
Good day. I have a scenario where we have multiple web applications running on the same server and we would like one login to serve all applications. Currently, if you switch applications, you need to be re-authenticated. Try as I may, I cannot get this resolved.

I went through the session management page to try and implement what they call Poor Man's SSO (https://shiro.apache.org/session-management.html)

Here is my shiro.ini:

[main]
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldap://1.2.3.4:389
contextFactory.systemUsername = me@testdomain.local
contextFactory.systemPassword = Password

realm = com.me.shared.security.shiro.meADRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = OU=ME,DC=testdomain,DC=local

securityManager.realms = $realm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionIdCookie=org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name=sid
sessionIdCookie.maxAge=1800
sessionIdCookie.httpOnly=true
sessionManager.sessionIdCookie=$sessionIdCookie
sessionManager.sessionIdCookieEnabled=true
securityManager.sessionManager = $sessionManager

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 3600000

securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager

URL mapping is done in a custom Java IniWebEnvironment and looks like this:

/faces/common/Login.xhtml = authc
/faces/common/unauthorized.xhtml = anon
/faces/secured/** = authc
/faces/myAdmin/** = roles[administrator]
/faces/myManagement/** = roles[administrator]
/faces/people/** = roles[administrator]

I have a custom JSF bean where I perform login like this:

Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(getUserName(), getPassword());
subject.login(token);

I am open to doing SSO in a different fashion, but this is an internal application and doesn't need much. Any ideas?

Kukeltje
Sam Donato
  • Cross-posted to Shiro User list: https://mail-archives.apache.org/mod_mbox/shiro-user/201803.mbox/%3C1520518054635-0.post%40n2.nabble.com%3E – Brian Demers Mar 09 '18 at 18:34
  • Here is the only one helping again (and not even using Shiro myself anymore). From what I read in the docs (yes, I've been reading for more than half an hour already to gain knowledge for YOU) and what I know of SSO in general (quite a lot), for "Poor man's SSO" in Shiro, you need the sessionIdCookie to work and for it to be shared across the different apps. Did you check if it is set where you actually authenticate and if it is shared with the other environments? By default cookies are NOT. Read this thread: http://grokbase.com/t/shiro/user/128ehn512n/sso-on-single-tomcat-container – Kukeltje Mar 21 '18 at 20:37
  • Oh, and don't forget to check in any server if the sessionIdCookie is still valid, by using it to get a Subject based on the sessionIdCookie value like in https://shiro.apache.org/session-management.html#SessionManagement-SessionsandSubjectState – Kukeltje Mar 21 '18 at 20:47
  • And I hope you actually see now that I do know what I'm talking about (and I did understand your other question). You, on the other hand, seem to be missing the basic knowledge about SSO. – Kukeltje Mar 21 '18 at 20:54
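
The following shiro.ini [main] section is an added example, not part of the question or of the Shiro project, showing what the configuration above is missing for the cookie-sharing that the comments describe. It keeps the asker's realm, scheduler and cache wiring and changes two things: the session-id cookie gets an explicit root Path (plus Secure, and a commented-out Domain for the multi-host case), and the session store is called out as something that must be shared between the deployments. The file name `PLACEHOLDER-shared-ehcache.xml` is a placeholder and not a real file; `sessionIdUrlRewritingEnabled` and the cookie `path`, `domain` and `secure` properties are standard Shiro settings.

```ini
[main]
# Realm wiring, unchanged from the question.
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldap://1.2.3.4:389
contextFactory.systemUsername = me@testdomain.local
contextFactory.systemPassword = Password

realm = com.me.shared.security.shiro.meADRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = OU=ME,DC=testdomain,DC=local
securityManager.realms = $realm

# Native (Shiro-managed) sessions, as in the question. A session id can only be
# resolved by another web app if Shiro, not the servlet container, owns it.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionIdCookieEnabled = true
# Carry the id in the cookie only; never fall back to rewriting it into URLs,
# where it would end up in access logs and Referer headers.
sessionManager.sessionIdUrlRewritingEnabled = false

sessionIdCookie = org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name = sid
sessionIdCookie.maxAge = 1800
sessionIdCookie.httpOnly = true
# This is the line the question's configuration lacks. SimpleCookie defaults
# the Path attribute to the web app's context path, so /appA and /appB each
# receive a separate "sid" cookie and a login in one is invisible to the other.
# A root path makes the single cookie visible to every context on the host.
sessionIdCookie.path = /
# Needed only when the apps live on different host names under one parent
# domain; leave it unset (browser default: the exact host) otherwise.
# sessionIdCookie.domain = testdomain.local
# Restrict the cookie to TLS; enable this once the apps are served over HTTPS,
# otherwise the browser will not send it at all.
sessionIdCookie.secure = true
sessionManager.sessionIdCookie = $sessionIdCookie
securityManager.sessionManager = $sessionManager

# The shared cookie is necessary but not sufficient. Every web app builds its
# own SecurityManager and therefore its own EhCache instance, so a session
# created in one app is not found by the others unless the active-sessions
# cache is genuinely shared between deployments (a replicated EhCache setup,
# or a SessionDAO backed by an external store). The config file name below is
# a placeholder for whichever of those is used; it is not a real file.
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = shiro-activeSessionCache
sessionManager.sessionDAO = $sessionDAO

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:PLACEHOLDER-shared-ehcache.xml
securityManager.cacheManager = $cacheManager

# Validation scheduler, unchanged from the question.
sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 3600000
sessionManager.sessionValidationScheduler = $sessionValidationScheduler
```

To verify the setup the way the comment above suggests, log in to one app, read the `sid` cookie value from the browser, and in a second app resolve it with Shiro's `new Subject.Builder().sessionId(sid).buildSubject()`; `isAuthenticated()` returns true only when both the cookie reached that app (Path/Domain correct) and the session store found the id (store actually shared). Note the trade-off of a root-path cookie: every web app on that host that is configured with the same cookie name and session store will trust the same login, so only the applications meant to share it should be deployed on that host.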

0 Answers