Matt Burton

Reputation: 61

Spring Security with Legacy Single Sign-On

I am running into some issues while attempting to use Spring Security to secure a new Spring MVC application using an existing (read: very "legacy") single sign-on solution.

DISCLAIMER: I'm relatively familiar with Spring as a whole, but not at all with Spring Security; please forgive my ignorance.

The SSO service works like so:

  1. User navigates to their Web app of choice: http://apps.myco.com/webapp123
  2. User is not authenticated, so they are redirected to http://sso.myco.com/login and prompted to log in
  3. User is authenticated and directed back to the app with a token attached to the query string: http://apps.myco.com/webapp123?token=ABCD1234
  4. On each page load (JSP pages, currently) the user's token is pulled from the query string and then fired off via a SOAP call back to the SSO service in order to check the token's validity. The SSO service gives the thumbs-up or thumbs-down for the token (thumbs-up if the token is valid and still current; otherwise, thumbs-down)
  5. If the token is valid, another SOAP call can be made to get the username, if that's required

The SSO service doesn't handle user credentials for authorization, so that has to be handled on a per-application basis :(

As I understand it, the generally accepted practice here would be to use Spring Security's preauthentication framework, but I'm (a) not sure if I'm correct in that assumption, and (b) not sure that I need everything that comes with that solution.

Currently, I have a LoginUrlAuthenticationEntryPoint bean defined which directs unauthenticated users to the SSO site:

<beans:bean id="customAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg value="http://sso.myco.com/login" />
</beans:bean>

The entry point is wired up like so:

<http use-expressions="true" entry-point-ref="customAuthenticationEntryPoint">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/edit/**" access="isAuthenticated()" />
    <intercept-url pattern="/setup/**" access="hasRole('setup')" />
    <intercept-url pattern="/admin/**" access="hasRole('admin')" />
</http>

The sticking point for me is where to hook in to receive the "callback" from the SSO service. What I'd like is to have a URL (say, http://apps.myco.com/webapp123/auth?token=ABCD1234) that accepts these redirects from the SSO service, validates the token and retrieves the user name from SSO, then saves all of that information within the Spring Security context. There's a good chance I'm on the wrong road, however, or maybe I'm just missing a piece or two.

Any help or guidance is greatly appreciated.

Upvotes: 3

Views: 2989

Answers (2)

dardo

Reputation: 4970

Ok, so here is what I would do:

I would subclass AbstractAuthenticationProcessingFilter, setting the authenticationManager to the Authentication Manager you have wired in the Spring Security xml. You really should only have to override the attemptAuthentication method. This method takes in the request and response objects allowing access to your URL parameter, etc.

If authentication is a success, you just need to return an Authentication object and Spring Security should handle putting the user into the context, etc.

Here is the documentation:

http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html

Hope this helps!

Edit:

Might want to take a look at how a direct subclass of this is implemented by the guys at Spring, in this case the UsernamePasswordAuthenticationFilter located here:

http://www.jarvana.com/jarvana/view/org/springframework/security/spring-security-web/3.0.5.RELEASE/spring-security-web-3.0.5.RELEASE-sources.jar!/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java?format=ok

Upvotes: 1
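As an added illustration of the approach in this answer (not code from the question or from Spring), here is a subclass of AbstractAuthenticationProcessingFilter that handles the /auth?token=... callback from the question: it validates the token, fetches the username, loads the application's own roles, and returns an authenticated token. SsoTokenService is a hypothetical wrapper around the two SOAP calls; the UserDetailsService for roles is whatever the application already uses.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

// Handles the SSO callback URL (/auth?token=...) described in the question.
public class SsoTokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    // Hypothetical wrapper around the SSO service's two SOAP calls (not a Spring class).
    public interface SsoTokenService {
        boolean isValid(String token);      // step 4: thumbs-up / thumbs-down
        String getUsername(String token);   // step 5: who the token belongs to
    }

    private final SsoTokenService ssoService;
    private final UserDetailsService userDetailsService; // app-side roles (SSO has none)

    public SsoTokenAuthenticationFilter(SsoTokenService ssoService, UserDetailsService userDetailsService) {
        super("/auth"); // only requests to /auth are treated as SSO callbacks
        this.ssoService = ssoService;
        this.userDetailsService = userDetailsService;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String token = request.getParameter("token");
        if (token == null || token.trim().length() == 0) {
            // Any AuthenticationException hands control to the configured failure handler.
            throw new BadCredentialsException("SSO token missing from callback");
        }
        if (!ssoService.isValid(token)) {
            // Keep the token value out of the message: it would end up in logs and error pages.
            throw new BadCredentialsException("SSO token rejected by SSO service");
        }
        String username = ssoService.getUsername(token);
        // Roles come from the application's own store; UsernameNotFoundException propagates as a failure.
        UserDetails user = userDetailsService.loadUserByUsername(username);
        // The three-argument constructor yields an already-authenticated token; the base class then
        // stores it in the SecurityContext and runs the success handler (redirect).
        UsernamePasswordAuthenticationToken auth =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        auth.setDetails(authenticationDetailsSource.buildDetails(request));
        return auth;
    }
}
```

The base class still requires an AuthenticationManager to be set (it asserts this in afterPropertiesSet), so wire one in even though validation happens in the SOAP call here, and register the filter in the chain with `<custom-filter position="FORM_LOGIN_FILTER" ref="..."/>` inside the `<http>` element.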

Ritesh

Reputation: 7522

I would recommend implementing a custom Voter to assign roles (setup, admin etc.) based on token-validity and user details. Please see Voting-Based AccessDecisionManager Implementations and the blog referenced there: SPRING SECURITY CUSTOMIZATION (PART 2 – ADJUSTING SECURED SESSION IN REAL TIME)

Upvotes: 0
