StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POSpring Security and logging in from another site without reentering credentials
primarykey
Id
20398895
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
4
CommunityOwnedDate
CreationDate
2013-12-05T11:33:41.287
FavoriteCount
0
LastActivityDate
2013-12-12T12:00:49.140
LastEditDate
2017-05-23T12:29:15.337
LastEditorUserId
-1
OwnerUserId
1966859
ParentId
0
PostTypeId
1
Score
0
ViewCount
1084
LastEditorDisplayName
text
Body
As the title of the post says, I'm integrating Spring Security in my already working Spring MVC web app and I need that other site's users can open a link from that site to mine and be already logged in, without the hassle of reentering the user name and the password and without causing the other web site's developer to change too many things. The users will always log in first on the other site and then come to mine, but never the other way around. Both web applications are for internal use of a single company, with no access to the hosting servers from any outsider network, and both sites can access the same user database. Despite being this scenario quite secure (not public web sites) I need the solution to be as safe as possible. There are several approches I've seen after searching for some time: <ol> <li>Single Sign On solution, being CAS the most mentioned. However, all examples of this that I've seen so far require the user to reenter credentials, which I want to avoid.</li> <li>Use a token generator in a three-step-handshaking process involving web services, like stated in this post <a href="https://stackoverflow.com/questions/351873/passing-credentials-between-sites">Passing credentials between sites</a></li> <li>Encrypt user and password credentials and send them through the URL itself</li> </ol> As I told you I need the safest and simplest way to do this, considering the above explanations. I would also appreciate some code about the solution (mostly bean configuration in Spring Security and services/java classes to deal with this). Thanks!! EDIT : I found a different and simpler approach to solve my particular case. The main web page where users log in can redirect to mine doing a POST request that should include a parameter "login". Then I only have to get this parameter and force this user to be authenticated within the security context. I'll post the code but I'm still having one issue, just keep reading till the end: Web.xml <pre><code><?xml version="1.0" encoding="UTF-8"?> <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/applicationContext.xml /WEB-INF/applicationContext-security.xml </param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <servlet> <servlet-name>dispatcher</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>dispatcher</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>/WEB-INF/log4j.properties</param-value> </context-param> <listener> <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class> </listener> <session-config> <session-timeout> 1 </session-timeout> </session-config> <welcome-file-list> <welcome-file>redirect.jsp</welcome-file> </welcome-file-list>  <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </web-app> </code></pre> applicationContext-security.xml <pre><code><?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">  <http use-expressions="true"> <intercept-url pattern="/ShowDocuments" access="permitAll"/> <intercept-url pattern="/AddDocForm" access="hasRole('ROLE_ADMIN')"/> <access-denied-handler error-page="/AccessDenied"/> <http-basic/> <session-management> <concurrency-control expired-url="/sessionExpired.html"/> </session-management> </http> <authentication-manager></authentication-manager> </beans:beans> </code></pre> As you can see the AddDocForm is only accessible for admin users. In order to test if all of this works I need some way to force the security context to have any user authenticated. This is the java code I've used: <pre><code>public boolean loginUser() { boolean success = true; List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER"); UserDetails userDetails = new User(usuario.getLogin(), "undefined", authorities); Authentication authentication = new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(), userDetails.getAuthorities()); SecurityContextHolder.getContext().setAuthentication(authentication); return success; }//END_METHOD </code></pre> This method will authenticate one user with authority ROLE_USER. Therefore, access to AddDocForm shouldn't be allowed. This is the procedure I follow: <ol> <li>I load the main page as if it was loaded from another site.</li> <li>The controller that handles this performs a ROLE_USER authentication before loading the main page.</li> <li>From there I try to access AddDocForm and.... yes, the AccessDenied page is shown.</li> </ol> However, whenever the user's session expires (or at least that's what I think is happening) my Firefox browser araises a credentials pop up window like this: <img src="https://i.stack.imgur.com/vSiti.png" alt="credetentials pop-up window"> As I didn't want this to happen I added the <code><session-management> <concurrency-control expired-url="/sessionExpired.html"/></session-management></code> line of code to avoid it, but keeps happening. Does anybody have a clue on this?
Tags
<java><spring-mvc><spring-security>
Title
Spring Security and logging in from another site without reentering credentials
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USHauri
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. This table or related slice is empty.
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.