I've around 10 Spring-MVC projects which are deployed on a Wildfly server at home. These projects have been running for quite a while and have always been private.
However, a few friends of mine have requested access, and I'm willing to give it to them. I'm planning on doing this by building a web application with AngularJS. This application will communicate with the Spring-MVC projects by calling RESTful endpoints. However, some people may have access to only a subset of services. I want people to register and log in with those details, or log in by using OpenID.
This results in having to add authentication and authorization to those projects, which can be done with Spring Security. However, I don't want to implement this logic in each service.
Is it possible to create an extra service and let people login or register on this service? And let the other services check the authentication status by using this service?
Which Spring-Security security model would be smart to use (OAuth 1.0, OAuth 2.0, Basic Authentication etc)?
Is there an alternative way to implement my requirements?
The usual solution is to put all the servers behind a common authenticating proxy that serves users a common-looking login page. The authenticating proxy checks the identity of the user by comparing the username and password against values registered in an LDAP directory or database table, or via OpenID.
If the authentication is successful, the proxy will start redirecting the user's requests to the server to which the user was authenticated.
Each request forwarded from the proxy to the end server carries a pre-authentication header containing credentials that prove to the applications that the redirected request came indeed from the proxy, and that it's not a forged request.
Each Spring application is set up not to serve a login page, but to check the pre-authentication header instead. This is the Spring documentation on setting up Pre-Authentication.
Have a look at this example of integration with the Siteminder authentication proxy.
The core of this solution is that the users don't make requests directly to the end servers, it all goes through the proxy that in your case needs to support OpenId.
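As an added example (not part of the answer above, nor code from the Spring documentation it links), here is a Spring Security Java configuration for one of the back-end services, implementing the scheme the answer describes. It assumes the proxy sets two headers on every forwarded request: `X-Forwarded-User` carrying the username it authenticated, and `X-Proxy-Secret` carrying a value shared only between the proxy and the back ends. Both header names, the `PROXY_SHARED_SECRET` environment variable and the in-memory user list are assumptions for illustration; a real deployment would read users and roles from the same LDAP directory or database table the proxy uses. The point to notice is that `RequestHeaderAuthenticationFilter` trusts the username header unconditionally, so the secret check placed in front of it (or, better still, mutual TLS plus network rules that stop clients reaching the back ends directly) is what makes the "not a forged request" claim true.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class PreAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed header names; they must match what the proxy adds to forwarded requests.
    static final String USER_HEADER = "X-Forwarded-User";
    static final String SECRET_HEADER = "X-Proxy-Secret";

    // Assumption: the shared secret is injected through the environment, never checked in.
    private final String proxySecret = System.getenv("PROXY_SHARED_SECRET");

    /** Rejects any request that does not carry the secret only the proxy knows. */
    static final class ProxySecretFilter extends OncePerRequestFilter {
        private final byte[] expected;

        ProxySecretFilter(String secret) {
            this.expected = secret.getBytes(StandardCharsets.UTF_8);
        }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String presented = req.getHeader(SECRET_HEADER);
            byte[] given = presented == null ? new byte[0] : presented.getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison: a direct caller must not be able to guess the secret byte by byte.
            if (!MessageDigest.isEqual(expected, given)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
        }
    }

    /** Per-service user store: decides what an already-authenticated user may do here (assumed data). */
    @Bean
    public UserDetailsService backendUsers() {
        return new InMemoryUserDetailsManager(Arrays.<UserDetails>asList(
                new User("alice", "N/A", AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN")),
                new User("bob", "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"))));
    }

    /** Turns the pre-authenticated username into a full principal with this service's roles. */
    @Bean
    public PreAuthenticatedAuthenticationProvider preAuthProvider() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(backendUsers()));
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(preAuthProvider());
    }

    /** Reads the username the proxy vouches for; it does no origin check of its own. */
    @Bean
    public RequestHeaderAuthenticationFilter headerAuthFilter() throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader(USER_HEADER);
        // A missing header leaves the request anonymous, so authorizeRequests() below rejects it with 403.
        filter.setExceptionIfHeaderMissing(false);
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(new ProxySecretFilter(proxySecret), AbstractPreAuthenticatedProcessingFilter.class)
            .addFilter(headerAuthFilter())
            // The proxy owns the session; the back end re-derives identity from headers on every request.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().hasRole("USER");
    }
}
```

The "subset of services" requirement from the question is handled where it belongs: the proxy decides who is logged in, and each service's own user store decides which of those users gets which roles there, so a user unknown to a particular service is refused by that service even though the proxy forwarded the request. Because the back end is stateless and CSRF protection is disabled here, the CSRF defence (and the OpenID flow) has to live in the proxy, which is the only component that sees the browser.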