File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes JForum and the fly likes SSO in a Spring Application Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » JForum
Bookmark "SSO in a Spring Application" Watch "SSO in a Spring Application" New topic

SSO in a Spring Application

Migrated From
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424

I am sure this is a common issue but I can't find a good example to follow.

I am trying to integrate Jforum in my website, which uses Spring security framework. I have been having a look at SSO with cookie and request.getRemoteUser.

I don't understand how to use getRemoteUser because my website and Jforum are different applications. If I am not wrong, they cannot share the request, so how is it possible to read the username from Jforum being set from my application by Spring Security framework?

I don't like the idea of using a cookie, but I think I'd have the same problem. Two different apps cannot share a cookie. That would be a security issue.

Can anyone give a clue to start from please?



[originally posted on by alexcuesta]
Migrated From
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424

Did you ever find a solution to this? I have been trying to solve this for some days now with no luck (integrating SSO between an Appfuse/Spring Acegi Security Web Application with JForum). Have ready every single SSO post on this forum and still not closer..
Any help will be much appreciated..

Possible solutions are:
Cookie Solution
Firstly, 2 different apps can share the same cookie (providing they come from the same domain, trick is to set the path to / or something like that). I tried this approach (ie. my main application created a cookie with username set to the logged in user) and created my own custom JForum SSO Class. This worked perfectly (and for new Users the JForum User/Profile records were created as expected)... However, I found 1 little security flaw in this approach, the user can manually modify the username in the main Web App Cookie (using a Firefox plugin for example) and this would allow them to submit posts under different users)... Can this little flaw be avoided or did I miss something? If so any help appreciated as I abandoned the cookie approach due to this..

Tomcat Realms
This would seem the obvious choice if you are using Tomcat (to share request.getRemoteUser() between apps), however cant seem to figure out how to integrate Tomcat Realms into an Acegi App..
Google doesnt help much, and the Acegi/Tomcat Realms link seems broken..

Documentation for configuring SSO and Realms in Tomcat is here..(Turning on the Tomcat SSO Valve is easy of course, but for me its not clear how to configure the Realm using Acegi, anyone?).

Not sure the web.xml <security-role> code works with ACEGI...

Use CAS or another SSO Tool
Have found a few web pages suggesting to use CAS for SSO.. Havent investigated this,, seems a bit of an overkill..


[originally posted on by fk314]
I agree. Here's the link:
subject: SSO in a Spring Application
It's not a secret anymore!