org.springframework.security.web.authentication.preauth
Class RequestHeaderAuthenticationFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter
org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter
- All Implemented Interfaces:
- javax.servlet.Filter, BeanNameAware, DisposableBean, InitializingBean, ApplicationEventPublisherAware, ServletContextAware
public class RequestHeaderAuthenticationFilter
extends AbstractPreAuthenticatedProcessingFilter
A simple pre-authenticated filter which obtains the username from a request header, for use with systems such as
CA Siteminder.
As with most pre-authenticated scenarios, it is essential that the external authentication system is set up
correctly, as this filter does no authentication whatsoever. All the protection is assumed to be provided externally,
and if this filter is included inappropriately in a configuration, it would be possible to assume the
identity of a user merely by setting the correct header name. This also means it should not generally be used
in combination with other Spring Security authentication mechanisms such as form login, as this would imply there
was a means of bypassing the external system, which would be risky.
The property principalRequestHeader is the name of the request header that contains the username. It
defaults to "SM_USER" for compatibility with Siteminder.
If the header is missing from the request, getPreAuthenticatedPrincipal will throw an exception. You
can override this behaviour by setting the exceptionIfHeaderMissing property.
- Since:
- 2.0
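One way to enforce the requirement above that the principal header can only arrive through the external authentication system, as an added example that is not part of Spring Security or of this page: a servlet filter, registered ahead of RequestHeaderAuthenticationFilter, that refuses any request carrying the header unless the direct network peer is a configured proxy. The class name TrustedProxyHeaderGuardFilter, its constructor arguments and the sample address are hypothetical, and the sketch assumes the proxy connects to the servlet container directly.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical guard (not a Spring Security class); register it before the pre-auth filter. */
public class TrustedProxyHeaderGuardFilter implements Filter {
    private final String principalRequestHeader;      // same name the pre-auth filter reads, e.g. "SM_USER"
    private final Set<String> trustedProxyAddresses;  // constructed sample value: {"10.0.0.5"}

    public TrustedProxyHeaderGuardFilter(String principalRequestHeader,
                                         Set<String> trustedProxyAddresses) {
        this.principalRequestHeader = principalRequestHeader;
        this.trustedProxyAddresses = trustedProxyAddresses;
    }

    /** True only when the direct peer of the connection is one of the configured proxies. */
    boolean isFromTrustedProxy(String remoteAddr) {
        return remoteAddr != null && trustedProxyAddresses.contains(remoteAddr);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getRemoteAddr() is the TCP peer. Forwarding headers such as X-Forwarded-For
        // are supplied by the client and are deliberately not consulted here.
        boolean carriesIdentity = request.getHeader(principalRequestHeader) != null;
        if (carriesIdentity && !isFromTrustedProxy(request.getRemoteAddr())) {
            // The identity header arrived over a path that bypassed the external system.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Identity header received from an untrusted source");
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }
}
```

This complements, and does not replace, network controls that make the application reachable only through the external authentication system.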
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
RequestHeaderAuthenticationFilter
public RequestHeaderAuthenticationFilter()
getPreAuthenticatedPrincipal
protected Object getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
- Reads and returns the header named by principalRequestHeader from the request.
- Specified by:
- getPreAuthenticatedPrincipal in class AbstractPreAuthenticatedProcessingFilter
- Throws:
- PreAuthenticatedCredentialsNotFoundException - if the header is missing and exceptionIfHeaderMissing is set to true.
getPreAuthenticatedCredentials
protected Object getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
- Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this
will be read and used as the credentials value. Otherwise a dummy value will be used.
- Specified by:
- getPreAuthenticatedCredentials in class AbstractPreAuthenticatedProcessingFilter
setPrincipalRequestHeader
public void setPrincipalRequestHeader(String principalRequestHeader)
setCredentialsRequestHeader
public void setCredentialsRequestHeader(String credentialsRequestHeader)
setExceptionIfHeaderMissing
public void setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing)
- Defines whether an exception should be raised if the principal header is missing. Defaults to true.
- Parameters:
- exceptionIfHeaderMissing - set to false to override the default behaviour and allow
the request to proceed if no header is found.