RequestHeaderAuthenticationFilter

Class Overview

A simple pre-authenticated filter which obtains the username from a request header, for use with systems such as CA Siteminder.

As with most pre-authenticated scenarios, it is essential that the external authentication system is set up correctly as this filter does no authentication whatsoever. All the protection is assumed to be provided externally and if this filter is included inappropriately in a configuration, it would be possible to assume the identity of a user merely by setting the correct header name. This also means it should not generally be used in combination with other Spring Security authentication mechanisms such as form login, as this would imply there was a means of bypassing the external system which would be risky.

The property principalRequestHeader is the name of the request header that contains the username. It defaults to "SM_USER" for compatibility with Siteminder.

If the header is missing from the request, getPreAuthenticatedPrincipal will throw an exception. You can override this behaviour by setting the exceptionIfHeaderMissing property.

Summary

[Expand] Inherited Fields
From class org.springframework.web.filter.GenericFilterBean protected final Log logger

[Expand] Inherited Methods
From class org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter void afterPropertiesSet() Check whether all required properties have been set. void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) Try to authenticate a pre-authenticated user with Spring Security if the user has not yet been authenticated. AuthenticationDetailsSource<HttpServletRequest, ?> getAuthenticationDetailsSource() abstract Object getPreAuthenticatedCredentials(HttpServletRequest request) Override to extract the credentials (if applicable) from the current request. abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request) Override to extract the principal information from the current request void setApplicationEventPublisher(ApplicationEventPublisher anApplicationEventPublisher) void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) void setAuthenticationManager(AuthenticationManager authenticationManager) void setCheckForPrincipalChanges(boolean checkForPrincipalChanges) If set, the pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object. void setContinueFilterChainOnUnsuccessfulAuthentication(boolean shouldContinue) If set to true, any AuthenticationException raised by the AuthenticationManager will be swallowed, and the request will be allowed to proceed, potentially using alternative authentication mechanisms. void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange) If checkForPrincipalChanges is set, and a change of principal is detected, determines whether any existing session should be invalidated before proceeding to authenticate the new principal. void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) Puts the Authentication instance returned by the authentication manager into the secure context. void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) Ensures the authentication object in the secure context is set to null when authentication fails.
From class org.springframework.web.filter.GenericFilterBean final void addRequiredProperty(String arg0) void afterPropertiesSet() void destroy() final FilterConfig getFilterConfig() final String getFilterName() final ServletContext getServletContext() final void init(FilterConfig arg0) void initBeanWrapper(BeanWrapper arg0) void initFilterBean() final void setBeanName(String arg0) final void setFilterConfig(FilterConfig arg0) final void setServletContext(ServletContext arg0)
From class java.lang.Object Object clone() boolean equals(Object arg0) void finalize() final Class<?> getClass() int hashCode() final void notify() final void notifyAll() String toString() final void wait() final void wait(long arg0, int arg1) final void wait(long arg0)
From interface javax.servlet.Filter abstract void destroy() abstract void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2) abstract void init(FilterConfig arg0)
From interface org.springframework.beans.factory.BeanNameAware abstract void setBeanName(String arg0)
From interface org.springframework.beans.factory.DisposableBean abstract void destroy()
From interface org.springframework.beans.factory.InitializingBean abstract void afterPropertiesSet()
From interface org.springframework.context.ApplicationEventPublisherAware abstract void setApplicationEventPublisher(ApplicationEventPublisher arg0)
From interface org.springframework.web.context.ServletContextAware abstract void setServletContext(ServletContext arg0)