Migrating From Spring Security to Oracle Access Manager

Question

I currently have a web application that is using the Spring Framework for authentication and authorization. I have a customer base that is wanting to implement Oracle Access Manager for authentication and authorization. Does anyone have any ideas how complex this migration will be given my current web application setup below?

Current Web Application:

• uses custom Spring based filter for Single Sign On authentication
• uses Spring form based security
• web application currently uses MySQL and implements the Spring org.springframework.security.core.userdetails.UserDetailsService to authenticate a user against a MySQL table that has a username and encrypted password
• UI is written in JSF/Facelets and uses Hibernate JPA implementation for all CRUD operations to MySQL

Answer 1

I've done a reverse migration once, from Sun Access Manager to plain Spring Security.

From what I've seen in legacy AM access code, your problem may be solved with single custom Spring Security filter, that accesses AM for authentication and authorization using this API (link may be outdated). So customer will be able to manage users and roles in Access Manager, but no architectural changes will be required for application itself.

AM access snippet (not tested):

SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
AMIdentityRepository repo = new AMIdentityRepository(adminToken, "realm_name");
IdSearchResults res = rep.searchIdentities(IdType.USER, uid, new IdSearchControl());

I've never done such integration myself, so maybe more proper ways exist.