X.509 authentication is covered in its own chapter. Here we'll look at some classes which provide support for other pre-authenticated scenarios.
An external authentication system may supply information to the application by setting specific headers on the HTTP request.
A well known example of this is Siteminder, which passes the username in a header called SM_USER.
This mechanism is supported by the class RequestHeaderPreAuthenticatedProcessingFilter, which simply extracts the username from the header. It defaults to using the name SM_USER as the header name. See the Javadoc for more details.
Note that when using a system like this, the framework performs no authentication checks at all: whatever value arrives in the header is taken to be the authenticated username. It is therefore extremely important that the external system is configured properly and protects all access to the application. In practice this means the application must be reachable only through the external system, and that system must strip or overwrite any SM_USER header supplied by the client before forwarding the request. If an attacker is able to send a request directly to the application, or to forge the header in their original request without this being detected, then they could choose any username they wished, including that of an administrator.
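As an added illustration of that caveat (example code written for this page, not part of the reference documentation or of the Spring Security project), the servlet filter below rejects any request that did not arrive from the trusted Siteminder agent, so a forged SM_USER header from a direct connection never reaches the pre-authentication filter. The filter name, the trustedAddresses init parameter and the decision to fail closed with a 403 are assumptions of this example. It deliberately uses the TCP peer address (getRemoteAddr) rather than an X-Forwarded-For header, since the latter is just another client-controlled header.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical guard filter (not a Spring Security class). Map it in web.xml
 * ahead of the Spring Security filter chain so that it runs before
 * RequestHeaderPreAuthenticatedProcessingFilter trusts the SM_USER header.
 */
public class TrustedUpstreamGuardFilter implements Filter {

    /** Header the external system uses to assert the username. */
    private static final String PRINCIPAL_HEADER = "SM_USER";

    /** Peer addresses allowed to assert identities (assumed init-param values). */
    private final Set<String> trustedAddresses = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String list = config.getInitParameter("trustedAddresses");
        if (list == null || list.trim().length() == 0) {
            // Fail at startup rather than silently trusting every peer.
            throw new ServletException("trustedAddresses init-param is required");
        }
        trustedAddresses.addAll(Arrays.asList(list.trim().split("\\s*,\\s*")));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRemoteAddr is the actual TCP peer; it cannot be set by the client
        // the way a header can.
        if (!trustedAddresses.contains(request.getRemoteAddr())) {
            // A request that bypassed the agent is a deployment error, not a
            // legitimate anonymous request: fail closed instead of stripping
            // the header and letting the request through.
            String asserted = request.getHeader(PRINCIPAL_HEADER);
            request.getSession(false); // no session is created for rejected requests
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    asserted == null ? "Direct access not permitted"
                                     : "Identity assertion from untrusted peer rejected");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

The filter is only a backstop: the primary control remains network-level isolation of the application so that the agent is the sole route in. The asserted value is read solely to choose the error message; it is never used to make an authorization decision for an untrusted peer.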
A typical configuration using this filter would look like this:
<bean id="siteminderFilter" class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
    <security:custom-filter position="PRE_AUTH_FILTER" />
    <property name="principalRequestHeader" value="SM_USER"/>
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="preauthAuthProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    <security:custom-authentication-provider />
    <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="userDetailsService"/>
        </bean>
    </property>
</bean>

<security:authentication-manager alias="authenticationManager" />
We've assumed here that the security namespace is being used for configuration (hence the use of the custom-filter, authentication-manager and custom-authentication-provider elements; you can read more about them in the namespace chapter). You would leave these out of a traditional bean configuration.
It's also assumed that you have added a UserDetailsService (called “userDetailsService”) to your configuration to load the user's roles.
The class J2eePreAuthenticatedProcessingFilter will extract the username from the userPrincipal property of the HttpServletRequest. Use of this filter would usually be combined with the use of J2EE roles as described above in the section called “J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource”.