org.springframework.security.web.authentication.preauth
Class RequestHeaderAuthenticationFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter
          extended by org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter
All Implemented Interfaces:
javax.servlet.Filter, BeanNameAware, DisposableBean, InitializingBean, ApplicationEventPublisherAware, ServletContextAware

public class RequestHeaderAuthenticationFilter
extends AbstractPreAuthenticatedProcessingFilter

A simple pre-authenticated filter which obtains the username from a request header, for use with systems such as CA Siteminder.

As with most pre-authenticated scenarios, it is essential that the external authentication system is set up correctly as this filter does no authentication whatsoever. All the protection is assumed to be provided externally and if this filter is included inappropriately in a configuration, it would be possible to assume the identity of a user merely by setting the correct header name. This also means it should not generally be used in combination with other Spring Security authentication mechanisms such as form login, as this would imply there was a means of bypassing the external system which would be risky.

The property principalRequestHeader is the name of the request header that contains the username. It defaults to "SM_USER" for compatibility with Siteminder.

If the header is missing from the request, getPreAuthenticatedPrincipal will throw an exception. You can override this behaviour by setting the exceptionIfHeaderMissing property.

Since:
2.0

Field Summary
 
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
 
Constructor Summary
RequestHeaderAuthenticationFilter()
           
 
Method Summary
protected  Object getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
          Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this will be read and used as the credentials value.
protected  Object getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
          Read and returns the header named by principalRequestHeader from the request.
 void setCredentialsRequestHeader(String credentialsRequestHeader)
           
 void setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing)
          Defines whether an exception should be raised if the principal header is missing.
 void setPrincipalRequestHeader(String principalRequestHeader)
           
 
Methods inherited from class org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter
afterPropertiesSet, doFilter, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setCheckForPrincipalChanges, setContinueFilterChainOnUnsuccessfulAuthentication, setInvalidateSessionOnPrincipalChange, successfulAuthentication, unsuccessfulAuthentication
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

RequestHeaderAuthenticationFilter

public RequestHeaderAuthenticationFilter()
Method Detail

getPreAuthenticatedPrincipal

protected Object getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
Read and returns the header named by principalRequestHeader from the request.

Specified by:
getPreAuthenticatedPrincipal in class AbstractPreAuthenticatedProcessingFilter
Throws:
PreAuthenticatedCredentialsNotFoundException - if the header is missing and exceptionIfHeaderMissing is set to true.

getPreAuthenticatedCredentials

protected Object getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this will be read and used as the credentials value. Otherwise a dummy value will be used.

Specified by:
getPreAuthenticatedCredentials in class AbstractPreAuthenticatedProcessingFilter

setPrincipalRequestHeader

public void setPrincipalRequestHeader(String principalRequestHeader)

setCredentialsRequestHeader

public void setCredentialsRequestHeader(String credentialsRequestHeader)

setExceptionIfHeaderMissing

public void setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing)
Defines whether an exception should be raised if the principal header is missing. Defaults to true.

Parameters:
exceptionIfHeaderMissing - set to false to override the default behaviour and allow the request to proceed if no header is found.