README file for Spring Security 2.0 Provider

Updated Feb 26/09 -

- Added Spring authorization code
- Fixed a bug in voting (null OpenSSO policy decision should result in ABSTAIN)

Please see (or generated javadoc) for additional


Integration between OpenSSO agent and Spring Security 2.0

This component is an implementation of Spring Security on top of the OpenSSO platform.
The goal is to configure the security module of a web application with Spring
Security while OpenSSO provides the implementation. This gives us:

- SSO authentication,
- Authorization based on policies defined in OpenSSO for the security domain

In the directory where this file is, you can find a Maven 2 project. However, the
OpenSSOclientsdk dependency is, at the moment, not found in any Maven repository.
Therefore, you must include it in your local repository:

{dir maven repo}/com/sun/identity/OpenSSOclientsdk/8.0/OpenSSOclientsdk-8.0.jar.

Then, you can execute

$ mvn install

And the provider will be located in

{dir maven repo}/com/sun/identity/provider/springsecurity/0.1/springsecurity-0.1.jar

to be used in maven projects. (See more details in

The provider consists of the following classes:

- com.sun.identity.provider.springsecurity.OpenSSOObjectDefinitionSource.-
It is in charge of getting the security policies defined for a resource and a
user through the web service of the OpenSSO.war application.

- com.sun.identity.provider.springsecurity.OpenSSOAuthenticationProvider.-
Implementation of Spring AuthenticationProvider with OpenSSO struts

- com.sun.identity.provider.springsecurity.OpenSSOProcessingFilter.-
Implementation of filter which is responsible for processing authentications.

- com.sun.identity.provider.springsecurity.OpenSSOProcessingFilterEntryPoint.-
It is in charge of validating the cookie that indicates whether the user is logged in
and getting the user's credentials. This class is the basis of the Single Sign-On
implementation.

- com.sun.identity.provider.springsecurity.OpenSSOLogoutHandler.- It is in charge
of doing the logout in the application and in every application where the user
logged via Single sign-on.

- com.sun.identity.provider.springsecurity.OpenSSOVoter.- It is in charge of
translating the action decisions to votes. The votes are interpreted by the
AccessDecisionManager (class of Spring Security) to know if the user has privileges
for a resource.
This is the weak spot, because OpenSSO has many ways to define policies and
an implementation of AccessDecisionVoter is necessary for each one.
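
The vote translation described for OpenSSOVoter, including the Feb 26/09 fix (a null
policy decision abstains), as an added example that is not the provider's own code.
It models the policy decision as a plain map of action name to returned values and
assumes that an explicit deny overrides an allow; both are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example: stands alone and uses no Spring or OpenSSO classes.
public class VoteMappingExample {
    // Same integer values as the constants in Spring Security's AccessDecisionVoter.
    static final int ACCESS_GRANTED = 1;
    static final int ACCESS_ABSTAIN = 0;
    static final int ACCESS_DENIED = -1;

    /**
     * decision: assumed shape, action name (e.g. "GET") mapped to the values the
     * policy service returned ("allow" / "deny"). null means no decision came back.
     */
    static int vote(Map<String, Set<String>> decision, String action) {
        if (decision == null) {
            return ACCESS_ABSTAIN;   // the fix noted above: null is not a denial
        }
        Set<String> values = decision.get(action);
        if (values == null || values.isEmpty()) {
            return ACCESS_ABSTAIN;   // no policy speaks about this action
        }
        if (values.contains("deny")) {
            return ACCESS_DENIED;    // assumption: an explicit deny always wins
        }
        return values.contains("allow") ? ACCESS_GRANTED : ACCESS_ABSTAIN;
    }

    public static void main(String[] args) {
        // Constructed sample decision, not captured from a real OpenSSO server.
        Map<String, Set<String>> decision = new HashMap<>();
        decision.put("GET", Set.of("allow"));
        decision.put("POST", Set.of("allow", "deny"));

        System.out.println("null decision  -> " + vote(null, "GET"));
        System.out.println("GET  (allow)   -> " + vote(decision, "GET"));
        System.out.println("POST (both)    -> " + vote(decision, "POST"));
        System.out.println("DELETE (none)  -> " + vote(decision, "DELETE"));
    }
}
```

Because a null decision yields ABSTAIN, the outcome for such requests is left to the
AccessDecisionManager; keep its allowIfAllAbstainDecisions property at false so that a
request with no OpenSSO decision is not granted by default.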

In the subversion URL:

you can find an example web application. See readme.txt file for details.