Share on:

OpenAM and Spring Boot 3 Integration via OpenAM Cookie

Original article:


In the following article, we will set up OpenAM as an Identity Provider for a Spring Boot Application. In the previous article, we set up a Spring Boot application authentication via OpenAM with SAMLv2 protocol. In the following article, we will set up authentication via OpenAM cookie.


OpenAM and Spring Boot applications should share same domain. In the following example, OpenAM host is and Spring Boot application host is

To test the example on the local machine, add the following lines to your hosts file:

OpenAM Configuration

Open OpenAM administration console. In the top menu go to Configure → Global Services → Platform. Set Cookie Domains as the common domain for the both applications:

OpenAM Cookie Domain

Spring Application Configuration

Create a new Spring Boot application and add the following Maven repositories and add the following dependencies:

<!--security dependencies-->

Add the following settings to the application.yml file

  port: 8081

Create a controller and two endpoints: index and protected-openam. The index endpoint will be accessible for anyone and protected-openam endpoint will be accessible for OpenAM authenticated users.

public class SampleController {

    public String index() {
        return "index";

    public String cookieProtected(Model model,  @AuthenticationPrincipal String principal) {
        model.addAttribute("userName", principal);
        model.addAttribute("method", "OpenAM Cookie");
        return "protected";

Create the following templates for controllers:


<!DOCTYPE html><html>
<h1>OpenAM Spring Security Integration</h1>
<h2>Test Authentication</h2>
    <li><a href="/protected-openam">OpenAM Cookie</a></li>


<!DOCTYPE html><html xmlns:th="">
<h1>Protected resource</h1>
<a href="/">Back</a></li>
<p><span th:text="${userName}"/> user authenticated with <span th:text="${method}"/></p>

Create Spring Security configuration class:

public class SecurityConfiguration {
    public SecurityFilterChain securityOpenAmFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/protected-openam", OpenAmAuthenticationFilter.OPENAM_AUTH_URI)
                .addFilterAt(new OpenAmAuthenticationFilter(), RememberMeAuthenticationFilter.class)
                .authorizeHttpRequests((authorize) ->
                .exceptionHandling(e ->
                        e.authenticationEntryPoint((request, response, authException) ->

Create OpenAM authentication filter:

public class OpenAmAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    private final String openAmUrl = "";
    private final String openAuthUrl = openAmUrl.concat("/XUI/#login");

    private final String openAmUserInfoUrl = openAmUrl.concat("/json/users?_action=idFromSession");
    private final String openAmCookieName = "iPlanetDirectoryPro";

    private final String redirectUrl = "";

    public static final String OPENAM_AUTH_URI = "/openam-auth";

    public OpenAmAuthenticationFilter() {
        super(OPENAM_AUTH_URI, new OpenAmAuthenticationManager());
        setSecurityContextRepository(new HttpSessionSecurityContextRepository());

    private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException {
        Optional<Cookie> openamCookie =
                .filter(c -> c.getName().equals(openAmCookieName)).findFirst();
        if(openamCookie.isEmpty()) {
           response.sendRedirect(openAuthUrl + "&goto=" + URLEncoder.encode(redirectUrl, StandardCharsets.UTF_8));
           return null;
        } else {
            String userId = getUserIdFromSession(openamCookie.get().getValue());
            if (userId == null) {
                throw new BadCredentialsException("invalid session!");
            OpenAmAuthenticationToken token = new OpenAmAuthenticationToken(userId);
            return this.getAuthenticationManager().authenticate(token);

    protected String getUserIdFromSession(String sessionId) {
        RestTemplate restTemplate = new RestTemplate();
        ParameterizedTypeReference<Map<String, String>> responseType =
                new ParameterizedTypeReference<>() {};
        HttpHeaders headers = new HttpHeaders();
        headers.add(openAmCookieName, sessionId);
        HttpEntity<?> entity = new HttpEntity<>(headers);
        ResponseEntity<Map<String, String>> response =, HttpMethod.POST, entity, responseType);
        Map<String, String> body = response.getBody();
        if (body == null) {
            return null;
        return body.get("id");

Create OpenAM authentication manager

public class OpenAmAuthenticationManager implements AuthenticationManager {
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if(authentication instanceof OpenAmAuthenticationToken) {
            return authentication;
        return authentication;

and OpenAM authentication token class:

public class OpenAmAuthenticationToken extends AbstractAuthenticationToken {
    private final String username;

    public OpenAmAuthenticationToken(String username) {
        super(Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")));
        this.username = username;

    public Object getCredentials() {
        return "";

    public Object getPrincipal() {
        return username;

Test Solution

Create the demo user for the top level realm for testing purposes. Open OpenAM console, open the top level realm. In the left menu click the Subjects element. In the list of subject click the New button.

OpenAM Create User

Fill the attributes and press the OK button.

Logout form OpenAM.

Run the Spring application an open its URL in a browser:

Test App Index

Click the OpenAM Cookie link. You will be redirected to the OpenAM authentication page.

OpenAM Authentication

Enter desired credentials and press the Log In button. After successful authentication you will be redirected to the Spring Boot application page as an authenticated user.

Test App Authenticated

PS. Thanks to for the idea for this manual.