Problems with custom login implementation using Spring Security Core plugin

Using Grails 2.5.0 with Spring Security Core plugin 2.0-RC4

I'm integrating our web application with a fairly unusual single sign on service. Signed authentication statements are provided to us as GET parameters, which we validate.

To do this, I've implemented a custom security filter, which constructs an authentication object, which is passed to the authentication manager, which has our custom authentication provider in the chain.

This works fine. Users are able to login and navigate as normal.

The problem occurs when the user navigates away from our domain, then back. The previous session doesn't appear to be recognized. It is not until the user is rejected, redirected to the (off site) login page to re-authenticate, and redirected back to us, that we are able to have a persistent authentication.

I gather this is something to do with sessions being "registered" with the spring security core system somewhere, but I cannot find how to do this in the documentation.

This likely has something to do with the fact that users are directed initially straight to the configured grails.plugin.springsecurity.apf.filterProcessesUrl, as first contact with our server. We need to do this because users are generally directed to us from a different domain and require immediate access.

So I can see a couple of possible approaches here but need some information on which is more practical:

1) Direct users to a url other than grails.plugin.springsecurity.apf.filterProcessesUrl initially to "register" the session with the security system, then somehow wrangle the auth parameters to our filter through another redirect, or
2) manually "register" the session from within our custom filter.

Any idea on the right direction here would be hugely appreciated.
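One way to realise approach 2 in the filter itself, as an added example that is not code from the original post or from the Spring Security Core plugin. It assumes Grails 2.5 with Spring Security Core 2.0-RC4 (Spring Security 3.2); the `SsoAssertionToken` class, the `assertion` and `sig` parameter names, and the provider that verifies the signature are assumed stand-ins for the poster's own classes, which the post does not show. The point it demonstrates is that a session is "recognised" on later requests only if a populated `SecurityContext` is stored in the `HttpSession` under the key `HttpSessionSecurityContextRepository` reads, and that extending `AbstractAuthenticationProcessingFilter` gets the session strategy (session-fixation protection, concurrent-session registration) run for free.

```groovy
// Added example (not code from the original post). Assumes Grails 2.5 with Spring
// Security Core 2.0-RC4, i.e. Spring Security 3.2. SsoAssertionToken, the parameter
// names "assertion" and "sig", and the provider that checks the signature are assumed
// stand-ins for the poster's own classes, which the post does not show.
import javax.servlet.FilterChain
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

import org.springframework.security.authentication.AbstractAuthenticationToken
import org.springframework.security.authentication.BadCredentialsException
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContext
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
import org.springframework.security.web.context.HttpSessionSecurityContextRepository

/** Unauthenticated request token carrying the signed statement taken from the GET parameters. */
class SsoAssertionToken extends AbstractAuthenticationToken {
    final String assertion
    final String signature

    SsoAssertionToken(String assertion, String signature) {
        super(null)                 // no authorities until the provider has verified the signature
        this.assertion = assertion
        this.signature = signature
        setAuthenticated(false)
    }

    Object getPrincipal()   { assertion }
    Object getCredentials() { signature }
}

/**
 * Entry-point filter mapped to the SSO URL. Extending AbstractAuthenticationProcessingFilter
 * (rather than a plain Filter) means the base class runs the configured
 * SessionAuthenticationStrategy after attemptAuthentication() succeeds and then calls
 * successfulAuthentication(), which sets the result in SecurityContextHolder and redirects.
 */
class SsoAssertionFilter extends AbstractAuthenticationProcessingFilter {

    SsoAssertionFilter(String filterProcessesUrl) {
        super(filterProcessesUrl)   // e.g. the value of grails.plugin.springsecurity.apf.filterProcessesUrl
    }

    @Override
    Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String assertion = request.getParameter('assertion')
        String signature = request.getParameter('sig')
        if (!assertion || !signature) {
            // Reject explicitly: an empty statement must never reach the provider.
            throw new BadCredentialsException('Missing SSO assertion or signature')
        }
        // The custom provider in the manager's chain verifies the signature (and should also
        // check the statement's validity window) and returns an authenticated token.
        authenticationManager.authenticate(new SsoAssertionToken(assertion, signature))
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain, Authentication authResult) {
        // Store the populated context under the attribute key HttpSessionSecurityContextRepository
        // reads on every later request, before the success handler's redirect commits the response.
        SecurityContext context = SecurityContextHolder.context
        context.authentication = authResult
        request.getSession(true).setAttribute(
            HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context)

        super.successfulAuthentication(request, response, chain, authResult)
    }
}
```

The filter needs an `authenticationManager` injected (the base class asserts it in `afterPropertiesSet`), so in Grails it is declared as a bean in `grails-app/conf/spring/resources.groovy` with `authenticationManager = ref('authenticationManager')` and added to the chain from `BootStrap.groovy` with `SpringSecurityUtils.registerFilter('ssoAssertionFilter', SecurityFilterPosition.FORM_LOGIN_FILTER.order - 10)`. Placing it there puts it after `SecurityContextPersistenceFilter`, whose response wrapper would normally also save the context when the redirect is issued; writing the session attribute explicitly is the "manually register" route from approach 2 and does no harm if both happen.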