11
votes

I have two Java webapps that run on the same JBoss server but in a different domain:

All content from both websites is secured by using a JAAS login module. I would now like to create a button inside app1 to go to a page on app2. As predicted, I'm presented with the login screen from app2. I can successfully log in.

However, users on both webapps are actually the same. That means that usernames/passwords that are valid for app1 are also valid on app2. I would like to program something to bypass the redundant security check. If app1 wants to access a page from app2, I would like to somehow pass along the j_username and the j_password to app2 so that app2 can immediately perform the security check. It's not a problem if I have to create an additional controller or JSP and use a redirect in this process. How can I directly pass a j_username and j_password so that the login screen is no longer shown, but the security check is still performed?

2
How can you have different port1 & port2 for the same JBoss? Is it one JBoss instance and port1==port2? - sibnick
It's one server (machine), with a jboss domain setup. So there are multiple instances / server groups. The second group has a port offset. - user1884155

2 Answers

4
votes

What you need is to implement Single Sign-On (SSO) using JAAS. Here you can find a tutorial that is using LDAP as login modules, but you will get the idea.

Since you already have the JAAS part configured, you will only need to focus on the SSO part described starting on page 3. Basically, the idea is to configure one of the modules to share the state using useSharedState=true with the other application.

In your LoginModule you will use something like:

import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;

// Fields populated in initialize(Subject, CallbackHandler, Map sharedState, Map options)
private CallbackHandler handler_;
private Map<String, Object> sharedStateMap_;
private Map<String, ?> option_;

public boolean login() throws LoginException {
  // ...
  String username = null;
  String password = null;
  // If useSharedState is true, take the username/password that an earlier
  // login module put into the shared state instead of prompting again.
  if ("true".equalsIgnoreCase(String.valueOf(option_.get("useSharedState")))) {
    username = (String) sharedStateMap_.get("javax.security.auth.login.name");
    password = (String) sharedStateMap_.get("javax.security.auth.login.password");
  } else {
    // Otherwise get the username and password from the CallbackHandler
    NameCallback nameCallback = new NameCallback("username: ");
    PasswordCallback passwordCallback = new PasswordCallback("password: ", false);
    try {
      handler_.handle(new Callback[] {nameCallback, passwordCallback});
    } catch (IOException | UnsupportedCallbackException e) {
      throw new LoginException("Could not obtain credentials: " + e.getMessage());
    }
    username = nameCallback.getName();
    password = new String(passwordCallback.getPassword());
    passwordCallback.clearPassword();
    // Save the username and password into the shared state for the next module
    sharedStateMap_.put("javax.security.auth.login.name", username);
    sharedStateMap_.put("javax.security.auth.login.password", password);
  }
  // ... communicate with the data store to authenticate this user
}

Since you mentioned in your other question that you are using JBoss: starting with JBoss version 5.0, you can use:

<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"></Valve>

This will handle the SSO automatically for you if you are using the WebAuthentication class.
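To show what the shared-state mechanism from this answer does when two modules are stacked in one login configuration, here is a small runnable demo (my own constructed code, not from the answer or the linked tutorial). One module class is configured twice, the second copy with useSharedState=true as in the snippet above; the callback handler counts how often it is invoked, so the second module visibly authenticates without prompting again. The user store is a hard-coded stand-in, and the option name useSharedState is the answer's (the stock JDK modules use the equivalent useFirstPass/tryFirstPass options). Java 9+ is assumed for Map.of.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Constructed demo: one LoginModule class stacked twice; the second copy runs with useSharedState=true.
public class SharedStateDemo {
  public static class DemoModule implements LoginModule {
    private CallbackHandler handler; private Map<String, Object> shared; private Map<String, ?> options;
    @Override @SuppressWarnings("unchecked") public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> opt) {
      handler = h; shared = (Map<String, Object>) sh; options = opt;
    }
    @Override public boolean login() throws LoginException {
      String user, pass;
      if ("true".equalsIgnoreCase(String.valueOf(options.get("useSharedState")))) {
        user = (String) shared.get("javax.security.auth.login.name");       // stored by the earlier module
        pass = (String) shared.get("javax.security.auth.login.password");
        if (user == null || pass == null) throw new FailedLoginException("no shared credentials");  // fail closed
      } else {
        NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {nc, pc}); } catch (Exception e) { throw new LoginException(e.toString()); }
        user = nc.getName(); pass = new String(pc.getPassword()); pc.clearPassword();
        shared.put("javax.security.auth.login.name", user);      // hand the credentials to the next module
        shared.put("javax.security.auth.login.password", pass);
      }
      // Constructed credential check standing in for the real user store.
      if (!"alice".equals(user) || !"s3cret".equals(pass)) throw new FailedLoginException("bad credentials");
      return true;
    }
    @Override public boolean commit() { return true; } @Override public boolean abort() { return true; }
    @Override public boolean logout() { return true; }
  }
  public static void main(String[] args) throws LoginException {
    int[] prompts = {0};  // how often the user is actually asked for credentials
    CallbackHandler handler = cbs -> {
      prompts[0]++;
      for (Callback c : cbs) {
        if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
        else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
        else throw new UnsupportedCallbackException(c);
      }
    };
    AppConfigurationEntry.LoginModuleControlFlag req = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
    Configuration cfg = new Configuration() {  // two entries, same module; the second reuses shared state
      @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] {new AppConfigurationEntry(DemoModule.class.getName(), req, Map.of("useSharedState", "false")),
                                            new AppConfigurationEntry(DemoModule.class.getName(), req, Map.of("useSharedState", "true"))};
      }
    };
    new LoginContext("sso", new Subject(), handler, cfg).login();
    System.out.println("login succeeded; user prompted " + prompts[0] + " time(s)");
  }
}
```

Change the second entry's option to "false" and the handler is invoked once per module, which is exactly the redundant prompt the shared state is meant to remove.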

2
votes

JAAS login works for a security domain, not for a webapp. So you should just put both applications into one security domain. It is the login-config section in web.xml:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ApplicationRealm</realm-name>
    <form-login-config> ... </form-login-config>
</login-config>

It should be enough for single sign-on inside one J2EE container.

It is directly specified in the Java EE spec:

EE.3.3.8.2 Web Single Signon

... Require re-authentication of users only when a security policy domain boundary has been crossed ...

EDIT

After some discovery I found that SSO is disabled by default in WildFly. To enable SSO in WildFly:

  1. Modify standalone.xml and add <single-sign-on path="/"/> inside the <host> tag
  2. Add jboss-web.xml (sso is your security domain)

<jboss-web>
    <security-domain>sso</security-domain>
    <valve>
        <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
    </valve>
</jboss-web>

After this WildFly will use a special cookie, JSESSIONIDSSO, for SSO.