java - Spring Security + Tomcat SSO

Answer 1

CAS Most SSOs now use CAS solutions. You can research it.

---

SSO flow chart
SSO uses cookie 来实现的。简单来说就是登录之后将认证信息存放在 cookie 中。当有app请求时可以先在自己的应用中校验是否登录。如果未登录将跳转至认证系统，此时认证系统检测cookieinformation. If there is login information, jump back to the request system.

Answer 2

Thanks to @kevinz for his advice, here’s how I do it now:

Each APP uses Tomcat JDBCRealm for authentication (Authentication), but uses Spring Security for authorization. Both are based on the same user information database.

1. Open SSO in Tomcat -- this is very important, otherwise when accessing other webapps in the same domain, cookies will not be brought and authentication will not be possible

2. In each webapp, configure Web.xml to use Tomcat for authentication -- if Spring is used for authentication, Tomcat's SSO will not work

3. In each webapp, configure spring and use J2eePreAuthenticatedProcessingFilter for permission control (Authorization)

Configuration in spring.xml

    <bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <constructor-arg name="strength" value="11" />
    </bean>

       <bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <security:http auto-config="false" use-expressions="true" entry-point-ref="forbiddenEntryPoint">
        <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter"/>
        <security:intercept-url pattern="/index/**" access="hasAnyRole('ROLE_SUPER')" />
        <security:session-management session-fixation-protection="none"/>
        <security:csrf disabled="true"/>
    </security:http>

 
    <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="throwExceptionWhenTokenRejected" value="true"/>
        <property name="preAuthenticatedUserDetailsService">
           <bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="nosUserDetailsService" />
        </bean>
        </property>
    </bean>
    


    <bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <bean id="webXmlMappableAttributesRetriever" class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"/>
    
    <bean id="simpleAttributes2GrantedAuthoritiesMapper" class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
        <property name="attributePrefix" value=""/>
    </bean>

    <bean id="j2eeBasedPreAuthenticatedWebAuthenticationDetailsSource" class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
        <property name="mappableRolesRetriever" ref="webXmlMappableAttributesRetriever"/>
        <property name="userRoles2GrantedAuthoritiesMapper" ref="simpleAttributes2GrantedAuthoritiesMapper"/>
    </bean>
    
    <bean id="preAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationDetailsSource" ref="j2eeBasedPreAuthenticatedWebAuthenticationDetailsSource"/>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="preauthAuthProvider"/>
    </security:authentication-manager>