Posted to user@shiro.apache.org by imsammyd <st...@gmail.com> on 2018/03/08 14:07:34 UTC

Implementing ‘poor man’s SSO’

Good day. I have a scenario where we have multiple web applications running
on the same server and we would like one login to serve all applications.
Currently, if you switch applications, you need to be re-authenticated. Try
as I may, I cannot get this resolved.

I went through the session management page to try and implement what they
call Poor Man's SSO (https://shiro.apache.org/session-management.html)

Here is my shiro.ini:

[main]
# LDAP connection used by the realm
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldap://1.2.3.4:389
contextFactory.systemUsername = me@testdomain.local
contextFactory.systemPassword = Password

realm = com.me.shared.security.shiro.meADRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = OU=ME,DC=testdomain,DC=local

securityManager.realms = $realm

# Native session manager with a custom session-id cookie (no path or domain set)
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionIdCookie = org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name = sid
sessionIdCookie.maxAge = 1800
sessionIdCookie.httpOnly = true
sessionManager.sessionIdCookie = $sessionIdCookie
sessionManager.sessionIdCookieEnabled = true
securityManager.sessionManager = $sessionManager

# Session store backed by the cache manager configured below
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 3600000
securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager

URL mapping is done in a custom Java IniWebEnvironment and looks like this:

/faces/common/LWCLogin.xhtml = authc
/faces/common/unauthorized.xhtml = anon
/faces/secured/** = authc
/faces/myAdmin/** = roles[administrator]
/faces/myManagement/** = roles[administrator]
/faces/people/** = roles[administrator]

I have a custom JSF bean where I perform login like this:

Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(getUserName(), getPassword());
subject.login(token);

I am open to doing SSO in a different fashion, but this is an internal
application and doesn't need much. Any ideas?





--
Sent from: http://shiro-user.582556.n2.nabble.com/
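The following is an added illustration, not code from this thread or from Shiro itself. It reproduces the browser-side rule that decides whether a cookie stored for one web application is sent to another (the domain-match and path-match rules of RFC 6265), because that rule is what decides whether the shiro.ini above can work: when `sessionIdCookie.path` is left unset, Shiro's SimpleCookie scopes the session cookie to the issuing webapp's context path (Path=/app1), so a sibling application under /app2 never receives it and starts a fresh, unauthenticated session. The host name intranet.example, the context paths /app1 and /app2, and the Set-Cookie headers are all constructed for the example.

```python
"""Added example: why a Shiro session cookie issued by one webapp is not
presented to a sibling webapp.  Implements the RFC 6265 domain-match
(section 5.1.3) and path-match (section 5.1.4) rules a browser applies
before attaching a stored cookie to a request.  All URLs and Set-Cookie
headers below are constructed for the example, not captured traffic."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path: the request path up to its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match; note that /app1 does NOT match /app10 or /app2."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match for a Domain attribute (host assumed to be a name, not an IP)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_sent_to(set_cookie: str, issuing_url: str, target_url: str, name: str = "sid") -> bool:
    """True if the cookie `name` from `set_cookie` (issued by `issuing_url`)
    would be attached by a browser to a request for `target_url`."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar[name]
    issuer, target = urlsplit(issuing_url), urlsplit(target_url)
    # Path: Shiro's SimpleCookie always emits one (the webapp context path unless
    # sessionIdCookie.path is set); fall back to the RFC default only if it is absent.
    cookie_path = morsel["path"] or default_path(issuer.path)
    if morsel["domain"]:
        if not domain_matches(target.hostname or "", morsel["domain"]):
            return False
    elif (target.hostname or "").lower() != (issuer.hostname or "").lower():
        return False  # host-only cookie: exact host match required
    if morsel["secure"] and target.scheme != "https":
        return False
    return path_matches(target.path or "/", cookie_path)


def shiro_demo() -> dict:
    """Two applications deployed on one host under different context paths (constructed)."""
    login_url = "http://intranet.example/app1/faces/common/LWCLogin.xhtml"
    other_app = "http://intranet.example/app2/faces/secured/home.xhtml"
    # What DefaultWebSessionManager emits when sessionIdCookie.path is left unset:
    # the cookie is scoped to /app1, so /app2 never sees it and creates a new session.
    context_scoped = "sid=5f1e2c9a4b; Path=/app1; HttpOnly"
    # What it emits with sessionIdCookie.path = / in shiro.ini.
    root_scoped = "sid=5f1e2c9a4b; Path=/; HttpOnly"
    return {
        "context_scoped_reaches_app2": cookie_sent_to(context_scoped, login_url, other_app),
        "root_scoped_reaches_app2": cookie_sent_to(root_scoped, login_url, other_app),
    }


if __name__ == "__main__":
    print(shiro_demo())
```

Running `shiro_demo()` reports False for the context-scoped cookie and True for the root-scoped one, which is the first thing to verify in the browser's developer tools: if the `sid` cookie shows `Path=/app1`, no amount of shared-cache tuning will make the second application see the session.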

Re: Implementing ‘poor man’s SSO’

Posted by Sashika <sa...@gmail.com>.
The simplest way to do this is with CAS using the Shiro adapter. Please
read the links below:

   - https://github.com/apereo/cas
   - https://shiro.apache.org/cas.html



Re: Implementing ‘poor man’s SSO’

Posted by Brian Demers <br...@gmail.com>.
Sorry,

I mixed up your question with a different thread (I should have read the
scroll back).

---

Are you sure your applications are accessing the same cache store? Are you
seeing the session id change when you switch between applications (and
forcing you to log in again any time you toggle between them?)





Re: Implementing ‘poor man’s SSO’

Posted by Brian Demers <br...@gmail.com>.
I was just playing around with a similar flow.  I wanted to force the
`login()` call from outside of the typical Filter example.

The key thing to make sure you have setup is that the Shiro filter is
executed first.  This binds the subject (anonymous or otherwise) to the
session.

Instead of a `doc` file can you post a sample app on Github?


Re: Implementing ‘poor man’s SSO’

Posted by imsammyd <st...@gmail.com>.
I spent some time trying to make sure that there were no cache errors, I
don't see anything about cache misses. I still need to re-authenticate when
I hit a new application.  Is there something additional that needs to happen
with my JSF login bean? Do I need to look sessions up or anything?




Re: Implementing ‘poor man’s SSO’

Posted by Brian Demers <br...@gmail.com>.
Are you seeing cache hits/misses when looking up your sessions?


Re: Implementing ‘poor man’s SSO’

Posted by imsammyd <st...@gmail.com>.
Thanks for your answer.  Everyone is using the same DAO and I added
securityManager.sessionManager.sessionIdCookie.domain = my.com to no avail.
Still no SSO.





Re: Implementing ‘poor man’s SSO’

Posted by Brian Demers <br...@gmail.com>.
Hey!

You need to make sure that your applications are using the same SessionDao
and your cookie would need to be set to the domain that is common through
your applications.

I haven't tried it personally yet, but 'buji-pac4j' (which uses Shiro)
supports OIDC and SAML. You might want to take a look at that too.

-Brian

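As an added example (not from the thread, and not Shiro's documented sample), here is the posted shiro.ini reworked around the two requirements Brian names, a cookie scoped wide enough to reach every application and one session store that all of them actually read, with the settings that the original file leaves at their defaults spelled out. The parent domain my.com is taken from the thread; the file name shared-shiro-ehcache.xml is an assumed placeholder for whatever Ehcache configuration the applications really share.

```ini
[main]
# --- Realm: unchanged from the posted configuration ---
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldap://1.2.3.4:389
# Service-account credentials in a checked-in INI file are a standing risk;
# at least restrict the file's permissions or inject the value at deploy time.
contextFactory.systemUsername = me@testdomain.local
contextFactory.systemPassword = Password
realm = com.me.shared.security.shiro.meADRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = OU=ME,DC=testdomain,DC=local
securityManager.realms = $realm

# --- Session cookie: identical in every application, scoped to cover all of them ---
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionIdCookie = org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name = sid
# Left unset, SimpleCookie uses the webapp's context path (Path=/app1), so the
# browser never presents the cookie to /app2 and /app2 starts a new session.
# "/" makes one cookie cover every context on the host.
sessionIdCookie.path = /
# Only needed when the applications sit on different hosts of one parent domain
# (app1.my.com, app2.my.com). Leave it out when everything is on one hostname.
#sessionIdCookie.domain = my.com
sessionIdCookie.httpOnly = true
# Enable once the applications are served over TLS.
#sessionIdCookie.secure = true
sessionIdCookie.maxAge = 1800
sessionManager.sessionIdCookie = $sessionIdCookie
sessionManager.sessionIdCookieEnabled = true
# Never fall back to rewriting the session id into URLs: it would leak into
# logs, bookmarks and Referer headers.
sessionManager.sessionIdUrlRewritingEnabled = false
securityManager.sessionManager = $sessionManager

# --- Session store: one store that every application really reads ---
# EnterpriseCacheSessionDAO is only "shared" if the cache behind it is shared.
# An EhCacheManager instantiated inside each WAR is private to that WAR, so a
# session created by /app1 is invisible to /app2 even though both declare the
# same DAO class.  Either load, in every application, an Ehcache configuration
# whose shiro-activeSessionCache is genuinely common to them (replicated, or
# one CacheManager instance living in a classloader shared by all WARs) ...
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = shiro-activeSessionCache
securityManager.sessionManager.sessionDAO = $sessionDAO
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
# Assumed file name; the point is that all applications load the same one.
cacheManager.cacheManagerConfigFile = classpath:shared-shiro-ehcache.xml
securityManager.cacheManager = $cacheManager
# ... or replace EnterpriseCacheSessionDAO with a SessionDAO backed by a
# database the applications share.

sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 3600000
securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler
```

A quick way to tell which of the two requirements is failing: after logging in to one application, check the `sid` cookie's Path in the browser, then open the second application and compare the session id it reports. An unchanged id that still lands on the login page points at the session store; a new id points at the cookie scope.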