Reputation: 2538
I am currently working on Spring Security 4 and everything works fine using the default configuration. However, as I host the Spring web application on one machine (192.168.0.1) and the HTML server on another (192.168.0.2), how can I configure Spring Security to authorize using a login form on 192.168.0.2?
Spring Security configuration:
<http use-expressions="true" auto-config="true">
    <form-login default-target-url="http://192.168.0.2/home.html"/>
</http>
Currently, in the login form on 192.168.0.2, I use
<form method="post" action="http://192.168.0.1:8080/xxx/login">
<input type="text" required name="username"/>
<input type="password" required name="password"/>
<button type="submit">Sign in</button>
</form>
On 192.168.0.2, the user can pass the authorization. However, I cannot find any JSESSIONID in the cookies on 192.168.0.2, or anything relevant.
My question is, what kind of information should I include in the follow-up Ajax request in order to let Spring Security know who I am?
BTW, if my authorization fails, the browser will be redirected to 192.168.0.1/xxx/login. How can I stay on my custom login page?
Thanks.
Upvotes: 0
Views: 1402
Reputation: 10633
To make things simpler, let's say you have two machines named:
AppIp : 192.168.0.1
StaticIp : 192.168.0.2
Now when you load the form in the browser it hits StaticIp, which in turn submits to AppIp.
Here's what's happening. When you submit the form to AppIp, it returns the JSESSIONID (or any other cookie) to be set for AppIp. So the browser does the same: it sets the cookie for AppIp, not StaticIp.
One domain (like google.com) can read/write only its own cookies. The browser won't set a cookie sent by Google for Facebook.
That's why you can't see the cookies in StaticIp resources; if you load AppIp you would be able to see the cookies in its resources.
The solution is to have a proxy server in front of both servers, for example Apache HTTPd or NGINX.
Now suppose that the proxy server is ProxyIp and the configuration is done as follows:
ProxyIp/static maps to http://192.168.0.2/ (or http://AppIp/)
ProxyIp/app maps to http://192.168.0.1/ (or http://StaticIp/)
So now the form URL becomes http://ProxyIp/static/home.html and the /login URL would become http://ProxyIp/app/xxx/login.
Now for the browser there's only one domain, ProxyIp, and it would be able to set the cookies for both of the mapped servers.
Note: You can't send normal cross-domain Ajax requests. The browser will block all such attempts. Ajax requests can only be sent to the domain which loaded the HTML in which the Ajax script was executed. It can be done with some configuration for CORS, but that's too much pain and sweat.
Upvotes: 2
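The proxy layout described in the answer, written out as an nginx configuration. This is an added example, not the answer's or the Spring project's own configuration; it assumes the Spring app listens on 192.168.0.1:8080 under context path /xxx (as in the question's form action), the static server on 192.168.0.2:80, and an assumed hostname proxy.example.internal standing in for ProxyIp.

```nginx
# Added example, not from the answer or the Spring project: one nginx reverse
# proxy standing in for "ProxyIp", so the browser sees a single origin and the
# JSESSIONID issued by the Spring app is scoped to that origin.
# Assumptions: Spring app on 192.168.0.1:8080 with context path /xxx (as in the
# question's form action); static HTML server on 192.168.0.2:80.
server {
    listen 80;
    server_name proxy.example.internal;   # assumed hostname for ProxyIp

    # Static HTML (login form, home.html) -> StaticIp
    location /static/ {
        proxy_pass http://192.168.0.2/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Spring application -> AppIp; /app/xxx/login is sent upstream as /xxx/login
    location /app/ {
        proxy_pass http://192.168.0.1:8080/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Host is deliberately left at nginx's default ($proxy_host, i.e.
        # 192.168.0.1:8080), so the app builds absolute redirect URLs as
        # http://192.168.0.1:8080/xxx/... and proxy_redirect below can
        # rewrite them onto the /app/ prefix.

        # Tomcat sets JSESSIONID with Path=/xxx; the browser would never send
        # it back with requests to /app/xxx/..., so rewrite the Path attribute.
        proxy_cookie_path /xxx /app/xxx;

        # Spring Security redirects (failed login, expired session) must keep
        # the browser on the proxy origin rather than on AppIp directly.
        proxy_redirect http://192.168.0.1:8080/ /app/;
    }
}
```

With this in place the form action becomes /app/xxx/login and default-target-url becomes /static/home.html, so every URL the browser sees lives on the one proxied origin.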