this before I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token? At this point a simple GUID seems to be sufficent?

Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.

Thanks in advance.

like image 798
Patrick McDaniel Avatar asked Oct 06 '22 05:10

Patrick McDaniel

1 Answers

I ended up solving this problem by doing the following:

I created a AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname to try to secure it as much as possible. (The application was running internally at most customer sites so the risks here were determined to be minimal, but be careful about cookie jacking.)

Then on each application that needed to have SSO I implemented a AbstractPreAuthenticatedProcessingFilter, and placed in before the authentication filter which would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.

Hopefully that helps someone else in the future for this type of request.

like image 132
Patrick McDaniel Avatar answered Oct 10 '22 03:10

Patrick McDaniel
Sign in to Comment

Related questions

Why ScheduledExecutorService doesn't print stack trace?
JTextPane/JTextField strange behaviour with rare characters
Java packages and classes
Monitor Object Creation using ASM in Java
Optimize circle inside circle detection algorithm lower than O(n²)
unable to refer library project android on updated adt
Can I set the size of individual panels in a CardLayout?
mapping UML relationships to java
Finding typos in a list of words
Tomcat thread waiting on and locking the same resource
failed to set up gradle: 'Could not find the main class: org.gradle.launcher.GradleMain.'
How do I set the AccessControlContext in Java?
How to remove disable breakpoints I did not set?
Running sonar analysis with mvn sonar:sonar ignores sonar-project.properties
ListView random IndexOutOfBoundsException on Froyo
Best way to read and write webp format images in java [closed]
How to set the (OAuth token) Authorization Header on an Android OKHTTPClient request
Whether to use invokeAll or submit - java Executor service
What's the trade-off between using GetPrimitiveArrayCritical and Get<PrimitiveType>ArrayRegion?
How to use org.w3c.dom.NodeList with Java 8 Stream API?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!