Reputation: 6248
I know it's a common question, but I did not find any suitable solution for my requirement. Sorry for posting a similar question.
We have one web application (Spring Security enabled) which takes care of the user login mechanism. And then we have many other web applications (Spring Security enabled) which are accessed through hyperlinks in the first application. However, the other applications have their own user base, but I am planning to use LDAP for centralizing the user base. How to achieve SSO in this scenario without SAML? Please clarify. If I go with SAML, then will it help in my case?
Many thanks
Upvotes: 3
Views: 1633
Reputation: 2699
Disclaimer: I'm the Chairman of CAS and founder of CAS in the cloud (https://www.casinthecloud.com).
It's hard to safely recreate an SSO in your case. I would go for an existing solution (like CAS) with which Spring Security easily integrates.
Upvotes: 1
Reputation: 2939
Theoretically you need a federation mechanism like SAML to make sure applications are secure enough. OAuth will be one option as long as you have a central auth server to validate the key.
You can implement some simple tricks if you are trying to protect relatively less sensitive/valuable resources.
For example, Spring will recognize a user as long as you set an Authentication in SecurityContextHolder. It can be done programmatically too.
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Stores the given Authentication in the current thread's security context
public static void setUserAuthentication(Authentication authentication) {
    SecurityContextHolder.getContext().setAuthentication(authentication);
}
Now, as long as you create an Authentication object with a principal and authorities, Spring Security authorizes access to the protected resource. You may need to create a controller (a simple FederationController) to do this task.
The FederationController in every application can accept two parameters: a secure key and a redirect URL. The secure key needs to be generated by whoever authenticates the user with credentials (here, the first application where the user logged in). The FederationController can verify this key, set the authentication object in SecurityContextHolder, and then redirect to the protected resource.
If you need central logout, that is even more complicated.
Upvotes: 1
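The FederationController sketched in the answer above, written out as an added example (it is not code from the original post). It assumes Spring Security 5 on the javax servlet API, a shared secret provisioned to both the login application and this one (placeholder value below), and a constructed key format of base64url(user:expiryMillis:role1,role2) followed by "." and a base64url HMAC-SHA256 over that first part; the verifier, the expiry check and the relative-only redirect check are the pieces the answer leaves to the reader.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class FederationController {
    // Placeholder: in practice provisioned out of band to the login app and every federated app.
    private static final byte[] SHARED_SECRET = "REPLACE_WITH_PROVISIONED_SECRET".getBytes(StandardCharsets.UTF_8);
    private final HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();

    // Assumed key format: base64url(user:expiryMillis:role1,role2) + "." + base64url(HMAC-SHA256 of the first part)
    @GetMapping("/federate")
    public String federate(@RequestParam("key") String key, @RequestParam("redirect") String redirect,
                           HttpServletRequest req, HttpServletResponse res) throws Exception {
        String[] parts = key.split("\\.", 2);
        if (parts.length != 2) return "redirect:/login?error=badkey";
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SHARED_SECRET, "HmacSHA256"));
        byte[] expected = mac.doFinal(parts[0].getBytes(StandardCharsets.US_ASCII));
        // Constant-time comparison so signature checking does not leak timing information.
        if (!MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(parts[1]))) return "redirect:/login?error=badkey";
        String[] fields = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8).split(":", 3);
        // Reject expired keys; a production version should also make each key single-use (nonce store) to stop replay.
        if (fields.length != 3 || Long.parseLong(fields[1]) < System.currentTimeMillis()) return "redirect:/login?error=expired";
        List<SimpleGrantedAuthority> auths = Stream.of(fields[2].split(",")).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
        Authentication auth = new UsernamePasswordAuthenticationToken(fields[0], null, auths); // 3-arg ctor marks it authenticated
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
        repo.saveContext(ctx, req, res); // persist to the HTTP session so later requests stay authenticated
        // Only local, relative targets are honoured, which closes the open-redirect hole in a raw redirect parameter.
        if (!redirect.startsWith("/") || redirect.startsWith("//")) redirect = "/";
        return "redirect:" + redirect;
    }
}
```

The login application mints the key with the same HMAC routine and a short expiry, and since the user is re-authenticated per application, the central-logout problem the answer mentions remains: each session must be invalidated separately.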