Class RequestHeaderAuthenticationFilter

All Implemented Interfaces:
- jakarta.servlet.Filter
- org.springframework.beans.factory.Aware
- org.springframework.beans.factory.BeanNameAware
- org.springframework.beans.factory.DisposableBean
- org.springframework.beans.factory.InitializingBean
- org.springframework.context.ApplicationEventPublisherAware
- org.springframework.context.EnvironmentAware
- org.springframework.core.env.EnvironmentCapable
- org.springframework.web.context.ServletContextAware
As with most pre-authenticated scenarios, it is essential that the external authentication system is set up correctly, as this filter does no authentication whatsoever. All the protection is assumed to be provided externally, and if this filter is included inappropriately in a configuration, it would be possible to assume the identity of a user merely by sending a request with that header set to the user's name. This also means it should not generally be used in combination with other Spring Security authentication mechanisms such as form login, as this would imply there was a means of bypassing the external system, which would be risky.

The property principalRequestHeader is the name of the request header that contains the username. It defaults to "SM_USER" for compatibility with Siteminder. If the header is missing from the request, getPreAuthenticatedPrincipal will throw an exception. You can override this behaviour by setting the exceptionIfHeaderMissing property.
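The configuration below is an added example, not code from the Spring Security project or this Javadoc: it wires the filter so the header is honoured only for requests that arrive directly from the reverse proxy (via the inherited setRequiresAuthenticationRequestMatcher) and turns exceptionIfHeaderMissing off so requests without the header fall through to the normal access-denied handling. The header name X-Proxy-User, the proxy address, the class name and the UserDetailsService bean are assumptions.

```java
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
public class HeaderPreAuthConfig {

    // Assumption: the only network peers allowed to assert a user identity. Compare the direct
    // TCP peer address, never a forwarded header, because forwarded headers are client data.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    @Bean
    AuthenticationManager preAuthManager(UserDetailsService userDetailsService) {
        // Maps the asserted username to a local account and its authorities. No credential is
        // verified here, which is exactly why the header must be trusted only from the proxy.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));
        return new ProviderManager(provider);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager preAuthManager) throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader("X-Proxy-User"); // assumption: the proxy's header name
        filter.setExceptionIfHeaderMissing(false);        // no header: fall through to 401/403 handling
        filter.setAuthenticationManager(preAuthManager);
        // Skip pre-authentication entirely unless the request came from a trusted proxy, so a
        // client that reaches the application directly cannot choose its own identity.
        filter.setRequiresAuthenticationRequestMatcher(
                request -> TRUSTED_PROXIES.contains(request.getRemoteAddr()));

        http.addFilter(filter)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

The remote-address check only holds if the proxy is the sole network path to the application and the proxy overwrites any X-Proxy-User value a client supplies; verify both before relying on it.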
- Since: 2.0
Field Summary

Fields inherited from class org.springframework.web.filter.GenericFilterBean:
logger
Constructor Summary

- RequestHeaderAuthenticationFilter()
Method Summary

- protected Object getPreAuthenticatedCredentials(jakarta.servlet.http.HttpServletRequest request)
  Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this will be read and used as the credentials value.
- protected Object getPreAuthenticatedPrincipal(jakarta.servlet.http.HttpServletRequest request)
  Reads and returns the header named by principalRequestHeader from the request.
- void setCredentialsRequestHeader(String credentialsRequestHeader)
- void setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing)
  Defines whether an exception should be raised if the principal header is missing.
- void setPrincipalRequestHeader(String principalRequestHeader)

Methods inherited from class org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter:
afterPropertiesSet, doFilter, getAuthenticationDetailsSource, principalChanged, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setCheckForPrincipalChanges, setContinueFilterChainOnUnsuccessfulAuthentication, setInvalidateSessionOnPrincipalChange, setRequiresAuthenticationRequestMatcher, setSecurityContextHolderStrategy, setSecurityContextRepository, successfulAuthentication, unsuccessfulAuthentication

Methods inherited from class org.springframework.web.filter.GenericFilterBean:
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
Constructor Details

- RequestHeaderAuthenticationFilter
  public RequestHeaderAuthenticationFilter()
Method Details

- getPreAuthenticatedPrincipal
  protected Object getPreAuthenticatedPrincipal(jakarta.servlet.http.HttpServletRequest request)
  Reads and returns the header named by principalRequestHeader from the request.
  Specified by: getPreAuthenticatedPrincipal in class AbstractPreAuthenticatedProcessingFilter
  Throws: PreAuthenticatedCredentialsNotFoundException - if the header is missing and exceptionIfHeaderMissing is set to true.

- getPreAuthenticatedCredentials
  protected Object getPreAuthenticatedCredentials(jakarta.servlet.http.HttpServletRequest request)
  Credentials aren't usually applicable, but if a credentialsRequestHeader is set, this will be read and used as the credentials value. Otherwise a dummy value will be used.
  Specified by: getPreAuthenticatedCredentials in class AbstractPreAuthenticatedProcessingFilter

- setPrincipalRequestHeader
  public void setPrincipalRequestHeader(String principalRequestHeader)

- setCredentialsRequestHeader
  public void setCredentialsRequestHeader(String credentialsRequestHeader)

- setExceptionIfHeaderMissing
  public void setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing)
  Defines whether an exception should be raised if the principal header is missing. Defaults to true.
  Parameters: exceptionIfHeaderMissing - set to false to override the default behaviour and allow the request to proceed if no header is found.