Spring Security Framework

org.springframework.security.ui.preauth.header
Class RequestHeaderPreAuthenticatedProcessingFilter

java.lang.Object
  extended by org.springframework.security.ui.SpringSecurityFilter
      extended by org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter
          extended by org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter
All Implemented Interfaces:
Filter, InitializingBean, ApplicationEventPublisherAware, Ordered

public class RequestHeaderPreAuthenticatedProcessingFilter
extends AbstractPreAuthenticatedProcessingFilter

A simple pre-authenticated filter which obtains the username from a request header, for use with systems such as CA Siteminder.

As with most pre-authenticated scenarios, it is essential that the external authentication system is set up correctly, because this filter performs no authentication whatsoever. All the protection is assumed to be provided externally: if this filter is included inappropriately in a configuration, it would be possible to assume the identity of a user merely by sending a header with the correct name. It should therefore not be used in combination with other Spring Security authentication mechanisms such as form login, since that would imply there was a means of bypassing the external system, which would be risky.

The property principalRequestHeader is the name of the request header that contains the username. It defaults to "SM_USER" for compatibility with Siteminder.

Since:
2.0
Version:
$Id$
Author:
Luke Taylor
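
The class description above warns that a client able to reach the application directly can supply the username header itself. The servlet filter below is an added example, not part of Spring Security: a hypothetical guard, mapped in web.xml ahead of the Spring Security filter chain, that refuses any request whose TCP peer is not a configured proxy address. The class name and the "trustedProxies" and "principalRequestHeader" init-params are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical guard filter (illustration only, not a Spring Security class).
public class TrustedProxyGuardFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(TrustedProxyGuardFilter.class.getName());
    private final Set<String> trustedProxies = new HashSet<String>();
    private String principalRequestHeader = "SM_USER"; // same default as the filter documented here

    public void init(FilterConfig config) throws ServletException {
        String proxies = config.getInitParameter("trustedProxies"); // assumed: comma-separated IPs
        if (proxies == null || proxies.trim().length() == 0) {
            // Fail closed: an empty allow-list must not mean "trust everyone".
            throw new ServletException("trustedProxies init-param is required");
        }
        for (String ip : proxies.split(",")) {
            trustedProxies.add(ip.trim());
        }
        String header = config.getInitParameter("principalRequestHeader");
        if (header != null) {
            principalRequestHeader = header;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Use the TCP peer address; forwarded-for style headers are client-controlled.
        String peer = request.getRemoteAddr();
        if (!trustedProxies.contains(peer)) {
            if (request.getHeader(principalRequestHeader) != null) {
                // A direct request carrying the identity header is worth alerting on.
                LOG.warning("Rejected " + principalRequestHeader + " header from untrusted peer " + peer);
            }
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Network-level restrictions that let only the external authentication system reach the application remain the primary control; a filter like this is a second layer and a source of log events.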

Field Summary
 
Fields inherited from class org.springframework.security.ui.SpringSecurityFilter
logger
 
Fields inherited from interface org.springframework.core.Ordered
HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE
 
Constructor Summary
RequestHeaderPreAuthenticatedProcessingFilter()
           
 
Method Summary
 int getOrder()
           
protected  Object getPreAuthenticatedCredentials(HttpServletRequest request)
          Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this will be read and used as the credentials value.
protected  Object getPreAuthenticatedPrincipal(HttpServletRequest request)
          Reads and returns the header named by principalRequestHeader from the request.
 void setCredentialsRequestHeader(String credentialsRequestHeader)
           
 void setPrincipalRequestHeader(String principalRequestHeader)
           
 
Methods inherited from class org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter
afterPropertiesSet, doFilterHttp, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setContinueFilterChainOnUnsuccessfulAuthentication, successfulAuthentication, unsuccessfulAuthentication
 
Methods inherited from class org.springframework.security.ui.SpringSecurityFilter
destroy, doFilter, init, toString
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Constructor Detail

RequestHeaderPreAuthenticatedProcessingFilter

public RequestHeaderPreAuthenticatedProcessingFilter()
Method Detail

getPreAuthenticatedPrincipal

protected Object getPreAuthenticatedPrincipal(HttpServletRequest request)
Reads and returns the header named by principalRequestHeader from the request.

Specified by:
getPreAuthenticatedPrincipal in class AbstractPreAuthenticatedProcessingFilter
Throws:
PreAuthenticatedCredentialsNotFoundException - if the header is missing

getPreAuthenticatedCredentials

protected Object getPreAuthenticatedCredentials(HttpServletRequest request)
Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this will be read and used as the credentials value. Otherwise a dummy value will be used.

Specified by:
getPreAuthenticatedCredentials in class AbstractPreAuthenticatedProcessingFilter

setPrincipalRequestHeader

public void setPrincipalRequestHeader(String principalRequestHeader)

setCredentialsRequestHeader

public void setCredentialsRequestHeader(String credentialsRequestHeader)

getOrder

public int getOrder()

Copyright © 2004-2010 SpringSource, Inc. All Rights Reserved.