Spring Security Framework

Class RequestHeaderPreAuthenticatedProcessingFilter

  extended by org.springframework.security.ui.SpringSecurityFilter
      extended by org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter
          extended by org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter
All Implemented Interfaces:
Filter, InitializingBean, ApplicationEventPublisherAware, Ordered

public class RequestHeaderPreAuthenticatedProcessingFilter
extends AbstractPreAuthenticatedProcessingFilter

A simple pre-authenticated filter which obtains the username from a request header, for use with systems such as CA Siteminder.

As with most pre-authenticated scenarios, it is essential that the external authentication system is set up correctly as this filter does no authentication whatsoever. All the protection is assumed to be provided externally and if this filter is included inappropriately in a configuration, it would be possible to assume the identity of a user merely by setting the correct header name. This also means it should not be used in combination with other Spring Security authentication mechanisms such as form login, as this would imply there was a means of bypassing the external system which would be risky.

The property principalRequestHeader is the name of the request header that contains the username. It defaults to "SM_USER" for compatibility with Siteminder.

Luke Taylor

Field Summary
Fields inherited from class org.springframework.security.ui.SpringSecurityFilter
Fields inherited from interface org.springframework.core.Ordered
Constructor Summary
Method Summary
 int getOrder()
protected  Object getPreAuthenticatedCredentials(HttpServletRequest request)
          Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this will be read and used as the credentials value.
protected  Object getPreAuthenticatedPrincipal(HttpServletRequest request)
          Read and returns the header named by principalRequestHeader from the request.
 void setCredentialsRequestHeader(String credentialsRequestHeader)
 void setPrincipalRequestHeader(String principalRequestHeader)
Methods inherited from class org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter
afterPropertiesSet, doFilterHttp, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setContinueFilterChainOnUnsuccessfulAuthentication, successfulAuthentication, unsuccessfulAuthentication
Methods inherited from class org.springframework.security.ui.SpringSecurityFilter
destroy, doFilter, init, toString
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail


public RequestHeaderPreAuthenticatedProcessingFilter()
Method Detail


protected Object getPreAuthenticatedPrincipal(HttpServletRequest request)
Read and returns the header named by principalRequestHeader from the request.

Specified by:
getPreAuthenticatedPrincipal in class AbstractPreAuthenticatedProcessingFilter
PreAuthenticatedCredentialsNotFoundException - if the header is missing


protected Object getPreAuthenticatedCredentials(HttpServletRequest request)
Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this will be read and used as the credentials value. Otherwise a dummy value will be used.

Specified by:
getPreAuthenticatedCredentials in class AbstractPreAuthenticatedProcessingFilter


public void setPrincipalRequestHeader(String principalRequestHeader)


public void setCredentialsRequestHeader(String credentialsRequestHeader)


public int getOrder()

Spring Security Framework

Copyright © 2004-2010 SpringSource, Inc. All Rights Reserved.