I am building a Spring-MVC-Hibernate back-end with dozens of RESTful web-services. The front-end will probably be an HTML5, CSS3, and jQuery web-app that utilizes the back-end web-services I am developing.
We have an OpenAM 10.x SSO system on a Tomcat server, and we want to use that for authentication; there are no authorization rules or groups here. All the documentation I have seen has been with an unknown version of OpenAM and Spring Security 3. We have OpenAM 10.x with no known time to upgrade to the latest OpenAM. We plan on using Spring Security 4.0.3, which is the latest at this time.
1) One way we can do this is to establish a Circle Of Trust, and then establish an IDP and an SP, and then we'll have a URL in order to do Federated SSO. I believe this is how our front-end will get authentication and get a token returned to the front-end, which may be stored as a cookie.
2) Another way I have seen this done is to simply call the OpenAM RESTful API, pass in username and password, and get a token. That token will then be passed into the back-end RESTful APIs for security.
We will definitely be using Spring Security for Users, Roles, and Permissions (authorization), so can we do this? Use Spring Security 4.0.3 for users, roles, and permissions, but use OpenAM for authentication?
Any information would be very helpful. Thanks!