Java – How tomplement SSO on existing tomcat web application

javasingle-sign-onspringtomcat7

I have a tomcat 7 setup with oldApp.war and newApp.war deployed on it. Both the applications share the same login credentials for users on the database.

I can access the apps using https://localhost/oldApp and https:localhost/newApp respectively.

My oldApp is a Spring MVC java application and when the user is logged into the oldApp I want to have a link which will take the user into the newApp without asking for the login credentials.

I want to know how to implement SSO to do this. I preferably don't want to run any external service to handle this.

Thanks in advance.

Best Answer

Update: Its 2018 and the below info is out of date. If you’re starting a new application then use a federated identity protocol like Open ID Connect and you’ll get SSO for free.

There are a few approaches you could take:

You could use Tomcat for authentication and use Tomcat's single sign on capabilities. If you're currently using Spring to authenticate the user you may need to change some things. Also, depending on how you're doing authentication, Tomcat's authentication may not be configurable enough.
You could setup a third, CAS, servlet (or something similar), which both web applications authenticate against.
You could set this up yourself using Spring and pre-authenticated filters. You would basically have to write your own pre-authenticated filter which checked some location that both servlets had access to (database?, shared context?) for existing credentials before falling back to old authentication methods. You'll want to make sure to clear this authentication in a filter somewhere so the next request doesn't get to automatically inherit the previous requests credentials.

Related Solutions

SSO with CAS or OAuth

OpenID is not a 'successor' or 'substitute' for CAS, they're different, in intent and in implementation.

CAS centralizes authentication. Use it if you want all your (probably internal) applications to ask users to login to a single server (all applications are configured to point to a single CAS server).

OpenID decentralizes authentication. Use it if you want your application to accept users login to whatever authentication service they want (the user provides the OpenID server address - in fact, the 'username' is the server's URL).

None of the above handle authorization (without extensions and/or customization).

OAuth handles authorization, but it is not a substitute for the traditional 'USER_ROLES table' (user access). It handles authorization for third-parties.

For example, you want your application to integrate with Twitter: a user could allow it to tweet automatically when they update their data or post new content. You want to access some third-party service or resource on behalf of a user, without getting his password (which is obviously unsecure for the user). The application asks Twitter for access, the user authorizes it (through Twitter), and then the app may have access.

So, OAuth is not about Single Sign-On (nor a substitute for the CAS protocol). It is not about you controlling what the user can access. It is about letting the user to control how their resources may be accessed by third-parties. Two very different use-cases.

To the context you described, CAS is probably the right choice.

[updated]

That said, you can implement SSO with OAuth, if you consider the identity of the user as a secured resource. This is what 'Sign up with GitHub' and the likes do, basically. Probably not the original intent of the protocol, but it can be done. If you control the OAuth server, and restrict the apps to only authenticate with it, that's SSO.

No standard way to force logout, though (CAS has this feature).

Java – Implement SSO using CAS + Spring Security

The problem is finally solved. My CAS is using HTTP and therefore need to set secure cookies to false.

Modify ticketGrantingTicketCookieGenerator.xml

p:cookieSecure="false"

Best Answer

Related Solutions

SSO with CAS or OAuth

Java – Implement SSO using CAS + Spring Security

Related Topic