An example of a multi-module web app with single-sign-on using spring-security-oauth based on this article series published by Dave Syer.
The project is organized as a multi-module Java Maven project:
- An oauth-server module cloned from this repository: https://github.com/dsyer/spring-security-angular/tree/master/oauth2/authserver. This server runs in port 9999.
- Two oauth-client modules, two twin webapps that can be accessed at http://localhost:9991/client1 and http://localhost:9992/client2.
Also, a Redis server is needed to store sessions. Spring Session is used to connect to Redis to persist sessions.
Both client webapps have a public /index.html
and a secure /private.html
pages. In order to access the private zone, the user must login, which is done via the oAuth server running at port 9999.
The goal is to allow the user login into one of the client web apps and be automatically logged into the other. This would allow to divide a traditional web application into modules that share the user login.
Follow these steps to try it right from the source code:
- Clone this repo or download the zip file and Import into Eclipse as an Existing Maven Project. Note that 3 projects will be imported: the oAuth server and the 2 client web apps.
- Download Redis database, unzip it,
cd
into Redis directory and runmake
to compile it. - Run
src/redis-server
to start Redis in port6379
. - Launch oAuth server project from Eclipse by right-clicking on
AuthserverApplication
class ->Run As..
->Java Application
. - Set a breakpoint in method
createSessionCookie()
in classorg.springframework.session.web.http.CookieHttpSessionStrategy
, right after theTODO
comment (more on this later.):
sessionCookie.setPath(cookiePath(request));
// TODO set domain?
if(sessionIds.isEmpty()) {
- Launch both client projects the same way, but pick
Debug As..
this time. - Go to http://localhost:9991/client1. The execution will stop at the breakpoint. Open Eclipse's
Display View
and execute this line of code:sessionCookie.setPath("/")
every time it stops there, then continue the execution withF8
. - Follow the
Login
link and authenticate withuser:password
. - Now click follow the
Private
link. You're in! - Go to http://localhost:9992/client2 and repeat step 7.
- As you've already logged in client1 web app, you can go directly to client2's
Private
page!
So, why the breakpoint stuff??. In short, to store a domain-wide SESSION
Cookie in the browser with the same Path
for both client webapps. Otherwise, Spring Session creates a Cookie
with different Path
s for each webapp, thus preventing Single-Sign-On. Disable the breakpoint and restart the web applications to see what happens.
There's already an issue in Spring Session project to configure CookieHttpSessionStrategy
in order to set a custom Path
. Let's hope it makes it into Spring Session 1.0.1 release.