
SSO with 2 spring applications in different Tomcats

I have been asked to do an integration of our webapp into a 3rd party webapp

  • both have identical Spring security configurations
  • the entry point will always be the 3rd party webapp
  • integration will be through IFrame unless there is a better way for SSO

So if you had both webapps in the same Tomcat instance from what I know you could enable the SSO widget and you'd get SSO across webapps but for a number of reasons we are running the webapps in their own Tomcat servers.

I've used Jasig CAS before to manage SSO services, but because the main webapp is not designed or maintained by us and there is only one entry point, I'm looking for a less invasive way of managing authentication across the services.

Would a cookie suffice, or should I be looking at something else?

After thinking about it, I can see 3 main possibilities :

  • move authentication to CAS on both applications. Pros: strong and validated solution, CasAuthenticationProvider can use the existing AuthenticationUserDetailsService to load roles, will allow first authentication on any application based on this CAS server (even if not a current requirement) - Cons: maybe a heavy configuration for only 2 applications
  • use the session cookie of the first application as a reference. If you can manage to get it on the second app, you use a custom pre-authenticated filter that gets the cookie and asks the userId from the first app. Pros: provided there is one page where you can get the userId (user name or ...) in the first app, you have nothing to change in it - Cons: you may have to put a common reverse proxy before the 2 apps to make them seem to come from the same server to be able to get the cookie in the second app, looks like a man-in-the-middle attack, may require a custom session cookie for the second app
  • add a custom filter on the first app that sets a custom cookie containing a token, retrievable by the second app. The filter should also intercept a URL and send back the userId when the token is submitted. Then on the second app add a custom pre-authenticated filter that just gets this token and asks the userId from the first filter. Pros: adds a simple filter in the first application with little interaction with the rest of the app, seems reasonably simple and robust - Cons: needs custom filters on both applications and because of that extensive testing

I would advise you to consider the 1st or 3rd solution, even if they require slight modification of Spring Security on a 3rd party application, because the 2nd sounds really like a dirty hack.
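As an added illustration of the 3rd option (this is example code, not part of the answer above or of either application): one file holding both sides of the exchange. `TokenIssuingFilter` runs in the first application, issues an opaque random token as a cookie once the user is authenticated, and answers the userId lookup on an intercepted URL; `TokenPreAuthFilter` runs in the second application as a Spring Security pre-authenticated filter that turns the cookie into a principal. The class names, the cookie name `SSO_TOKEN`, the path `/sso/whoami`, the header `X-SSO-Secret`, the shared parent domain `example.com`, and the constructor-injected secret and URL are all assumptions; it targets Spring Security 5 with the `javax.servlet` API, and in a real deployment the two classes live in separate webapps.

```java
// Added example, not code from the original answer. Assumed: class names, cookie "SSO_TOKEN",
// path "/sso/whoami", header "X-SSO-Secret", domain "example.com", Spring Security 5 / javax.servlet.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

/* First application: issues the token cookie and answers userId lookups on LOOKUP_PATH. */
class TokenIssuingFilter extends OncePerRequestFilter {
    static final String COOKIE = "SSO_TOKEN", LOOKUP_PATH = "/sso/whoami", SECRET_HEADER = "X-SSO-Secret";
    private static final long TOKEN_TTL_SECONDS = 600;
    private final String sharedSecret;                       // assumed: injected from configuration
    // token -> {userId, expiryEpochSeconds}; in-memory for the example, a shared store in practice
    private final Map<String, String[]> tokens = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    TokenIssuingFilter(String sharedSecret) { this.sharedSecret = sharedSecret; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        if (req.getRequestURI().endsWith(LOOKUP_PATH)) {      // intercepted URL used by the second app
            answerLookup(req, res);
            return;
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean loggedIn = auth != null && !(auth instanceof AnonymousAuthenticationToken);
        if (loggedIn && lookup(readCookie(req)) == null) {    // no valid token yet: issue one
            byte[] raw = new byte[32];
            random.nextBytes(raw);                           // opaque, unguessable token
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            String expiry = String.valueOf(Instant.now().getEpochSecond() + TOKEN_TTL_SECONDS);
            tokens.put(token, new String[] { auth.getName(), expiry });
            Cookie c = new Cookie(COOKIE, token);
            c.setHttpOnly(true);
            c.setSecure(true);
            c.setPath("/");
            c.setDomain("example.com");                      // assumed parent domain shared by both apps
            res.addCookie(c);
        }
        chain.doFilter(req, res);
    }

    /** Only a caller proving the shared secret may exchange a token for a userId. */
    private void answerLookup(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String presented = req.getHeader(SECRET_HEADER);
        boolean secretOk = presented != null && MessageDigest.isEqual(   // constant-time compare
                presented.getBytes(StandardCharsets.UTF_8), sharedSecret.getBytes(StandardCharsets.UTF_8));
        String userId = secretOk ? lookup(req.getParameter("token")) : null;
        if (userId == null) {
            res.sendError(secretOk ? HttpServletResponse.SC_NOT_FOUND : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        res.setContentType("text/plain");
        res.getWriter().write(userId);
    }

    /** Returns the userId for a live token, or null if the token is unknown or expired. */
    private String lookup(String token) {
        String[] entry = token == null ? null : tokens.get(token);
        if (entry == null) return null;
        if (Long.parseLong(entry[1]) < Instant.now().getEpochSecond()) {
            tokens.remove(token);
            return null;
        }
        return entry[0];
    }

    static String readCookie(HttpServletRequest req) {
        if (req.getCookies() == null) return null;
        for (Cookie c : req.getCookies()) if (COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }
}

/* Second application: pre-authenticated filter that turns the cookie into a principal. */
class TokenPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    private final String lookupUrl;       // assumed, e.g. https://app1.example.com/sso/whoami
    private final String sharedSecret;
    private final RestTemplate rest = new RestTemplate();

    TokenPreAuthFilter(String lookupUrl, String sharedSecret) {
        this.lookupUrl = lookupUrl;
        this.sharedSecret = sharedSecret;
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
        String token = TokenIssuingFilter.readCookie(req);
        if (token == null) return null;    // no token: nothing happens, the chain continues
        HttpHeaders headers = new HttpHeaders();
        headers.set(TokenIssuingFilter.SECRET_HEADER, sharedSecret);
        try {
            return rest.exchange(lookupUrl + "?token={t}", HttpMethod.GET,
                    new HttpEntity<>(headers), String.class, token).getBody();
        } catch (RestClientException e) {
            return null;                   // unknown or expired token: treated as unauthenticated
        }
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest req) { return "N/A"; }
}
```

To wire this up, the second application registers `TokenPreAuthFilter` with an `AuthenticationManager` backed by a `PreAuthenticatedAuthenticationProvider`, whose `UserDetailsByNameServiceWrapper` can reuse the existing `AuthenticationUserDetailsService` to load roles from the returned userId. Two things worth checking in this design: the cookie is only visible to both apps if they share a parent domain (the `setDomain` call above), and the lookup endpoint is protected by nothing but the shared secret, so it should be reachable only over TLS and ideally only from the second app's address.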
