public class RequestHeaderPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter
As with most pre-authenticated scenarios, it is essential that the external authentication system is set up correctly, as this filter does no authentication whatsoever. All the protection is assumed to be provided externally; if this filter is included inappropriately in a configuration, it would be possible to assume the identity of a user merely by setting the correct header name. For the same reason, it should not be used in combination with other Spring Security authentication mechanisms such as form login, as this would imply there was a means of bypassing the external system, which would be risky.
The property principalRequestHeader is the name of the request header that contains the username. It defaults to "SM_USER" for compatibility with Siteminder.
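One way to fail closed when a request carrying the principal header reaches the application without passing through the external system. This is an added example, not part of Spring Security or of the original page: the class name `TrustedProxyHeaderGuardFilter` and the init-param names `trustedProxies` and `principalHeader` are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical guard: rejects identity headers that did not arrive via the trusted proxy. */
public class TrustedProxyHeaderGuardFilter implements Filter {
    private final Set<String> trustedProxies = new HashSet<String>();
    private String principalHeader = "SM_USER"; // default of principalRequestHeader

    public void init(FilterConfig config) throws ServletException {
        // Init-param names are assumptions of this example, set in web.xml.
        String proxies = config.getInitParameter("trustedProxies");
        if (proxies == null || proxies.trim().length() == 0) {
            // Refuse to start rather than run with no trusted source defined.
            throw new ServletException("trustedProxies must list at least one address");
        }
        for (String p : proxies.split(",")) {
            trustedProxies.add(p.trim());
        }
        String header = config.getInitParameter("principalHeader");
        if (header != null) {
            principalHeader = header;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        boolean fromProxy = trustedProxies.contains(request.getRemoteAddr());
        // getHeader() matches header names case-insensitively, as HTTP requires.
        if (!fromProxy && request.getHeader(principalHeader) != null) {
            // The header was set by something other than the external system.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The guard has to be mapped ahead of the Spring Security filter chain, and the address check is only meaningful when the external system connects directly to the servlet container. It complements, rather than replaces, restricting network access so that only the external system can reach the application.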
logger
Constructor and Description |
---|
RequestHeaderPreAuthenticatedProcessingFilter() |
Modifier and Type | Method and Description |
---|---|
int | getOrder() |
protected java.lang.Object | getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request) Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this will be read and used as the credentials value. |
protected java.lang.Object | getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request) Reads and returns the header named by principalRequestHeader from the request. |
void | setCredentialsRequestHeader(java.lang.String credentialsRequestHeader) |
void | setPrincipalRequestHeader(java.lang.String principalRequestHeader) |
afterPropertiesSet, doFilterHttp, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setContinueFilterChainOnUnsuccessfulAuthentication, successfulAuthentication, unsuccessfulAuthentication
destroy, doFilter, init, toString
public RequestHeaderPreAuthenticatedProcessingFilter()
protected java.lang.Object getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
getPreAuthenticatedPrincipal in class AbstractPreAuthenticatedProcessingFilter
Throws: PreAuthenticatedCredentialsNotFoundException - if the header is missing
protected java.lang.Object getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
getPreAuthenticatedCredentials in class AbstractPreAuthenticatedProcessingFilter
public void setPrincipalRequestHeader(java.lang.String principalRequestHeader)
public void setCredentialsRequestHeader(java.lang.String credentialsRequestHeader)
public int getOrder()