Concrete Implementations

X.509 authentication is covered in its own chapter. Here we'll look at some classes which provide support for other pre-authenticated scenarios.

Request-Header Authentication (Siteminder)

An external authentication system may supply information to the application by setting specific headers on the HTTP request. A well known example of this is Siteminder, which passes the username in a header called SM_USER. This mechanism is supported by the class RequestHeaderPreAuthenticatedProcessingFilter, which simply extracts the username from the header. It defaults to using the name SM_USER as the header name. See the Javadoc for more details.

Tip

Note that when using a system like this, the framework performs no authentication checks at all, and it is extremely important that the external system is configured properly and protects all access to the application. If an attacker is able to forge the headers in their original request without this being detected, then they could potentially choose any username they wished.

Siteminder Example Configuration

A typical configuration using this filter would look like this:

  <bean id="siteminderFilter"
      class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
    <security:custom-filter position="PRE_AUTH_FILTER" />
    <property name="principalRequestHeader" value="SM_USER"/>
    <property name="authenticationManager" ref="authenticationManager" />
  </bean>

  <bean id="preauthAuthProvider"
      class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    <security:custom-authentication-provider />
    <property name="preAuthenticatedUserDetailsService">
      <bean id="userDetailsServiceWrapper"
            class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" ref="userDetailsService"/>
      </bean>
    </property>
  </bean>

  <security:authentication-manager alias="authenticationManager" />


We've assumed here that the security namespace is being used for configuration (hence the use of the custom-filter, authentication-manager and custom-authentication-provider elements; you can read more about them in the namespace chapter). You would leave these out of a traditional bean configuration. It's also assumed that you have added a UserDetailsService (called userDetailsService) to your configuration to load the user's roles.
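The tip above warns that RequestHeaderPreAuthenticatedProcessingFilter trusts the SM_USER header unconditionally. As an added example (not code from the Spring Security reference or the project itself), here is a guard filter that refuses any request carrying the principal header unless it arrived from a configured Siteminder agent address, so a forged header from elsewhere is rejected and logged before the pre-authentication filter sees it. The class name, the trustedAgentAddresses property and the assumption that the agent's address is visible as the request's remote address are assumptions of this example.

```java
package example.preauth; // hypothetical package

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical guard filter: rejects requests that carry the
 * pre-authentication header but did not come from a trusted agent.
 * It must run before RequestHeaderPreAuthenticatedProcessingFilter.
 */
public class TrustedHeaderSourceFilter extends OncePerRequestFilter {

    private String principalRequestHeader = "SM_USER";
    private Set<String> trustedAgentAddresses = new HashSet<String>();

    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {

        String principal = request.getHeader(principalRequestHeader);
        // Assumption: the agent connects to the application directly, so
        // getRemoteAddr() is the agent's address. Behind a load balancer it
        // would be the balancer's address and this check would need a
        // different trust signal (for example a shared secret header).
        if (principal != null
                && !trustedAgentAddresses.contains(request.getRemoteAddr())) {
            // Detection hook: a principal header from an untrusted source
            // is either a misconfiguration or a forgery attempt.
            logger.warn("Rejected " + principalRequestHeader + " header from "
                    + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void setPrincipalRequestHeader(String headerName) {
        this.principalRequestHeader = headerName;
    }

    public void setTrustedAgentAddresses(Set<String> addresses) {
        this.trustedAgentAddresses = new HashSet<String>(addresses);
    }
}
```

With the namespace configuration shown above, the bean for this filter would be registered with a custom-filter element placed before PRE_AUTH_FILTER, with trustedAgentAddresses set to the agent host addresses.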

J2EE Container Authentication

The class J2eePreAuthenticatedProcessingFilter will extract the username from the userPrincipal property of the HttpServletRequest. Use of this filter would usually be combined with the use of J2EE roles as described above in the section called “J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource”.