Implementing ‘poor man’s SSO’


Implementing ‘poor man’s SSO’

imsammyd
Good day. I have a scenario where we have multiple web applications running
on the same server and we would like one login to serve all applications.
Currently, if you switch applications, you need to be re-authenticated. Try
as I may, I cannot get this resolved.

I went through the session management page to try and implement what they
call Poor Man's SSO (https://shiro.apache.org/session-management.html)

Here is my shiro.ini:
[main]
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldap://1.2.3.4:389
contextFactory.systemUsername = [hidden email]
contextFactory.systemPassword = Password

realm = com.me.shared.security.shiro.meADRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = OU=ME,DC=testdomain,DC=local

securityManager.realms = $realm

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionIdCookie=org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name=sid
sessionIdCookie.maxAge=1800
sessionIdCookie.httpOnly=true
sessionManager.sessionIdCookie=$sessionIdCookie
sessionManager.sessionIdCookieEnabled=true
securityManager.sessionManager = $sessionManager

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
sessionValidationScheduler =
org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 3600000

securityManager.sessionManager.sessionValidationScheduler =
$sessionValidationScheduler

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager

URL mapping is done in a custom Java IniWebEnvironment and looks like this:
/faces/common/LWCLogin.xhtml = authc
/faces/common/unauthorized.xhtml = anon
/faces/secured/** = authc
/faces/myAdmin/** = roles[administrator]
/faces/myManagement/** = roles[administrator]
/faces/people/** = roles[administrator]

I have a custom JSF bean where I perform login like this:
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(getUserName(), getPassword());
subject.login(token);

I am open to doing SSO in a different fashion, but this is an internal
application and doesn't need much. Any ideas?

--
Sent from: http://shiro-user.582556.n2.nabble.com/
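An added example, not part of the original thread: a shiro.ini [main] fragment that puts the posted cookie and cache settings next to the ones that actually let several web apps on one host present the same Shiro session. The realm, LDAP and validation-scheduler lines from the posted config are unchanged and left out; the Ehcache configuration filename is an assumption.

```ini
# Added example (not from the original post). Session-cookie and session-store
# settings for "poor man's SSO" across several web apps on one host, with the
# posted (per-app) behaviour shown alongside for comparison.
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionIdCookie = org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name = sid
sessionIdCookie.httpOnly = true
# Send the cookie only over TLS; drop this line only on plain-HTTP test setups.
sessionIdCookie.secure = true

# AS POSTED: no path is set. SimpleCookie then uses the request's context path,
# so /app1 and /app2 each get their own 'sid' cookie (Path=/app1, Path=/app2)
# and the browser never presents app1's session id to app2.
# (sessionIdCookie.path left unset)

# SHARED: one cookie for the whole host. Every application deployed under this
# host, Shiro-based or not, now receives the session id, so use it only where
# all apps on the host are trusted with it.
sessionIdCookie.path = /

# Only needed when the apps live on different hostnames under one parent domain
# (app1.my.com, app2.my.com). On a single host it just widens the cookie's
# scope to every subdomain for no benefit.
# sessionIdCookie.domain = my.com

sessionManager.sessionIdCookie = $sessionIdCookie
sessionManager.sessionIdCookieEnabled = true
# Shiro 1.3+: never fall back to putting the session id in the URL.
sessionManager.sessionIdUrlRewritingEnabled = false
securityManager.sessionManager = $sessionManager

# The shared cookie is only half of it: the session the cookie names must be
# readable by every app. EnterpriseCacheSessionDAO keeps sessions in the cache
# that securityManager.cacheManager supplies, and an Ehcache CacheManager
# created inside one webapp's classloader is a private heap cache that the
# other webapps cannot see. When app2 then reads a session id it does not know,
# Shiro discards it and starts a fresh, unauthenticated session, which is the
# "log in again when switching" symptom. Every app must therefore load the same
# Ehcache configuration, and that configuration must describe a shared or
# replicated store, not the default in-heap one.
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
# Shiro's default cache name, stated explicitly so all apps agree on it.
sessionDAO.activeSessionsCacheName = shiro-activeSessionCache
securityManager.sessionManager.sessionDAO = $sessionDAO

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
# Assumed filename; it must resolve to the same shared-store config in every app.
cacheManager.cacheManagerConfigFile = classpath:shiro-shared-ehcache.xml
securityManager.cacheManager = $cacheManager
```

To check which half is still wrong, look at the Set-Cookie header after logging in to one app: with the posted config it carries Path=/app1 (or whatever the context path is), with the change above it carries Path=/. If the same sid value is then sent to the second app and it still redirects to the login page, the apps are not reading the same session store. Keep in mind that a session scoped to / is a single security boundary for the whole host: logout in one app ends it for all of them, and any application on that host can read and replay the cookie.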

Re: Implementing ‘poor man’s SSO’

Brian Demers
Hey!

You need to make sure that your applications are using the same SessionDao and your cookie would need to be set to the domain that is common across your applications.

I haven't tried it personally yet, but 'buji-pac4j' (which uses Shiro) supports OIDC and SAML. You might want to take a look at that too.

-Brian

On Thu, Mar 8, 2018 at 9:07 AM, imsammyd <[hidden email]> wrote:

Re: Implementing ‘poor man’s SSO’

imsammyd
Thanks for your answer.  Everyone is using the same DAO and I added
securityManager.sessionManager.sessionIdCookie.domain = my.com to no avail.
Still no SSO.


Re: Implementing ‘poor man’s SSO’

Brian Demers
Are you seeing cache hits/misses when looking up your sessions?

On Fri, Mar 9, 2018 at 9:53 AM, imsammyd <[hidden email]> wrote:

Re: Implementing ‘poor man’s SSO’

imsammyd
I spent some time trying to make sure that there were no cache errors, I
don't see anything about cache misses. I still need to re-authenticate when
I hit a new application.  Is there something additional that needs to happen
with my JSF login bean? Do I need to look sessions up or anything?


Re: Implementing ‘poor man’s SSO’

Brian Demers
I was just playing around with a similar flow.  I wanted to force the `login()` call from outside of the typical Filter example.

The key thing to make sure you have setup is that the Shiro filter is executed first.  This binds the subject (anonymous or otherwise) to the session.

Instead of a `doc` file can you post a sample app on Github?

On Thu, Mar 15, 2018 at 10:06 AM, imsammyd <[hidden email]> wrote:

Re: Implementing ‘poor man’s SSO’

Brian Demers
Sorry,

I mixed up your question with a different thread (I should have read the scrollback).

---

Are you sure your applications are accessing the same cache store? Are you seeing the session id change when you switch between applications (and forcing you to log in again any time you toggle between them?)

On Thu, Mar 15, 2018 at 11:45 AM, Brian Demers <[hidden email]> wrote:

Re: Implementing ‘poor man’s SSO’

Sashika
The simplest way to do this is with CAS using the Shiro adapter. Please read the link below.

On Thu, Mar 15, 2018 at 9:26 PM, Brian Demers <[hidden email]> wrote: