Reputation: 1706
I am trying to do some remote logging from a distant webpage to our portal. The user from the distant webpage has login / password fields that he will submit to process authentication in our portal. If everything is OK, he will be logged in. If it fails, he will be redirected to the portal's standard login page with a matching validation error (i.e. "invalid login/password").
I tried to do it through a servlet, hoping that form's security fields will be transported through requests until they reached the portal's login page.
Unfortunately, they look like they did not reach it, since I always get an "invalid password / login" error.
Since I am really inexperienced with Spring, I am really not sure how I could achieve it. I may consider passing the info as Base64-encoded data, but I don't know how to pass that info to Spring either, and I am also not sure this is a secure way to do it.
So, if any of you have any idea, I will read it with pleasure!
Here's the remote form code:

```html
<form id="connexion">
    <input id="j_username" name="j_username" type="text" value="Email" class="field"/>
    <input id="j_password" name="j_password" type="password" value="Mot de passe" class="field"/>
    <input type="button" class="btn" value="OK" onClick="javascript:register()"/>
</form>
```

```javascript
function register() {
    // Navigates the browser to the servlet URL (a plain GET request).
    var urlSite = "http://localhost:8080/monApp/DistantLogingServlet";
    this.document.location = urlSite;
}
```
The servlet part:

```java
/**
 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
 * @param request
 * @param response
 * @throws IOException
 * @throws ServletException
 */
protected final void doGet(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException {
    final ExternalContext context = FacesUtils.getFacesContext(request, response, servletContext).getExternalContext();
    final RequestDispatcher dispatcher = request.getRequestDispatcher("/j_spring_security_check");
    dispatcher.forward(request, (ServletResponse) context.getResponse());
    FacesContext.getCurrentInstance().responseComplete();
}
```
The portal's standard login page (JSP):

```xml
<h:inputSecret
    id="j_password"
    type="text"
    name="j_password"
    value="#{user.password}"/>
<h:selectBooleanCheckbox
    id="_spring_security_remember_me"
    name="_spring_security_remember_me"
    value="#{user.rememberme}"
    class="float-left" />
<h:commandButton
    action="#{user.doLogin}"/>
```
And the Java authentication part:

```java
public final String doLogin() throws IOException, ServletException {
    final ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
    final HttpServletRequest request = ((HttpServletRequest) context.getRequest());
    final RequestDispatcher dispatcher = request.getRequestDispatcher("/j_spring_security_check");
    dispatcher.forward(request, (ServletResponse) context.getResponse());
    FacesContext.getCurrentInstance().responseComplete();
    // It's OK to return null here because Faces is just going to exit.
    return null;
}
```
Thanks in advance for your interest!
Upvotes: 2
Views: 427
Reputation: 7792
This looks like a Single Sign On scenario.
So.
If the user is already logged in to an application you trust, you don't need a login form on your portal.
Some of the standard approaches for doing this are either CAS or OpenID; Spring Security supports both.
The third approach is to set a cookie on the user's browser when he successfully logs in to the remote site and look for that cookie with a Spring filter. The filter that is normally used for this is the AbstractPreAuthenticatedProcessingFilter (its subclasses, actually).
I would also point you to the Pre-Authentication scenarios part of the Spring Security docs.
Upvotes: 1
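A sketch of the cookie-based pre-authentication approach from the answer above, added here as an illustration; it is not code from the question, the answer, or Spring Security itself. The cookie name `SSO_TOKEN`, the `username|expiryMillis|hexHmac` token layout, the shared HMAC key and the class name are assumptions, and the cookie must be visible to both sites (for example, a common parent domain).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Hypothetical filter: accepts a cookie "username|expiryMillis|hexHmac" issued by the
// remote site after its own login; both sides share the HMAC key (assumption).
public class SignedCookiePreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    private static final String COOKIE_NAME = "SSO_TOKEN"; // assumed cookie name
    private final byte[] sharedKey;

    public SignedCookiePreAuthFilter(byte[] sharedKey) { this.sharedKey = sharedKey.clone(); }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return verify(c.getValue());
        }
        return null; // no token: the chain continues to the standard login page
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the password was checked by the remote site and never reaches the portal
    }

    // Returns the username only when the MAC matches and the token has not expired.
    private String verify(String token) {
        String[] p = token.split("\\|");
        if (p.length != 3) return null;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(sharedKey, "HmacSHA256"));
            byte[] expected = mac.doFinal((p[0] + "|" + p[1]).getBytes(StandardCharsets.UTF_8));
            boolean fresh = Long.parseLong(p[1]) > System.currentTimeMillis();
            // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
            return (fresh && MessageDigest.isEqual(expected, hex(p[2]))) ? p[0] : null;
        } catch (Exception e) {
            return null; // malformed token is treated as "not pre-authenticated"
        }
    }

    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

The filter still needs an `AuthenticationManager` (typically backed by a `PreAuthenticatedAuthenticationProvider`) so the returned username is resolved to a user and its authorities. An unsigned or non-expiring cookie would let anyone who can set it log in as any user, which is why the MAC and expiry checks are the core of the example.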