Question

I have 2 distinct webapps:

  • a CRM webapp which shows customer summaries to office users
  • a portal webapp for customer users

My CRM webapp uses a combination of LDAPManager and InMemoryManager with a BasicAuthenticationFilter and BasicAuthenticationEntryPoint; my portal uses a classic JDBC Manager with a standard UsernamePasswordAuthenticationFilter.

Now, I need transparent access to my portal from my CRM webapp.

For example, I work in the office on the CRM webapp. A customer calls me and asks for explanations about what is mentioned in the Portal.

It should be possible for an office user to access the Portal as a customer from an HTTP link in the CRM customer account page.

So I would bypass my LoginUrlAuthenticationEntryPoint and access the customer account directly.

EDIT after Michael's help: I realize that I need to keep a trace of which CRM user accesses which portal account.
My questions are:
- should I use PreAuthenticatedManager or RunAsManager?
- do I need declare a 2nd EntryPoint?
- what about AuthenticationFilters?

- Is it possible to recover a user BASIC-authenticated in my CRM webapp in my new portal AbstractPreAuthenticatedProcessingFilter?

Solution

I have the following assumptions / conclusions from your explanation:

1) The CRM user repository and the portal user repository have different users

2) CRM users should not know portal users passwords

I do not think you need to use RunAsManager. (When you use RunAsManager it means you first authenticate as a CRM user in the portal and then replace the authentication with a portal user authentication. I do not think you can authenticate a CRM user against the portal user repository.)

I suggest creating your own “AuthenticateAs” functionality: when a CRM user presses a link on a portal user's CRM page, they will be authenticated in the portal as that portal user without providing a password.

How does it work?

1) When a CRM user presses the link, a parameter with an encrypted portal user name is added to the URL.

2) When the request with the encrypted portal user name reaches the portal application, a newly created PreAuthenticatedProcessingFilter decrypts the user name and authenticates the user.

That’s it :)

A couple of comments:

1) Please use the AES-256 algorithm to encrypt / decrypt the user name.

2) Please ensure that the key for encrypt / decrypt cannot be accessed by HTTP.

3) You can extend AbstractPreAuthenticatedProcessingFilter for your PreAuthenticatedProcessingFilter.

4) I strongly suggest creating two roles in the portal application: USER_WRITE_ROLE and USER_READ_ROLE. When a CRM user accesses using “AuthenticateAs” authentication, it should get USER_READ_ROLE. When a portal user accesses using regular authentication, it should get USER_WRITE_ROLE.

5) You should think about how a CRM user will perform the logout for a portal user (otherwise he will always work on the first user). The simplest way I can think of: the PreAuthenticatedProcessingFilter should process each request (even if already authenticated) and, if it contains the parameter with the user name, clean the portal user session and perform the new authentication.

Please tell me what you think about the suggestion and tell me if you need any additional clarifications.

Best regards,

Michael

P.S. Added after the question was edited. The simplest way to track CRM users on the portal is to add an additional encrypted parameter with the CRM user name to the URL.
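The scheme from the answer above, written out as an added example that is not code from the questioner or from Michael: the encrypted “AuthenticateAs” parameter (with the CRM user name folded in, as the P.S. suggests), a filter extending AbstractPreAuthenticatedProcessingFilter that consumes it and re-authenticates on every request carrying it (comments 3 and 5), and the user lookup that grants USER_READ_ROLE only (comment 4). Everything not in the answer is an assumption: the parameter name `authAs`, the class names, the 60-second token lifetime, Java 8+, `javax.servlet` and Spring Security 3.2+ APIs. AES-GCM is used instead of plain AES so that a tampered or forged parameter is rejected rather than decrypted to garbage.

```java
// Added example, not code from the original question or answer. Assumed: parameter name
// "authAs", role USER_READ_ROLE, 60 s token lifetime, Java 8+, javax.servlet, Spring Security 3.2+.
// AES-GCM (authenticated encryption) is used so a modified or forged token fails verification.
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.preauth.*;

/** Shared by both webapps: the CRM mints the parameter, the portal verifies it with the same key. */
final class AuthenticateAsToken {
    private static final byte[] PURPOSE = "crm-authenticate-as".getBytes(StandardCharsets.UTF_8);
    private static final long LIFETIME_MS = 60_000;     // assumed: the link is clicked right away
    private static final SecureRandom RNG = new SecureRandom();
    final String portalUser, crmUser;                   // crmUser gives the audit trail asked for in the edit

    private AuthenticateAsToken(String portalUser, String crmUser) { this.portalUser = portalUser; this.crmUser = crmUser; }

    /** CRM side: the value for the ?authAs= parameter of the link. */
    static String encrypt(SecretKey key, String portalUser, String crmUser, long nowMs) throws Exception {
        if (portalUser.contains("\n") || crmUser.contains("\n")) throw new IllegalArgumentException("bad user name");
        byte[] nonce = new byte[12];                    // fresh 96-bit GCM nonce per token
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(PURPOSE);                           // a token minted for another purpose will not verify
        byte[] ct = c.doFinal((portalUser + "\n" + crmUser + "\n" + (nowMs + LIFETIME_MS)).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(ByteBuffer.allocate(12 + ct.length).put(nonce).put(ct).array());
    }

    /** Portal side: null for anything but an intact, unexpired token (bad Base64, wrong key, tag mismatch). */
    static AuthenticateAsToken decrypt(SecretKey key, String param, long nowMs) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(param);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            c.updateAAD(PURPOSE);
            String[] f = new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8).split("\n", -1);
            return f.length == 3 && Long.parseLong(f[2]) >= nowMs ? new AuthenticateAsToken(f[0], f[1]) : null;
        } catch (Exception e) {
            return null;
        }
    }
}

/** Portal side (comment 3). Map it only to the URL the CRM links point at, e.g. /crm-access. */
final class AuthenticateAsFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String PARAM = "authAs";               // assumed parameter name
    private final SecretKey key;

    AuthenticateAsFilter(SecretKey key) { this.key = key; }

    private AuthenticateAsToken token(HttpServletRequest req) {
        String p = req.getParameter(PARAM);
        return p == null ? null : AuthenticateAsToken.decrypt(key, p, System.currentTimeMillis());
    }

    @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
        AuthenticateAsToken t = token(req);
        return t == null ? null : t.portalUser;         // null: nothing to pre-authenticate, chain continues
    }

    @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest req) {
        AuthenticateAsToken t = token(req);
        return t == null ? "N/A" : t.crmUser;           // available later via Authentication.getCredentials()
    }

    /** Comment 5: a fresh authAs link always replaces whatever portal session exists. */
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (request.getParameter(PARAM) != null) {
            HttpSession session = request.getSession(false);
            if (session != null) session.invalidate();
            SecurityContextHolder.clearContext();       // so super.doFilter sees no Authentication and re-runs pre-auth
        }
        super.doFilter(req, res, chain);
    }
}

/** Comment 4: "AuthenticateAs" logins only get USER_READ_ROLE; the normal JDBC login keeps USER_WRITE_ROLE. */
final class ReadOnlyPortalUserService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    private final UserDetailsService portalUsers;       // the portal's existing JDBC manager

    ReadOnlyPortalUserService(UserDetailsService portalUsers) { this.portalUsers = portalUsers; }

    @Override public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        UserDetails u = portalUsers.loadUserByUsername(token.getName()); // unknown user -> UsernameNotFoundException -> auth fails
        return new User(u.getUsername(), "", u.isEnabled(), u.isAccountNonExpired(), u.isCredentialsNonExpired(),
                u.isAccountNonLocked(), Collections.singletonList(new SimpleGrantedAuthority("USER_READ_ROLE")));
    }
}
```

Wiring (also assumed, not from the answer): the CRM page builds its link as `/crm-access?authAs=` followed by `AuthenticateAsToken.encrypt(key, portalUser, crmUser, System.currentTimeMillis())`; the portal registers `AuthenticateAsFilter` at the PRE_AUTH_FILTER position with `setAuthenticationManager` pointing at a ProviderManager holding a `PreAuthenticatedAuthenticationProvider` whose `setPreAuthenticatedUserDetailsService` is a `ReadOnlyPortalUserService` wrapping the existing JDBC UserDetailsService. The CRM user name arrives in the portal as `Authentication.getCredentials()`, so logging it on successful authentication records which CRM user opened which portal account. Because the token travels in the query string it lands in access logs, browser history and Referer headers; the short lifetime limits that window, and the shared key must be loaded from a location the web server never serves, as comment 2 requires.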

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow