
I need help integrating a system for my company. We created a database that centralizes all the information in one authentication server.

For authentication we use an internal url like this:

http://autentication/ServletAutentication?login=XXXXXXXXXX&password=YYYYYYYYY

where XXXXXXXXXX is the username and YYYYYYYYY is the password encrypted with the MD5 algorithm. As a return we get an XML:

<autentication>
            <login>XXXXXXXX</login>
            <password>true</password>
</autentication>

The need is for authentication. The permissions are controlled by SpringSecurity Core.

After authentication, only the last access date will be stored.

Does anyone know how I can implement this in the SpringSecurity Core plugin?

isilva
  • Spring Security doesn't work this way... and it shouldn't, since passing the password (or its MD5 hash) in the URL like this (especially with http instead of https) is insecure. – GreyBeardedGeek Nov 22 '12 at 00:07
  • GreyBeardedGeek, thanks for replying! Even with the URL being unsafe, the environment is controlled and does not require such security. The return of access to this URL is an XML with the authentication result in webservice. Do you see any way to implement this? – isilva Nov 22 '12 at 00:47
  • Can't understand: are you trying to implement a grails client for existing 'authentication server' or creating this server itself? – Igor Artamonov Nov 22 '12 at 02:29
  • Hi Igor Artamonov! Thanks for responding! I'm just trying to keep the User saving another password. This server is already set up and is used by other applications. In Grails I am having difficulties implementing the commands. My initial thought is: when the User logs in, before authenticating the User in spring security core, invoke the url with login and password encrypted in MD5. (Continued ...) – isilva Nov 22 '12 at 11:37
  • If the server accepts the login is then pursued by the User authentication and password stored in the spring security core that also keep the password stored locally since they have not figured out how to proceed with authentication without maintaining this data locally. If the password is changed on the server authentication is automatically replicated to the application in Grails. (Continued ...) – isilva Nov 22 '12 at 11:37
  • My question is (1) I do not know the commands to invoke the URL (2) do not know the command to get the xml as the return URL (3) do not know the command to open the XML and check the field 'password'. The intent of this integration is just keeping a sync passwords between the authentication server and location. I know I could through the authentication server to replicate the password for the local server, but this is not the case. Gotta do the local application make a "pre-authentication" in this remote server. – isilva Nov 22 '12 at 11:38

1 Answer


Given that you don't think that you need to actually be secure, you could, of course, implement your own non-secure security scheme - just create a controller that looks the user name and password hash up in the database, and then returns the xml, adding a session cookie to the response to track the logged-in state.

On the other hand, trying to hack Spring Security to do exactly what it wasn't meant to do is probably not worth the effort.

GreyBeardedGeek
  • GreyBeardedGeek Hello, thanks for replying! What we really want is to do just that, create an action to do this authentication service on the remote server. The goal is to save the User password to decorate more. So when the same make and type the User Password in the application, this will invoke the url with the parameters necessary to verify the authentication server is returning the XML is correct with the answer and proceeding normally with authentication.(continued...) – isilva Nov 22 '12 at 11:49
  • The problem is I do not know how to invoke the url in Grails, nor how to treat the response received in XML. I think it would work so cool. Do you know how to implement these commands? Do you think this logic would work? – isilva Nov 22 '12 at 11:49
  • No, I think that this is both a really bad idea and "reinventing the wheel". It sounds like you are trying to do Single Sign On. There are a number of pre-existing solutions for SSO, and you should probably just use one of them. – GreyBeardedGeek Nov 22 '12 at 13:23
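
Added example, not part of the original thread: a Groovy sketch of the third point in the asker's list, reading the XML reply and checking the `password` field, written to fail closed. The helper name `remoteAuthAccepted`, the login `jsmith` and the sample replies are constructed for illustration; the element names are the ones shown in the question.

```groovy
import javax.xml.parsers.DocumentBuilderFactory

// Hypothetical helper (not from the thread): true only when the reply
// confirms the login that was submitted. Any doubt means "not authenticated".
boolean remoteAuthAccepted(String xml, String expectedLogin) {
    def factory = DocumentBuilderFactory.newInstance()
    // Refuse DOCTYPE declarations so a tampered reply cannot use external entities (XXE).
    factory.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true)
    factory.setXIncludeAware(false)
    factory.setExpandEntityReferences(false)
    try {
        def builder = factory.newDocumentBuilder()
        builder.setErrorHandler(null)   // keep parser errors out of stderr
        def doc = builder.parse(new ByteArrayInputStream(xml.getBytes('UTF-8')))
        def root = doc.documentElement
        if (root.nodeName != 'autentication') return false

        def logins = root.getElementsByTagName('login')
        def verdicts = root.getElementsByTagName('password')
        // Exactly one of each field; duplicated or missing elements are rejected.
        if (logins.length != 1 || verdicts.length != 1) return false

        String login = logins.item(0).textContent.trim()
        String verdict = verdicts.item(0).textContent.trim()
        // The echoed login must match the one we sent, and only the
        // literal "true" counts as success.
        return login == expectedLogin && verdict == 'true'
    } catch (Exception e) {
        return false                    // malformed or hostile XML: deny
    }
}

// Constructed sample replies, modelled on the format in the question.
def accepted  = '<autentication><login> jsmith </login><password> true </password></autentication>'
def denied    = '<autentication><login>jsmith</login><password>false</password></autentication>'
def otherUser = '<autentication><login>other</login><password>true</password></autentication>'
def doctype   = '<!DOCTYPE autentication [<!ENTITY x "true">]>' +
                '<autentication><login>jsmith</login><password>&x;</password></autentication>'
def truncated = '<autentication><login>jsmith</login>'

assert remoteAuthAccepted(accepted, 'jsmith')
assert !remoteAuthAccepted(denied, 'jsmith')
assert !remoteAuthAccepted(otherUser, 'jsmith')
assert !remoteAuthAccepted(doctype, 'jsmith')
assert !remoteAuthAccepted(truncated, 'jsmith')
```

The check validates only the shape and content of the reply; over plain http, as the first comment points out, nothing authenticates the server that produced it.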