I have a JSF based web app that authenticates users. What I do is verify that they exist along with their password combo, in the database, then I set a variable in their session bean. I have a filter that checks the bean on any movement to a restricted access page (anything other than the logon and E-mail password pages for example) to verify that the user's session is still valid.
Well, now I have been asked to make this logic accessible by another web app (built using JSP).
In short, what they want to do is have this other app "call" my app to do the authentication and have me send back a pass/fail. If the user authenticates, then they want to redirect to my app and bypass the logon mechanism.
Any ideas on how this might best be architected?
I suppose that I could set up a web service to do this..but is that overkill?
It's quite a bit of hassle I must say, but I thought of a solution; hope it is helpful.
Let's assume that there is WebApp1 and WebApp2. WebApp1 contains the authentication mechanism, then what I am proposing is to have a servlet in WebApp1 which caters to WebApp2. WebApp2 creates HTTP requests, WebApp1 generates XML responses to them, and WebApp2 as client parses these XMLs and uses them as required. But since HTTP is stateless, what you can do is hit WebApp1 only once when the session is activated for the first time, store the XML response from WebApp1 in an object and put it away in the session of WebApp2, and the user henceforth can be authenticated from WebApp2.
Another approach would be to use RPC in between, but then it leads to a problem with the session.
But the crux of the problem is that from WebApp2 the authentication needs to be done only once, henceforth the session of WebApp2 should take care of this problem.
It would seem a better idea to create some sort of authentication service for both web app1 and web app2 to use, with a method like
public UserDetails authenticate(UserCredentials creds) throws AuthenticationFailedException, RemoteException;
Deploy it as a web service, or on an RMI server, or as a session bean on an app server, or a separate servlet that returns XML content (why, when you can use a web service) and then implement the db stuff however you want. And if both webapps can talk to the same db, just deploy it as a little piece of code in the same JVM that your main servlet talks to.
This webapp2 talking to webapp1 seems to make it sound harder than what it should be, when you should just abstract the authentication stuff from webapp1 to an independent module.
What if you decide to make a Swing app, so for authentication you have to redo the auth stuff again, or else make the Swing app talk to webapp1 when it might be concerned with totally different back end servers, and webapp1 becomes a point of failure.
Just a thought, maybe not a well thought through one.
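A minimal version of the shared authentication module proposed in this answer, written as an added example that is not from the thread: the service interface with the signature above, a database-backed implementation behind an assumed CredentialStore, the logon step that marks the session, and the filter both apps deploy to guard restricted pages (the javax.servlet API and the CredentialStore lookup against stored password hashes are assumptions).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

class AuthenticationFailedException extends Exception {
    AuthenticationFailedException(String msg) { super(msg); }
}

record UserCredentials(String username, char[] password) {}
record UserDetails(String username) {}

/** The one service both web apps call, matching the signature proposed in the thread. */
interface AuthenticationService {
    UserDetails authenticate(UserCredentials creds) throws AuthenticationFailedException;
}

/** Assumed dependency: looks the user up in the database and verifies the password against the stored hash. */
interface CredentialStore {
    boolean verify(String username, char[] password);
}

class DbAuthenticationService implements AuthenticationService {
    private final CredentialStore store;
    DbAuthenticationService(CredentialStore store) { this.store = store; }
    public UserDetails authenticate(UserCredentials creds) throws AuthenticationFailedException {
        // One generic failure message: do not reveal whether the user name or the password was wrong.
        if (!store.verify(creds.username(), creds.password()))
            throw new AuthenticationFailedException("invalid credentials");
        return new UserDetails(creds.username());
    }
}

/** Logon step used by each app: authenticate once, then mark a fresh session so the filter lets the user through. */
class LogonHelper {
    static final String USER_ATTR = "authenticatedUser";
    static void logon(HttpServletRequest r, AuthenticationService svc, UserCredentials creds)
            throws AuthenticationFailedException {
        UserDetails user = svc.authenticate(creds);
        HttpSession old = r.getSession(false);
        if (old != null) old.invalidate();            // new session id after logon, so a pre-logon id cannot be reused
        r.getSession(true).setAttribute(USER_ATTR, user);
    }
}

/** Filter mapped to the restricted pages in both apps: no marked session, no access. */
class AuthFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession s = r.getSession(false);
        if (s == null || s.getAttribute(LogonHelper.USER_ATTR) == null) {
            ((HttpServletResponse) res).sendRedirect(r.getContextPath() + "/logon.jsf"); // logon page is an assumed path
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Whether DbAuthenticationService runs in the same JVM or behind a web service, each app still marks its own session after the call, which is what keeps the filter working without a second sign-on.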
Thanks for the feedback.
Thinking about it, this might take a little bit of both to work. Here is some more detail about what is going on:
What will happen is that my app will be "housed" inside of the other app in that it will take up an area surrounded by the other app. This other app (call it App1) will need to authenticate in the same manner that my app (call it App2) does.
Instead of having the user sign on two times, and reproduce the same code twice, it would be nice to be able to call either my app, or a common web service (or some other mechanism) to authenticate. The other option would be to have App1 do the authentication, and then forward the username/password to my app somehow.
The thing is, the user does not always need to use my app (App2), and may just sign on to use the aspects of App1. Sometimes though, they need to get to App2 as well, and a second sign-on using the same username/password combo shouldn't be required.
Of course, these were designed as two separate apps. Mine already contains authentication code and filters to verify that the session is still active. The other app (App1) has no authentication code in it at all currently.
I'd like to keep App1 intact as best as possible to keep the filter working (it relies on the session being there and the user name being valid).
My thought is that I could create a web service that both apps could call, but somehow, App1 must still send App2 the username/password combo to prevent the user from having to enter it in App2 as well as App1.
So, some form of inter-app communication is going to have to take place.