Background information:
Our production environment is comprised of two JBoss 4.0.4.GA servers
running in a cluster. In the embedded Tomcat in JBoss, the
org.apache.catalina.authenticator.SingleSignOn valve has been disabled and
the org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn valve has been
enabled.
We currently have multiple applications deployed to this cluster using
standard J2EE declarative security via the web.xml file. SSO works for all
applications currently deployed. If a user authenticates in one
application, then they are not required to authenticate in subsequent
applications as long as they have an active session.
Current Project:
We are deploying our first Grails v1.0.3 application to the above-mentioned
cluster and have the JSecurity plugin version 0.3-SNAPSHOT installed.
Authentication and authorization are handled by the JSecurity plugin in this
Grails app.
Question:
If a user accesses one of the other applications on the cluster,
authenticates, has an active javax.servlet.http.HttpSession and the
java.security.Principal contains the user's username, how do I configure
JSecurity to use that information so the user won't be forced to
authenticate again by JSecurity in the Grails app?
I am not really sure where I should put this logic for checking if a user
has already been authenticated by another application or how to get
JSecurity to use it and basically do pass-through authentication. I was
thinking in grails-app/conf/SecurityFilters.groovy.
Testing:
In my SecurityFilters.groovy I have a filter definition that applies to all
controllers.
auth(controller: "*", action: "*") {
    before = {
        ...
In the above filter definition the following returns valid values when a
user authenticates in another application prior to accessing the Grails app.
Example:
request.getUserPrincipal() returns "myTestUserName"
session.getId() returns "9WjpPJQRMcNlYV1Sym5SJA**.phhlt341"
Any direction on how to proceed would be appreciated.
Thank you,
Thomas
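One way to wire the pass-through described above, written here as an added example rather than code from the original post or from the JSecurity plugin: the filter consults the container principal that the ClusteredSingleSignOn valve populates, hands it to JSecurity through a dedicated token type, and a realm that accepts only that token type turns it into a JSecurity account. The package names (org.jsecurity.SecurityUtils, org.jsecurity.authc.AuthenticationToken, SimpleAccount, UnknownAccountException), the plugin's realm conventions (grails-app/realms, static authTokenClass, authenticate(authToken)), the "auth" login controller and the User domain class are assumptions for the JSecurity 0.3-SNAPSHOT plugin and may need adjusting to the version actually installed.

```groovy
// Added example, not part of the original post. Package names, the plugin
// realm conventions and the User domain class are assumptions.

// --- grails-app/conf/SecurityFilters.groovy ---
import org.jsecurity.SecurityUtils
import org.jsecurity.authc.AuthenticationException

class SecurityFilters {
    def filters = {
        auth(controller: "*", action: "*") {
            before = {
                def subject = SecurityUtils.subject
                // Already authenticated with JSecurity in this session: nothing to do.
                if (subject.authenticated) return true

                // The principal set by the container after the SSO valve accepted the
                // user. Only request.getUserPrincipal() is trusted here; a header or
                // parameter carrying a username must never be used for this purpose,
                // because the realm below checks no credentials.
                def principal = request.userPrincipal
                if (principal) {
                    try {
                        subject.login(new ContainerPrincipalToken(principal.name))
                    } catch (AuthenticationException e) {
                        log.warn "Container principal '${principal.name}' rejected: ${e.message}"
                    }
                }

                if (!subject.authenticated) {
                    // Fall back to the normal JSecurity login flow (assumed AuthController).
                    redirect(controller: "auth", action: "login",
                             params: [targetUri: request.forwardURI])
                    return false
                }
                return true
            }
        }
    }
}

// --- src/groovy/ContainerPrincipalToken.groovy ---
import org.jsecurity.authc.AuthenticationToken

// A token that can only be built from a container-verified principal.
// It carries no credentials: the container has already authenticated the user.
class ContainerPrincipalToken implements AuthenticationToken {
    private final String username
    ContainerPrincipalToken(String username) { this.username = username }
    Object getPrincipal()   { username }
    Object getCredentials() { null }
}

// --- grails-app/realms/ContainerPrincipalRealm.groovy ---
import org.jsecurity.authc.SimpleAccount
import org.jsecurity.authc.UnknownAccountException

class ContainerPrincipalRealm {
    // The plugin routes tokens of this class to this realm (assumed convention).
    // Because no password is checked, the realm must never accept a plain
    // UsernamePasswordToken, or the password check would be bypassed.
    static authTokenClass = ContainerPrincipalToken

    def authenticate(authToken) {
        String username = authToken.principal
        // Require a matching local account so that an account disabled in the
        // Grails app is not silently resurrected by SSO from another application.
        def user = User.findByUsername(username)   // hypothetical domain class
        if (!user || !user.enabled) {
            throw new UnknownAccountException("No active local account for '${username}'")
        }
        return new SimpleAccount(username, null, "ContainerPrincipalRealm")
    }
}
```

The important design point is that the trust decision happens in exactly one place: the realm only answers for ContainerPrincipalToken, and that token is only ever constructed from request.getUserPrincipal() inside the filter. Authorization (roles, permissions) should still come from the Grails app's own user record, not from the other application, since the container principal carries only the username.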