Java – spring security, tomcat, getRemoteUser method

From Spring Documentation:

The @Repository annotation is a marker for any class that fulfils the role or stereotype of a repository (also known as Data Access Object or DAO). Among the uses of this marker is the automatic translation of exceptions, as described in Exception Translation.

Spring provides further stereotype annotations: @Component, @Service, and @Controller. @Component is a generic stereotype for any Spring-managed component. @Repository, @Service, and @Controller are specializations of @Component for more specific use cases (in the persistence, service, and presentation layers, respectively). Therefore, you can annotate your component classes with @Component, but, by annotating them with @Repository, @Service, or @Controller instead, your classes are more properly suited for processing by tools or associating with aspects.

For example, these stereotype annotations make ideal targets for pointcuts. @Repository, @Service, and @Controller can also carry additional semantics in future releases of the Spring Framework. Thus, if you are choosing between using @Component or @Service for your service layer, @Service is clearly the better choice. Similarly, as stated earlier, @Repository is already supported as a marker for automatic exception translation in your persistence layer.

We can implement the SSO between traditional web application and non web based application like the RESTful web services. This example shows the sample code for implementing the SSO between web application and RESTful web services. The following is the configuration in the spring-security.xml file

<security:http create-session="never" use-expressions="true" 
                   auto-config="false" 
                   entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" >

        <security:intercept-url pattern="/**" access="permitAll"/>
        <security:intercept-url pattern="/admin/**" access="hasRole('tomcat')"/>
        <security:intercept-url pattern="/**" access="hasRole('tomcat')"/>
        <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter"/>
        <!-- Required for Tomcat, will prompt for username / password twice otherwise -->
        <security:session-management session-fixation-protection="none"/>
    </security:http>

    <bean id="preAuthenticatedProcessingFilterEntryPoint"
                class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <bean id="preAuthFilter"
                class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="appControlAuthenticationManager"/>
        <property name="authenticationDetailsSource"
                        ref="j2eeBasedPreAuthenticatedWebAuthenticationDetailsSource"/>
    </bean> 

    <security:authentication-manager alias="appControlAuthenticationManager">
        <security:authentication-provider ref="preAuthenticatedAuthenticationProvider"/>
    </security:authentication-manager>

    <bean id="preAuthenticatedAuthenticationProvider"
                class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService" ref="inMemoryAuthenticationUserDetailsService"/>
    </bean>

    <bean id="j2eeBasedPreAuthenticatedWebAuthenticationDetailsSource"
                class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
        <property name="mappableRolesRetriever" ref="webXmlMappableAttributesRetriever"/>
        <property name="userRoles2GrantedAuthoritiesMapper" ref="simpleAttributes2GrantedAuthoritiesMapper"/>
    </bean>

    <bean id="webXmlMappableAttributesRetriever"
                class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"/>

    <bean id="simpleAttributes2GrantedAuthoritiesMapper"
                class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
        <property name="attributePrefix" value=""/>
    </bean>

    <bean id="inMemoryAuthenticationUserDetailsService"
                class="com.org.InMemoryAuthenticationUserDetailsService"/> 

The above code is in the web application. Also the same code can be in the REST project's spring security xml file. Add the following code into the web.xml file:

<security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>

        <user-data-constraint>
            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

The above code should be only in the normal web application. Then enable the SSO valve in the tomcat's server.xml file. Tomcat uses the cookie based SSO login. The session ids are stored in the cookies. If your browser disabled the cookie, then SSO will not work.

Hope this explanation helps.