0

I am implementing Spring Security login and I am trying to understand something, here is the scenario I want to implement:

  1. For initial login show login page and let user in.
  2. If the session expired after some inactivity and the user makes some action, show him a popup window to authenticate (js-based popup in browser). Continue with the action like there was no login form.

Implementing form is easy, but how do I make the popup work - let's say I make the request to some protected URL after session expired, how do I make sure it's not forwarded to login page, but to my login handler that shows popup window?

Another issue - I need to integrate with SiteMinder, so I would need to read the Login/Password combination and after it's read, forward to SiteMinder for authentication, after that's done I want to return without forwarding.

Roman Goyenko
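As an added illustration of the first part of the question (not code from the post or from Spring Security itself): a Spring Security AuthenticationEntryPoint that answers XMLHttpRequest calls with 401 instead of the login-page redirect, so the page's own JavaScript can open the re-authentication popup, while ordinary browser navigation still goes to the form. It assumes Spring Security 3.1, and the class name, login URL and `X-Session-Expired` header are hypothetical names chosen here.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/**
 * Hypothetical entry point: XHR callers get a 401 (no HTML redirect),
 * everything else is delegated to the normal login-form redirect.
 */
public class AjaxAwareEntryPoint implements AuthenticationEntryPoint {

    private final LoginUrlAuthenticationEntryPoint formEntryPoint;

    public AjaxAwareEntryPoint(String loginFormUrl) {
        // e.g. "/login.jsp"; the standard redirecting entry point does the rest
        this.formEntryPoint = new LoginUrlAuthenticationEntryPoint(loginFormUrl);
    }

    static boolean isAjax(HttpServletRequest request) {
        // jQuery and most other libraries set this header on XMLHttpRequest calls
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        if (isAjax(request)) {
            // A 401 (rather than a 302 to the login page) lets the client-side
            // code open the popup, re-authenticate, and replay the original call.
            response.setHeader("X-Session-Expired", "true"); // hypothetical marker header
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
        } else {
            formEntryPoint.commence(request, response, authException);
        }
    }
}
```

Wire it in with `entry-point-ref` on `<security:http>` so it replaces the default form entry point. As the answers below point out, once a SiteMinder agent sits in front of the container it handles the expired session before the request ever reaches this class.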

2 Answers

1

Answer to SiteMinder issue: Siteminder is generally installed on a Webserver behind your servlet container. Also, Siteminder manages the authentication and an application does not have access to a user password at all. To integrate with Siteminder use this filter: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e6295.

Answer to the login with the popup issue: since you need to integrate with Siteminder, I would not recommend implementing the login via the popup.

Paul Croarkin
Michael
  • Why not login via popup? The reason we do it this way is to not refresh the screen after session expiration and save the state. – Roman Goyenko Jul 18 '13 at 16:39
  • In case of SiteMinder you will not be able to work with the popup, since SiteMinder is between a browser and your application server. – Michael Jul 22 '13 at 13:32
0

The sample given on the above springsource website is quite primitive and can break in several use cases. Using the SM_USER header alone has several caveats, see my answer here: How to validate SM_USER header in Spring Security preauthentication for siteminder

CA SSO aka SiteMinder, as well as other traditional html-form-request-response SSO systems, have a hard time dealing with Single Page Applications and protecting the web services that you invoke via AJAX, without breaking the flow of your application.

Richard Sand