share token between applications


Jorge Aguilera

Apr 13, 2015, 8:07:13 AM
to spring-sec...@googlegroups.com
Hi guys,
I don't know if I'm missing some piece or maybe I'm completely wrong.
I have a database with users, passwords and roles, and I also have 5 different Grails applications serving REST resources (products, sales, ...), and I want to use security annotations to control the access to every resource.

I want to have one unique "login" point where I validate the user and get their roles, and I want to use them in the rest of the applications.
I'm thinking about building my own OAuth server, but it seems that the new direction of the plugin is to prefer JWS. So, is it possible to have one Grails application validate users and share the token with the rest of the applications?

Thanks in advance

Alvaro Sanchez-Mariscal

Apr 13, 2015, 8:16:27 AM
to Jorge Aguilera, spring-sec...@googlegroups.com
You can have a single application (microservice) issuing tokens. The other applications would receive them and will have to validate them against that auth service's /api/validate endpoint.

The trick is to define a filter in those applications that, on every request, reads the token from the request and validates it. If valid, it creates an Authentication object and puts it in Spring's SecurityContext, so that @Secured annotations, springSecurityService and so on will work smoothly.

Hope this helps.

--
Spring Security REST
http://alvarosanchez.github.io/grails-spring-security-rest/
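
The filter described in the reply above, sketched in Groovy as an added example (not code from the thread or from the plugin). It assumes the token arrives in an `Authorization: Bearer` header, that the auth service's /api/validate accepts the same header and answers 200 with JSON containing `username` and `roles`, and a `javax.servlet` stack; the class name and URL are hypothetical.

```groovy
import groovy.json.JsonSlurper
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.web.filter.OncePerRequestFilter
import javax.servlet.FilterChain
import javax.servlet.ServletException
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

// Hypothetical resource-side filter: trusts only what the auth service confirms.
class RemoteTokenValidationFilter extends OncePerRequestFilter {
    // Assumption: address of the token-issuing app; HTTPS keeps tokens off the wire in clear.
    String validateUrl = 'https://auth.example.internal/api/validate'

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader('Authorization')
        if (header?.startsWith('Bearer ')) {
            def auth = validate(header.substring(7).trim())
            if (auth == null) {                       // presented token was rejected
                SecurityContextHolder.clearContext()
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED)
                return
            }
            SecurityContextHolder.context.authentication = auth
        }
        // No token: continue unauthenticated and let @Secured deny access.
        chain.doFilter(request, response)
    }

    private UsernamePasswordAuthenticationToken validate(String token) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(validateUrl).openConnection()
            conn.connectTimeout = 2000                // do not hang requests on a slow auth service
            conn.readTimeout = 2000
            conn.setRequestProperty('Authorization', "Bearer ${token}")
            if (conn.responseCode != 200) return null
            def body = new JsonSlurper().parseText(conn.inputStream.getText('UTF-8'))
            if (!(body instanceof Map) || !body.username) return null
            def authorities = (body.roles ?: []).collect { new SimpleGrantedAuthority(it as String) }
            return new UsernamePasswordAuthenticationToken(body.username, null, authorities)
        } catch (Exception ignored) {
            return null                               // fail closed: any error means not authenticated
        }
    }
}
```

The filter still has to be registered in each application's Spring Security filter chain so that it runs before the authorization checks.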

Jorge Aguilera

Apr 13, 2015, 9:01:27 AM
to spring-sec...@googlegroups.com
Great!! I missed the api/validate endpoint.

As you suggest, I'll try to develop the filter as a new plugin, and maybe it could be useful to someone.

Thanks


