
Spring Security SSO

I would like to include SSO to my J2EE projects. I'm trying to find a solution which does not need another server than my application server.

Here's the environment:

  • Glassfish v3.1.2
  • 2 identical projects using Spring MVC / Security (let's say project1 and project2)

What the projects implement:

  • a simple ajax login form
  • a controller with login and test methods:

      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      import org.springframework.beans.factory.annotation.Autowired;
      import org.springframework.security.authentication.AuthenticationManager;
      import org.springframework.security.authentication.BadCredentialsException;
      import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
      import org.springframework.security.core.Authentication;
      import org.springframework.security.core.context.SecurityContext;
      import org.springframework.security.core.context.SecurityContextHolder;
      import org.springframework.security.web.authentication.RememberMeServices;
      import org.springframework.security.web.context.SecurityContextRepository;
      import org.springframework.stereotype.Controller;
      import org.springframework.web.bind.annotation.RequestMapping;
      import org.springframework.web.bind.annotation.RequestMethod;
      import org.springframework.web.bind.annotation.RequestParam;
      import org.springframework.web.bind.annotation.ResponseBody;
      import org.springframework.web.servlet.ModelAndView;

      @Controller
      public class ProjectController {

          public static final String REMEMBER_ME_ACTIVE = "on";

          @Autowired
          SecurityContextRepository repository;

          @Autowired
          RememberMeServices rememberMeServices;

          // The posted version stored the raw username/password token in the context
          // without ever checking it, so any password was accepted and the
          // BadCredentialsException branch could never run. The token has to go
          // through the AuthenticationManager (the <authentication-manager> bean).
          @Autowired
          AuthenticationManager authenticationManager;

          @RequestMapping(value = "/login", method = RequestMethod.GET)
          public Object login(HttpServletRequest request, HttpServletResponse response) {
              System.out.println("[GET] login");
              System.out.println(SecurityContextHolder.getContext().getAuthentication());
              System.out.println(request.getSession().getId());
              return new ModelAndView("login");
          }

          @RequestMapping(value = "/login", method = RequestMethod.POST)
          @ResponseBody
          public Object login(@RequestParam("j_username") String username,
                              @RequestParam("j_password") String password,
                              // an unchecked checkbox is not sent at all, so the parameter must be optional
                              @RequestParam(value = "_spring_security_remember_me", required = false) String rememberMe,
                              HttpServletRequest request, HttpServletResponse response) {
              System.out.println("[POST] login");
              System.out.println(SecurityContextHolder.getContext().getAuthentication());
              System.out.println(request.getSession().getId());
              try {
                  UsernamePasswordAuthenticationToken token =
                          new UsernamePasswordAuthenticationToken(username, password);
                  // verify the credentials; throws BadCredentialsException on failure
                  Authentication authenticated = authenticationManager.authenticate(token);
                  SecurityContext context = SecurityContextHolder.getContext();
                  context.setAuthentication(authenticated);
                  // persist the context in the HTTP session so later requests are recognised
                  repository.saveContext(context, request, response);
                  if (REMEMBER_ME_ACTIVE.equals(rememberMe)) {
                      rememberMeServices.loginSuccess(request, response, authenticated);
                  }
                  return "OK";
              } catch (BadCredentialsException e) {
                  return "BadCredentialsException";
              } catch (Exception e) {
                  e.printStackTrace();
                  return "Exception : " + e.getMessage();
              }
          }

          @RequestMapping(value = "/test", method = RequestMethod.GET)
          public Object test(HttpServletRequest request, HttpServletResponse response) {
              System.out.println("[GET] test");
              System.out.println(SecurityContextHolder.getContext().getAuthentication());
              System.out.println(request.getSession().getId());
              return new ModelAndView("test");
          }
      }
  • spring-security.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <beans:beans xmlns="http://www.springframework.org/schema/security"
          xmlns:beans="http://www.springframework.org/schema/beans"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security-3.1.xsd">

          <!-- security config -->
          <http auto-config="false" use-expressions="true">
              <http-basic/>
              <intercept-url pattern="/login" access="hasRole('ROLE_ANONYMOUS')"/>
              <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')"/>
              <form-login login-page="/login"
                          login-processing-url="/spring/login"
                          authentication-failure-url="/login"
                          default-target-url="/"
                          always-use-default-target="true"/>
              <remember-me services-ref="tokenBasedRememberMeServices"
                           key="XXXXXX_1234567890"
                           use-secure-cookie="true"/>
              <logout logout-url="/spring/logout"
                      invalidate-session="false"
                      logout-success-url="/login"/>
              <session-management invalid-session-url="/login"
                                  session-fixation-protection="newSession">
                  <concurrency-control max-sessions="3"
                                       error-if-maximum-exceeded="false"
                                       expired-url="/login"
                                       session-registry-ref="sessionRegistry"/>
              </session-management>
          </http>

          <beans:bean id="sessionRegistry"
                      class="org.springframework.security.core.session.SessionRegistryImpl"/>

          <!-- authentication config -->
          <authentication-manager>
              <authentication-provider ref="userAuthenticationProvider"/>
          </authentication-manager>

          <beans:bean id="userAuthenticationProvider"
                      class="be.xxx.spring.security.UserAuthenticationProvider"/>

          <beans:bean id="tokenBasedRememberMeServices"
                      class="be.xxx.spring.security.TokenBasedRememberMeServices">
              <beans:constructor-arg name="key" value="XXXXXX_1234567890"/>
              <beans:constructor-arg name="userDetailsService" ref="userDetailsService"/>
          </beans:bean>

          <beans:bean id="userDetailsService"
                      class="be.xxx.spring.security.UserDetailsService"/>
      </beans:beans>

Till now, I found that Glassfish was supporting SSO as written here, but it does not seem to work alongside Spring Security. When logged in to project1, I can't see JSESSIONIDSSO. So when I start project2, it sends me the login form... I also tried to specify the same realm-name in web.xml, but no changes.

After some googling, I found some things about PreAuthenticationFilter, but I really don't know how to implement an SSO solution with this.

Could you help me find a solution?

Thanks,

Smoky
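The PreAuthenticatedFilter route the question mentions is exactly the piece that lets Glassfish SSO and Spring Security cooperate: the container authenticates the user (and only then issues JSESSIONIDSSO), and Spring Security merely reads the principal the container already established instead of running its own login. The Spring Security 3.1 namespace wraps that filter in the `<jee>` element. The configuration below is an added example, not the asker's code and not a Spring or Glassfish sample; the realm name `sharedRealm`, the role names `ROLE_USER`/`ROLE_ADMIN`, and the paths `/login.jsp` and `/logged-out` are assumptions, and the web.xml fragment must be the same in project1 and project2.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- spring-security.xml: Spring Security 3.1 namespace, login delegated to the container.
     Example configuration added here; not the asker's file. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
        <!-- everything requires a role that only the container can grant -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>

        <!-- Installs J2eePreAuthenticatedProcessingFilter plus a
             PreAuthenticatedAuthenticationProvider. For each request it calls
             request.getUserPrincipal() and request.isUserInRole() for every listed
             role; a request without a container principal is simply not
             authenticated and the entry point answers 403. There is no Spring
             login form any more: the container owns the credential check. -->
        <jee mappable-roles="ROLE_USER,ROLE_ADMIN"/>

        <!-- kept from the asker's config: the session belongs to the container's
             SSO, so Spring does not invalidate it on logout -->
        <logout logout-url="/spring/logout"
                invalidate-session="false"
                logout-success-url="/logged-out"/>
    </http>

    <!-- the provider registered by <jee> is all this manager needs -->
    <authentication-manager/>
</beans:beans>

<!-- ======================= web.xml (fragment) =======================
     Container-managed security in BOTH projects against ONE realm.
     Glassfish only sets JSESSIONIDSSO for requests it authenticated itself,
     which is why a Spring-side login form never produced that cookie. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <!-- placeholder: the same realm name in every participating project -->
    <realm-name>sharedRealm</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?error=1</form-error-page>
    </form-login-config>
</login-config>

<!-- roles must be declared so request.isUserInRole() can answer for them -->
<security-role>
    <role-name>ROLE_USER</role-name>
</security-role>
<security-role>
    <role-name>ROLE_ADMIN</role-name>
</security-role>
```

Two Glassfish-side prerequisites remain outside these files: SSO must be enabled on the virtual server (the setting the asker already found in the Glassfish documentation), and the realm's groups must be mapped to the declared roles, either per application in glassfish-web.xml or through the domain's default principal-to-role mapping. The trade-off is that the Ajax login controller and the Spring remember-me cookie from the original setup no longer drive authentication; the container's form login does, and the second project only sees the user because the container presented a principal for JSESSIONIDSSO.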

If the projects are identical, you can always use sticky sessions and share sessions between the projects.

