Question

I'm trying to set up an SSO between a webapp and a REST API. To do this I'm using Apache Shiro + Jasig CAS, but now I'm having a problem related to the authentication of the REST API. I'm using CASRealm + CASFilter in the webapp and trying to use the session created there to access the REST API. I've tried 2 approaches:

  1. propagating the CAS service ticket from the webapp to the REST API through the request header (does not work; it says the service ticket is invalid because it belongs to another app, maybe the TGT would work)

  2. storing the username and password in the webapp and using them in HTTP basic authentication (this might be a big security flaw, I'm trying to avoid it)

What other approach can I use to authenticate the user in the REST API?

I guess this is mainly an architecture issue. Please ask questions if you didn't understand my question (or my English).


Solution

It looks like you want to use the first CAS service as a proxy for your REST API: you could use the CAS proxy mechanism: https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough. However, proxy support is not available in the Shiro CAS module; you should use the buji-pac4j extension. Here is a good discussion on this topic: http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-td7579694.html.
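
Added example, not from the answer above and not code from Shiro, CAS or buji-pac4j: the REST API's side of the CAS proxy mechanism the answer recommends, in Python. It builds the /proxyValidate request for a received proxy ticket, parses the CAS 2.0 response, and accepts the user only when the proxy chain is exactly the webapp's callback URL; the server URLs and the sample responses are constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"
# Hypothetical deployment URLs, chosen for this example.
CAS_SERVER = "https://cas.example.org/cas"
API_SERVICE = "https://api.example.org/rest"
# The only proxy chain the REST API trusts: a ticket proxied by the webapp.
# CAS lists proxies most recent first, so a chain is compared as a whole list.
ALLOWED_PROXY_CHAINS = [["https://webapp.example.org/cas-proxy-callback"]]


def proxy_validate_url(proxy_ticket: str) -> str:
    """The /proxyValidate request the REST API sends to CAS for a received ticket."""
    query = urlencode({"ticket": proxy_ticket, "service": API_SERVICE})
    return f"{CAS_SERVER}/proxyValidate?{query}"


def parse_proxy_validate(xml_body: str):
    """Parse a CAS 2.0 /proxyValidate response into (user, proxy_chain).

    Raises ValueError on authenticationFailure or a malformed body."""
    root = ET.fromstring(xml_body)
    failure = root.find(f"{CAS_NS}authenticationFailure")
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(f"{CAS_NS}authenticationSuccess")
    user = success.findtext(f"{CAS_NS}user") if success is not None else None
    if not user:
        raise ValueError("malformed CAS response: no cas:user")
    chain = [p.text.strip() for p in success.iter(f"{CAS_NS}proxy") if p.text]
    return user, chain


def authenticate_proxy_ticket(xml_body: str) -> str:
    """Return the user only if the ticket was proxied through an allowed chain."""
    user, chain = parse_proxy_validate(xml_body)
    if chain not in ALLOWED_PROXY_CHAINS:
        raise PermissionError(f"proxy chain not allowed: {chain}")
    return user


# Constructed sample responses, not captured from a real CAS server.
SAMPLE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationSuccess><cas:user>alice</cas:user><cas:proxies>
  <cas:proxy>https://webapp.example.org/cas-proxy-callback</cas:proxy>
 </cas:proxies></cas:authenticationSuccess></cas:serviceResponse>"""
SAMPLE_BAD_CHAIN = SAMPLE_OK.replace("webapp.example.org", "other-app.example.org")
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationFailure code='INVALID_TICKET'>Ticket PT-example not recognized
 </cas:authenticationFailure></cas:serviceResponse>"""
```

In a real deployment the response body comes from an HTTPS call to `proxy_validate_url(ticket)`; the XML is parsed here from the embedded samples so the check runs offline.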

OTHER TIPS

You can enable the OAuth 2.0 configuration on CAS and then you can secure your REST services with OAuth 2.0. For example, you can have a REST service with OAuth for user authentication. Here are some useful links.

OAuth configuration

Securing REST

OAuth and REST

Licensed under: CC-BY-SA with attribution