I have a web application and two domains for it - example.com and example.ru
example.com - for international users
example.ru - for the local country
My web app usin
As mentioned, you need a single sign-on solution. Cloudseal provides a Spring Security extension which includes a Spring namespace, so you just need to do something like:

    <security:http entry-point-ref="cloudseal">
        <security:intercept-url pattern="/protected/user.do" access="IS_AUTHENTICATED_FULLY" />
        <security:intercept-url pattern="/protected/admin.do" access="ROLE_ADMIN" />
    </security:http>

    <cloudseal:sso endpoint="http://cloudseal.com" entry-point-id="cloudseal" app-id="quickstart">
        <cloudseal:keystore location="WEB-INF/keystore.jks" password="nalle123">
            <cloudseal:key name="apollo" password="nalle123" />
        </cloudseal:keystore>
        <cloudseal:metadata location="WEB-INF/idp.xml" />
    </cloudseal:sso>

See www.cloudseal.com/platform/spring-security-single-sign-on
It's impossible without modifying Spring Security code. I did it some time ago, but it is very hard to maintain.
CAS is the easiest way to do this in the Java world. http://www.jasig.org/cas
While this type of functionality is by no means trivial to achieve, it is in fact possible without modifying Spring.
The actual code is too large to post, so I'll try to outline the basic principle and leave the coding to you.
1. Extend SavedRequestAwareAuthenticationSuccessHandler and implement functionality to serialize and write the Authentication object to a session cookie with a global scope. See the documentation for the authentication-success-handler-ref attribute in Spring's <sec:http> tag for more information on how to wire this up. (Note: if the problem were SSO across multiple web apps on the same domain, you could of course limit the cookie scope to the current domain.)

2. In web.xml, add a <filter> definition named springSecurityFilterChain with class org.springframework.web.filter.DelegatingFilterProxy and a <filter-mapping> for the filter with a URL pattern of /*. You don't have to create the actual bean; Spring Security provides a default implementation for you.

3. In web.xml, add a <filter> definition named singleSignonAuthenticationFilterChain with class org.springframework.web.filter.DelegatingFilterProxy and a corresponding <filter-mapping> for the filter with a URL pattern of /*.

4. Create a bean named singleSignonAuthenticationFilterChain, which should point to a class that implements Filter. In the doFilter() method, check if there is a session attribute called SPRING_SECURITY_CONTEXT. If there is, then we are already logged in. Otherwise, take the serialized Authentication token, deserialize it and use SecurityContextHolder.getContext().setAuthentication(authentication) to authenticate the user with Spring. Also remember to call session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext()), or the authentication will take place on every request, which is unnecessary.

A twist to (4) is that if you find out that there is no attribute called SPRING_SECURITY_CONTEXT, it could be because the user has just logged out from the current web application. In this case he must be logged out globally, so you want to remove the cookie containing the serialized authentication token.
It's kind of complex to write up in a one page summary, but I hope you get the general idea. We currently have this implemented in a complex application consisting of multiple web applications, and it works nicely.
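A hypothetical implementation of the filter bean from step 4 of the answer above, added here as an example and not the answerer's code. It assumes a cookie named SSO_AUTH, an HMAC key shared by the participating applications, and that the cookie somehow reaches both applications (the answer leaves that open); instead of Java-serializing the Authentication object, which would mean deserializing bytes the browser controls, the cookie carries the username and roles plus an HMAC that is verified before any Authentication is created.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
import org.springframework.web.util.WebUtils;

// Hypothetical filter for step 4. Cookie value: "user|ROLE_A:ROLE_B|base64url(HMAC-SHA256)".
public class SingleSignonAuthenticationFilter extends GenericFilterBean {
    static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT", COOKIE_NAME = "SSO_AUTH";
    private final byte[] hmacKey; // assumed shared secret, e.g. injected from configuration
    public SingleSignonAuthenticationFilter(byte[] hmacKey) { this.hmacKey = hmacKey; }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(CONTEXT_KEY) == null) { // not yet logged in here
            Authentication auth = authenticationFromCookie(request);
            if (auth != null) {
                SecurityContextHolder.getContext().setAuthentication(auth);
                // cached in the session so the cookie is not re-verified on every request
                request.getSession(true).setAttribute(CONTEXT_KEY, SecurityContextHolder.getContext());
            }
        }
        chain.doFilter(req, res);
    }
    // Returns null when the cookie is absent, malformed, or its MAC does not verify.
    Authentication authenticationFromCookie(HttpServletRequest request) {
        Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
        if (cookie == null) return null;
        try {
            String[] p = cookie.getValue().split("\\|", -1);
            if (p.length == 3 && MessageDigest.isEqual(hmac(p[0] + "|" + p[1]),
                    Base64.getUrlDecoder().decode(p[2]))) // constant-time comparison
                return new UsernamePasswordAuthenticationToken(p[0], null,
                        AuthorityUtils.createAuthorityList(p[1].split(":")));
        } catch (IllegalArgumentException | GeneralSecurityException e) { /* invalid base64url or MAC setup */ }
        return null;
    }
    private byte[] hmac(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
}
```

The cookie should additionally be set with the Secure and HttpOnly flags by the success handler that writes it, since anyone holding a valid cookie value is logged in on every participating application.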