All geek questions in one place

How to make a single login using spring security on two domains?

I have a web application and two domains for it - example.com and example.ru

example.com - for international

example.ru - for a local country

My web application uses spring security for authorization users, but if you log in through example.com at example.ru, it is not registered.

How to do this if the login through example.com or example.ru is listed in both domains?

PS: BTW my web application uses authorization through OpenID and OAuth

+6
source share
3 answers

As already mentioned, you need a one-sign solution, Cloudseal provides a spring security extension that includes the spring namespace, so you just need to do something like:

<security:http entry-point-ref="cloudseal"> <security:intercept-url pattern="/protected/user.do" access="IS_AUTHENTICATED_FULLY" /> <security:intercept-url pattern="/protected/admin.do" access="ROLE_ADMIN" /> </security:http> <cloudseal:sso endpoint="http://cloudseal.com" entry-point-id="cloudseal" app-id="quickstart"> <cloudseal:keystore location="WEB-INF/keystore.jks" password="nalle123"> <cloudseal:key name="apollo" password="nalle123" /> </cloudseal:keystore> <cloudseal:metadata location="WEB-INF/idp.xml" /> </cloudseal:sso>

See www.cloudseal.com/platform/spring-security-single-sign-on

+2
source

Although this type of functionality is in no way trivial to achieve, it is actually possible without modifying Spring.

The actual code is too large to publish, so I will try to describe the basic principle and leave you the code.

  • Extend Spring SavedRequestAwareAuthenticationSuccessHandler and implement functionality for serializing and writing an Authentication object for a session cookie with a global scope. See the documentation for the authentication-success-handler-ref attribute in the Spring <sec:http> for more information on how to hook this up. (Note: if the problem is with several web applications in the same domain, you can of course limit the scope of cookies to the current domain).
  • In all your web applications, add a web.xml a <filter> springSecurityFilterChain named springSecurityFilterChain and class org.springframework.web.filter.DelegatingFilterProxy and <filter-mapping> for the filter with the URL pattern /* You do not need to create the actual bean Spring Security provides a default implementation for you.
  • In all of your web applications, add a web.xml a <filter> singleSignonAuthenticationFilterChain named singleSignonAuthenticationFilterChain with class org.springframework.web.filter.DelegatingFilterProxy and matches <filter-mapping> for the filter with the URL /* pattern
  • Now you add a new bean call to singleSignonAuthenticationFilterChain , which should point to the class that implements Filter . In the doFilter() method, verify that there is a session attribute called SPRING_SECURITY_CONTEXT . If there is, then we are already logged in. Otherwise, grab the serialized Authentication token, deserialize it and use SecurityContextHolder.getContext().setAuthentication(authentication) to authenticate the user using Spring. Also, do not forget session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext()) or place authentication every time, which is not necessary.

The twist to (4) attribute is that if you find that the SPRING_SECURITY_CONTEXT attribute SPRING_SECURITY_CONTEXT missing, it may be because the user has just left the current web application. In this case, it should be unloaded globally, so in this case you want to delete the cookie containing the serialized authentication token.

It is difficult to write a resume in one page, but I hope you get a general idea. It is currently implemented in a complex application consisting of several web applications, and it works great.

+1
source

This is not possible without changing the spring security code. I did it sometimes, but it’s very difficult to maintain

Cas is the easiest way to do this in the Java world. http://www.jasig.org/cas

0
source

Source: https://habr.com/ru/post/907549/

More articles:


All Articles