I have to design a DMS (document management system) and I decided to use Spring as the base framework for the platform I'm going to build. The platform comprises 2 main applications: an engine app and a portal app. Both are web applications based on Spring MVC; the engine is basically a set of REST services and the portal is the main frontend of the application. As the engine app is a set of services, I plan to expose those services to others.
The engine should be able to connect to other DMS like Alfresco or IBM FileNET P8.
The engine has to be secured, of course, and I decided to use Spring Security to have the flexibility to choose how to secure the engine on each installation (e.g. SaaS using OAuth, LDAP, a custom DB, ...).
That said, this is what I'm trying to achieve:
- Portal app has a JAAS provider with a custom login module
- Engine app has a JAAS provider with a custom login module (the same as the portal's)
Both applications, used standalone, work as expected, but when I log into the portal app and then call the engine, using a RestTemplate inside a controller method, the JAAS credentials are not passed and the engine's method returns the login page instead of the JSON result.
I would like the login to the portal app to be passed on to the other app, like SSO.
I think I'm missing something in the RestTemplate to pass the JAAS subject from one app to the other, maybe some kind of header in the request.
Both apps have the same Spring Security configuration:
<http auto-config="true" use-expressions="true" jaas-api-provision="true">
    <intercept-url pattern="/api/**" access="hasRole('TESTROLE')" />
</http>
<authentication-manager>
    <authentication-provider ref="jaasAuthProvider" />
</authentication-manager>
<beans:bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
    <beans:property name="configuration">
        <beans:bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
            <beans:constructor-arg>
                <beans:map>
                    <beans:entry key="SPRINGSECURITY">
                        <beans:array>
                            <beans:bean class="javax.security.auth.login.AppConfigurationEntry">
                                <beans:constructor-arg value="it.besolutions.aegis.testloginmodule.Login" />
                                <beans:constructor-arg>
                                    <util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
                                </beans:constructor-arg>
                                <beans:constructor-arg>
                                    <beans:map></beans:map>
                                </beans:constructor-arg>
                            </beans:bean>
                        </beans:array>
                    </beans:entry>
                </beans:map>
            </beans:constructor-arg>
        </beans:bean>
    </beans:property>
    <beans:property name="authorityGranters">
        <beans:list>
            <beans:bean class="it.besolutions.aegis.testloginmodule.RoleGranter" />
        </beans:list>
    </beans:property>
</beans:bean>
The RestTemplate call in the portal app controller looks like:
RestTemplate restClient = new RestTemplate();
ResponseEntity<DocumentCollection> result = restClient.getForEntity("http://localhost:8084/TestAegisRest/api/v1/documents", DocumentCollection.class);
For testing I'm using Tomcat.
Thanks in advance.
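One way to make the portal's login reach the engine, as an added example that is not part of the original question: a `ClientHttpRequestInterceptor` on the portal's RestTemplate that copies the logged-in user's name and password from the thread-bound `SecurityContext` into an `Authorization: Basic` header on every outgoing engine call, so the engine's own JAAS provider re-authenticates the same user. The package name, class names and the `engineClient()` factory are hypothetical; it assumes Spring 3.1+ (for `setInterceptors`) and Java 8+ (for `java.util.Base64`).

```java
// Added example, not code from the original post. Hypothetical package name.
package it.besolutions.aegis.portal;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.client.RestTemplate;

/**
 * Forwards the portal user's credentials to the engine as HTTP Basic auth.
 * Reads the Authentication bound to the current request thread, so it only
 * works when the RestTemplate is used inside a portal request (e.g. a controller).
 */
public class ForwardCredentialsInterceptor implements ClientHttpRequestInterceptor {

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // getCredentials() is null if Spring Security erased the password after login
        // (the default); see the note below on erase-credentials="false".
        if (auth != null && auth.isAuthenticated() && auth.getCredentials() != null) {
            request.getHeaders().set("Authorization", basicHeader(auth));
        }
        return execution.execute(request, body);
    }

    /** Builds "Basic base64(username:password)" from an Authentication. */
    static String basicHeader(Authentication auth) {
        String pair = auth.getName() + ":" + auth.getCredentials();
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Hypothetical factory: the RestTemplate a portal controller should use
     * instead of a bare "new RestTemplate()".
     */
    public static RestTemplate engineClient() {
        RestTemplate rt = new RestTemplate();
        rt.setInterceptors(Collections.<ClientHttpRequestInterceptor>singletonList(
                new ForwardCredentialsInterceptor()));
        return rt;
    }
}
```

Two things have to change in the XML for this to work. In the portal, `ProviderManager` erases the password from the `Authentication` after a successful login by default, so `auth.getCredentials()` is null unless the `<authentication-manager>` is declared with `erase-credentials="false"`. In the engine, `auto-config="true"` turns on form login, whose entry point redirects unauthenticated calls to the login page (which is the HTML you are seeing instead of JSON); for the `/api/**` path the engine should instead accept the header with `<http-basic />`, use `create-session="stateless"`, and either drop form login or point `entry-point-ref` at a `BasicAuthenticationEntryPoint` so a missing or bad header yields a 401 rather than a redirect. Forwarding the user's password is acceptable for a localhost Tomcat test, but in production the engine URL should be HTTPS, and the OAuth option you mention (a bearer token issued to the portal and validated by the engine) avoids ever holding the plaintext password in the portal's session at all.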