Tags: java, php, spring, spring-security, cas

How to authenticate two clients at once with JASIG SSO


Honestly not sure if the title is descriptive enough, so here goes the text:

Backstory

I am rebuilding a web application using the Spring framework. However, the old application runs on PHP.

There's a grace period where both of the applications will be running at once, so I'll be moving stuff over slowly to the Java side and away from PHP.

Luckily for myself, most of the communication between back and frontend has been done through jQuery and AJAX. I've already set up a host of REST endpoints to take care of reading, and saving was next on my list.

The problem

Now the problem arises that my Spring application needs to know if the user that is logged in is actually allowed to save data. A coworker proposed I use Jasig CAS SSO as an authentication, so that the PHP and Java applications will both use the same login.

However, herein lies a problem as well. I have set up Spring Security to work with the SSO, and PHP also knows how to behave with it. However, the problem comes when I do an AJAX request to the Spring side. Spring Security detects that I'm not logged in (possibly because there are no cookies being sent) and thus returns a 302 for me to go to the CAS login page.

I've managed to get everything running on the same (not outward facing) domain:

  • cas.domain.local
  • app.domain.local (PHP)
  • tools.domain.local (Java)

The requests are coming from app.domain.local to tools.domain.local.

I've read a lot about Ticket granting cookies, ticket granting tickets, sending session information in my ajax request, but also of something called an authentication proxy.

The question

What would be my best method of telling the Java side, through an AJAX request, that I'm already authenticated with the CAS SSO server?

Please ask if more information is required. This is my first Stack Overflow question and I don't quite know how to word everything.


Solution

So eventually I realised that everything was working, including authentication on the AJAX side, but I had my configs all wrong.

Apparently https://cas.local/cas is a different endpoint than https://cas.local/cas/. That caused the cookies not to be recognized in this particular case.

Took me a few days to figure out though.
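The two mechanisms this thread turns on, the CAS 2.0 redirect/validate exchange the question asks about and the trailing-slash mismatch in the CAS server prefix that the answer found, as an added example that is not code from the original post, from Spring Security or from the Jasig CAS client. Every URL and ticket value below (the `cas.domain.local` prefix, the `tools.domain.local` service, the `ST-1-constructed` ticket) and both XML responses are constructed samples; `normalize_prefix`, `login_url`, `validate_url`, `parse_service_response` and `unauthenticated_response` are names chosen here, not CAS client API names.

```python
"""Minimal CAS 2.0 client-side helpers (added example, not from the original post).

Constructed assumptions: the CAS server prefix is https://cas.domain.local/cas
(with or without a trailing slash) and the protected Java service is
https://tools.domain.local/api/save. The XML responses are hand-written
samples in the shape of a CAS 2.0 serviceValidate reply.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit
import xml.etree.ElementTree as ET

# Namespace used by CAS 2.0 serviceValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses, one success and one failure.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def normalize_prefix(prefix: str) -> str:
    """Canonicalise the CAS server prefix so that 'https://cas.local/cas' and
    'https://cas.local/cas/' yield the same login and validate endpoints
    (the config mismatch described in the accepted answer)."""
    parts = urlsplit(prefix)
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


def login_url(prefix: str, service: str) -> str:
    """Where an unauthenticated browser is sent; 'service' is the URL CAS
    will redirect back to with a service ticket appended."""
    return f"{normalize_prefix(prefix)}/login?" + urlencode({"service": service})


def validate_url(prefix: str, service: str, ticket: str) -> str:
    """Server-side validation call. The 'service' value must be identical to
    the one used at login or CAS rejects the ticket."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{normalize_prefix(prefix)}/serviceValidate?" + query


def parse_service_response(xml_text: str):
    """Parse a CAS 2.0 serviceValidate reply.
    Returns (user, None) on success and (None, failure_code) otherwise."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.find("cas:user", CAS_NS)
        if user is not None and user.text and user.text.strip():
            return user.text.strip(), None
        return None, "MALFORMED"
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return None, failure.get("code", "UNKNOWN")
    return None, "MALFORMED"


def unauthenticated_response(headers: dict, prefix: str, service: str):
    """Decide what an unauthenticated request should get back: a normal
    browser navigation is redirected (302) to CAS, while an XHR is answered
    with 401 so the calling JavaScript can react instead of silently following
    a redirect to an HTML login page. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-requested-with") == "XMLHttpRequest":
        return 401, None
    return 302, login_url(prefix, service)


if __name__ == "__main__":
    prefix = "https://cas.domain.local/cas/"
    service = "https://tools.domain.local/api/save"
    print(login_url(prefix, service))
    print(validate_url(prefix, service, "ST-1-constructed"))
    print(parse_service_response(SUCCESS_XML), parse_service_response(FAILURE_XML))
    print(unauthenticated_response({"X-Requested-With": "XMLHttpRequest"}, prefix, service))
```

The `normalize_prefix` step is the point of the answer: both spellings of the prefix must produce byte-identical `/login` and `/serviceValidate` URLs, and the `service` parameter sent at login must be reused unchanged at validation. The 401-for-XHR branch addresses the 302 the asker saw on AJAX calls; a browser will follow that redirect inside the XHR and hand the script the CAS login HTML instead of a usable status.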