https://github.com/steinarb/authservice
I wrote this to cover my own use case, which was to have the same login for nginx itself, as well as a couple of web whiteboard webapps running in the same apache karaf, behind the nginx server through a reverse proxy setup.

Cross-webapp SSO works by providing the shiro interfaces Realm[1] and SessionDAO[2] as OSGi services to shiro web sessionmanagers. Nginx authentication is handled by providing nginx with a URL suitable for the nginx auth_request module[3], that shares Realm and SessionDAO with the karaf webapps.

Authservice is based on Shiro 1.3.1 (I can't remember why it isn't 1.3.2. I will try with 1.3.2 and if it works, release a new version of authservice to maven central shortly), and it will be upgraded to the first OSGi-friendly 1.4.x or 1.5 version released by Francois Papon.

The authservice license is Apache v2, and authservice has been deployed to maven central.

To try it out:
 1. From a karaf console, give the following commands:
      feature:repo-add mvn:no.priv.bang.authservice/authservice/LATEST/xml/features
      feature:install authservice-with-derby-dbrealm-and-session
 2. Open the URL http://localhost:8181/authservice in a web browser and log in with username/password: jad/1ad
 3. Verify that the "User administration UI" is inaccessible and use the back button in the browser to get back to the main authservice page
 4. Click on the "Change your own password" link and try changing the password
 5. After changing the password click on the back button in the browser to get back to the main authservice page
    Note: don't use the "Back to top" link because that links to two levels up
 6. Click on the "Change your own email and real name" link and try changing them
 7. Click on the back button in the browser to get back to the main authservice page (here too the "Back to top" link links two levels up, because both of these URLs are intended as self service URLs linked to from the main nginx page)
 8. Click on "Logout" and then log in again as username/password: admin/admin
 9. Click on the "User administration UI" and try giving user jad the useradmin role
10. Click on the "Up to authservice top" link and then click the "Logout" link
11. Log in with username/password: jad/1ad
12. Verify that user jad now can use the "User administration UI"

The authservice-with-derby-dbrealm-and-session feature uses an in-memory database that will disappear when karaf is stopped and restarted. "Production" authservice uses PostgreSQL.

Authservice feature summary
 - Based on Apache Shiro
 - Apache Karaf application based on pax web whiteboard and OSGi Declarative Services (DS)
 - Plain HTML "self-service" pages for letting users change their passwords and personal information
 - A small user administration UI written in react and styled with bootstrap v4
 - A Shiro JDBC realm that supports base64 encoded password salt
 - JDBC database schema and initial data setup provided by a liquibase script, which means that in theory any JDBC database supported by liquibase can be used to replace PostgreSQL (some code required, the README has suggestions)

References:
[1] <http://shiro.apache.org/static/1.3.1/apidocs/org/apache/shiro/realm/Realm.html>
[2] <http://shiro.apache.org/static/1.3.1/apidocs/org/apache/shiro/session/mgt/eis/SessionDAO.html>
[3] <http://nginx.org/en/docs/http/ngx_http_auth_request_module.html>
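
The nginx side of the auth_request[3] arrangement described above could look like the following; this is an added example, not configuration taken from the authservice project or its README. Assumptions: karaf answers on localhost:8181 as in the try-out steps, example.org and /var/www/html are constructed values, and AUTH_CHECK_PATH_PLACEHOLDER stands in for the authservice URL meant for auth_request, which this announcement does not name.

```nginx
# Added example (not from the authservice project).
# AUTH_CHECK_PATH_PLACEHOLDER is a placeholder: substitute the check URL
# documented by authservice.
server {
    listen 80;
    server_name example.org;              # constructed host name

    # Content served by nginx itself: every request triggers a subrequest
    # to /_auth. 2xx lets the request through, 401/403 denies it, and any
    # other status from the check is treated as an error.
    location / {
        auth_request /_auth;
        error_page 401 = @login;          # no valid session: go to login
        root /var/www/html;               # constructed document root
    }

    # Subrequest target. "internal" keeps clients from calling it directly.
    location = /_auth {
        internal;
        proxy_pass http://localhost:8181/authservice/AUTH_CHECK_PATH_PLACEHOLDER;
        # The check is decided from the request headers (the session
        # cookie), so the body is not forwarded.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    # The authservice pages are proxied without auth_request, otherwise the
    # login page would itself require a login. Access control for these
    # pages is left to the webapp behind the proxy.
    location /authservice/ {
        proxy_pass http://localhost:8181/authservice/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Unauthenticated users are sent to the authservice main page.
    location @login {
        return 302 /authservice/;
    }
}
```

The check only sees a session if the browser sends the session cookie for the protected path, so verify the cookie's Path and Domain attributes cover both the nginx content and the karaf webapps.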