Two Grails apps both using springSecurity, login once to access both - grails

I have an old Grails application (e.g. one-app) that uses springSecurity for logins. I created a new Grails app (two-app) that uses multiple databases (the DB from one-app and a new one). I am deploying both using Tomcat:
ip.addr.10.10/one-app
ip.addr.10.10/two-app
My question is: I want to have access to both applications by logging in only once. Basically if the user logs in on either application, he would also have access to the other application without logging in again.
Is this possible? Thanks.

Yes, it is possible. You need to use SSO. Currently I use JOSSO for my grails applications (http://www.josso.org) combined with Spring Security.

You can configure RememberMe with exactly the same configuration for both apps. After a user logs into either application, Spring Security will set up a special cookie that can be reused by the other app (meaning the user is authorized in the other app as well).
See docs for Remember Me - http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/9%20Authentication.html#9.3%20Remember-Me%20Cookie
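Why "exactly the same configuration" matters: Spring Security's TokenBasedRememberMeServices cookie is base64("username:expiryMillis:MD5hex(username:expiry:password:key)"), so a second app can only accept a cookie minted by the first if it derives the same signature, which requires the same remember-me key and the same password column (both apps share one-app's database here). The Python model below is an added example, not code from the answer or from Spring Security; the user table and key strings are constructed. The constant-time comparison is a hardening choice of this example, not something the reference implementation is claimed to do.

```python
import base64
import hashlib
import hmac
import time

# Constructed stand-in for the user table both apps read (two-app uses one-app's DB).
# The values are whatever the password column holds (hashes here, made up).
USERS = {"alice": "$2a$10$constructed-hash-for-alice", "bob": "$2a$10$constructed-hash-for-bob"}


def make_signature(username, expiry_ms, password, key):
    """MD5 hex over "username:expiry:password:key", the formula Spring Security's
    TokenBasedRememberMeServices uses for the remember-me token signature."""
    data = f"{username}:{expiry_ms}:{password}:{key}".encode()
    return hashlib.md5(data).hexdigest()


def issue_cookie(username, key, validity_seconds=14 * 24 * 3600, now_ms=None):
    """Cookie value one app sets after a successful login:
    base64("username:expiryMillis:signature"), padding stripped as Spring does."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    expiry_ms = now_ms + validity_seconds * 1000
    sig = make_signature(username, expiry_ms, USERS[username], key)
    raw = f"{username}:{expiry_ms}:{sig}".encode()
    return base64.b64encode(raw).decode().rstrip("=")


def validate_cookie(cookie, key, now_ms=None):
    """What the *other* app does on a request carrying the cookie: returns the
    username if the token verifies under this app's key, otherwise None."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        padded = cookie + "=" * (-len(cookie) % 4)   # restore the stripped padding
        token = base64.b64decode(padded, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None                                   # not a well-formed token
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expiry_ms, sig = parts[0], int(parts[1]), parts[2]
    if expiry_ms < now_ms:
        return None                                   # token expired
    password = USERS.get(username)
    if password is None:
        return None                                   # unknown user in the shared store
    expected = make_signature(username, expiry_ms, password, key)
    if not hmac.compare_digest(expected, sig):
        return None                                   # wrong key, tampered, or password changed
    return username


if __name__ == "__main__":
    shared = "key-configured-identically-in-both-apps"
    cookie = issue_cookie("alice", shared)
    print("one-app issued:", cookie)
    print("two-app, same key:     ", validate_cookie(cookie, shared))
    print("two-app, different key:", validate_cookie(cookie, "some-other-key"))
```

Two consequences follow from the format: a password change or a different key invalidates the cookie everywhere (which is the intended behaviour), and the cookie must actually reach the second app. In Spring Security 3.x, AbstractRememberMeServices scopes the cookie to the servlet context path by default, so with one-app and two-app deployed as separate contexts on the same host the browser would not send one app's cookie to the other unless the cookie path is widened to "/".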

A 3rd option would be to use the same OpenID provider for both applications.

One other approach would be to drop cookies which can be read by both applications.

Related

Is it possible in Spring Security to use form login if CAS is not available?

everybody!
In my project I use SSO with CAS. But what if the CAS-server is down?
I want a user to be able to login with a simple login/password form when CAS is not available.
Is it possible to configure Spring Security that way?
What should I do to achieve this?
Given that you use SSO and want to use Spring Security as a backup when CAS is down, I am trying to understand how the SSO part will work with Spring Security. You can certainly implement your own version of single sign-on with Spring Security using OAuth2 services or your own implementation. If you did implement something like that, it brings up the question of redundant SSO services, managing them and maintaining them.
CAS, to my understanding, is primarily used for SSO purposes and has its own set of configuration. I am sure you would have CASified your application for this purpose as well.
If the CAS server being down is an issue, I would suggest setting up a backup or standby for the CAS server, or building your own single sign-on solution. I am trying to say that "either or" is more recommended than "having both".

How to turn a Rails app with Devise into a SSO/CAS server?

I realized from a previous question that I had been asking the wrong question...I would like to turn my application into a CAS server so that admins of the application may use this same authentication mechanism to log into other applications that we develop for the organization.
Have you done this before? Is there a plugin which adds the ability to Devise to be able to act as a CAS server? What do I need to change/add in order to turn the app into a CAS server?
Check this similar question, which explains Rails 4 issues with the devise_cas_authenticatable gem.
For the server, you may use CASino; it looks very clean. Check its installation guide.
OR
An alternative solution: if both apps are on the same domain and they share the same database, you can simply modify the session cookie to be universal for all subdomains of your specified domain.

Problems while implementing SSO with Spring Security CAS extension

I'm trying to use the Spring Security CAS extension to authenticate users on my applications. Earlier there was only one application, so SSO was not needed. Now there is one more application and I want the user to log in once and use all the applications without having to go through authentication again (SSO, basically). I have a bunch of questions, like these:
All the applications I have are part of a single tomcat container and will be served via same domain. I checked Tomcat SSO Valve, but it seems to need container based authentication, I'm not really sure if I would want to use that for authentication / authorization. I'm using spring security form-based login. Do I really need something like Jasig CAS or will it be an overkill?
Spring Security and CAS deployerContext Configuration - http://pastie.org/8408976 and http://pastie.org/8408967
I set up Spring Security CAS with the Jasig server and SSO seems to work, as logging in to any of the applications suffices to access the other application. I've modified deployerConfigContext.xml to replace the inMemoryServiceRegistryDaoImpl with the JPA / Hibernate one. But I always see the line below in my logs, though the tables have been created (SERVICETICKET and so on) in my db. These tables are always empty when I try logging in and out.
2013-10-17 16:41:18,882 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 0 services.>
When I try to access the URL https://localhost/cas/services, it returns the error "This website has a redirect loop", and I see the piece below repeating n number of times in the logs (with different ticket numbers):
http://pastie.org/8408940
I don't have any REST or stateless services accessing authenticated resources, do I need proxy tickets at all?
Note: I'm using Spring Security 3.1.4.RELEASE and CAS server 3.5.2 version.
Any pointers will be helpful.
I set up Spring Security CAS with the Jasig server and SSO seems to work, as logging in to any of the applications suffices to access the other application. I've modified deployerConfigContext.xml to replace the inMemoryServiceRegistryDaoImpl with the JPA / Hibernate one. But I always see the line below in my logs, though the tables have been created (SERVICETICKET and so on) in my db. These tables are always empty when I try logging in and out.
When I try to access the URL `https://localhost/cas/services`, it returns the error "This website has a redirect loop", and I see the piece below repeating n number of times in the logs (with different ticket numbers)
I figured out the solution to this. This was happening because filterProcessesUrl in the CAS server configuration had the string "acegi" (the old name for Spring Security), which didn't match "spring", hence the problem. Modifying that helped. Not sure why the old name was hardcoded there. Also, it didn't pick up this string from cas.properties, so figuring it out was a little more difficult.
I hope to get answers for other questions.

Sharing session (or cookie) using Grails acegi plugin

Is it possible for two different Grails projects, also having different domains, to share a session/cookie?
Let's say I have 2 sites: www.mycompany.com and www.othercompany.com. Assume that both sites have the same domains, and the same database and records too. What I want to know is if this code:
authenticateService.userDomain()
or even the
authenticateService.isLoggedIn()
will behave and return exactly the same object/result whether it is called from either site.
Basically, what we need is a solution for sharing/identifying the logged-in user between two different sites. I need more details on how to implement this using acegi 0.5.2 and Grails 1.2.1.
Hoping for any leads on this. Thank you.
Regarding cross-domain authentication, the only thing that comes to mind is using a single-sign-on service. There are a few open-source SSO implementations available, among them:
CAS
OpenSSO
Josso
Tomcat also has a SingleSignOn valve
This list is by far not complete. Speaking of CAS, it definitely works with Grails and Acegi.

Single Account for Multiple Application login in Rails

I'm building some applications using rails.
All apps use the restful auth plugin for the user base and the declarative authorization plugin for authorization rules.
But I need to merge all sites' user accounts into one user base to provide login for all sites.
I.e. like 37signals does. Here is their work:
http://37signals.com/accounts
How can I achieve this? Any suggestions are welcome.
Thanks
A.Karr
From studying how 37signals was doing stuff, I think they're using RubyCAS: http://github.com/gunark/rubycas-server
It's perfect for single sign-on, single sign-off and other related stuff when you have multiple independent applications. Also, because CAS is a generic protocol, it exists for non-Ruby/Rails applications too. So you can integrate legacy systems or client applications in Java etc.
I started building a set of how-tos on the subject here:
http://rubyglasses.blogspot.com/2009/12/rails-single-sign-on-with-rubycas.html
Have you thought about using OpenID?
If all your apps run on the same domain you shouldn't have any problems accessing the authentication cookie in all the apps, but you'll need to store the authentication state somewhere where all the applications can access it.
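The cookie-sharing answers on this page (the Rails answer that widens the session cookie to all subdomains, the answer just above about apps on the same domain, and the Grails question's /one-app and /two-app contexts on one host) all turn on one question: will the browser attach the cookie to a request for the second app? The script below is an added example, not code from any post; it applies RFC 6265 domain-matching and path-matching to constructed Set-Cookie headers, and the host names and cookie names are made up. A missing Path= is simplified to "/" (a browser derives it from the request URI).

```python
from http.cookies import SimpleCookie


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match: the host is the cookie domain itself or
    ends with "." + cookie domain. A leading dot on Domain= is ignored."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match. Note "/one-app" does not cover "/one-appx"."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_sent_to(set_cookie_header, issuing_host, request_host, request_path):
    """Would the cookie in this Set-Cookie header (one cookie per header), issued by
    issuing_host, be attached to a later request for request_host + request_path?"""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    for morsel in jar.values():
        domain = morsel["domain"]
        if domain:
            # A browser rejects a Domain= that does not cover the issuing host at all.
            if not domain_matches(issuing_host, domain):
                return False
            if not domain_matches(request_host, domain):
                return False
        elif request_host.lower() != issuing_host.lower():
            return False                       # host-only cookie: exact host only
        return path_matches(request_path, morsel["path"] or "/")
    return False


if __name__ == "__main__":
    # Constructed scenarios mirroring the posts on this page.
    rails_all_subdomains = "_app_session=abc; Domain=.example.com; Path=/; HttpOnly"
    rails_host_only = "_app_session=abc; Path=/; HttpOnly"
    grails_ctx_scoped = "grails_remember_me=tok; Path=/one-app"
    grails_root_scoped = "grails_remember_me=tok; Path=/"
    print("subdomain cookie, app1 -> app2:",
          cookie_sent_to(rails_all_subdomains, "app1.example.com", "app2.example.com", "/dashboard"))
    print("host-only cookie, app1 -> app2:",
          cookie_sent_to(rails_host_only, "app1.example.com", "app2.example.com", "/dashboard"))
    print("different registrable domains:  ",
          cookie_sent_to(rails_all_subdomains, "www.mycompany.com", "www.othercompany.com", "/"))
    print("/one-app cookie -> /two-app:    ",
          cookie_sent_to(grails_ctx_scoped, "ip.addr.10.10", "ip.addr.10.10", "/two-app/"))
    print("/ cookie -> /two-app:           ",
          cookie_sent_to(grails_root_scoped, "ip.addr.10.10", "ip.addr.10.10", "/two-app/"))
```

The output shows the boundary the answers describe: a Domain=.example.com cookie reaches every subdomain, a host-only cookie stays on the issuing host, nothing bridges www.mycompany.com and www.othercompany.com (which is why the acegi answer points at SSO instead), and two contexts on one host only share a cookie whose Path covers both. Widening Domain or Path is exactly what exposes the session to more applications, so the broader the scope, the more each application must be trusted with it.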
