public class RequestHeaderAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter
As with most pre-authenticated scenarios, it is essential that the external authentication system is set up correctly as this filter does no authentication whatsoever. All the protection is assumed to be provided externally and if this filter is included inappropriately in a configuration, it would be possible to assume the identity of a user merely by setting the correct header name. This also means it should not generally be used in combination with other Spring Security authentication mechanisms such as form login, as this would imply there was a means of bypassing the external system which would be risky.
The property principalRequestHeader is the name of the request header that
contains the username. It defaults to "SM_USER" for compatibility with Siteminder.
If the header is missing from the request, getPreAuthenticatedPrincipal will
throw an exception. You can override this behaviour by setting the
exceptionIfHeaderMissing property.
logger| Constructor and Description |
|---|
RequestHeaderAuthenticationFilter() |
| Modifier and Type | Method and Description |
|---|---|
protected Object |
getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
Credentials aren't usually applicable, but if a
credentialsRequestHeader is
set, this will be read and used as the credentials value. |
protected Object |
getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
Read and returns the header named by
principalRequestHeader from the
request. |
void |
setCredentialsRequestHeader(String credentialsRequestHeader) |
void |
setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing)
Defines whether an exception should be raised if the principal header is missing.
|
void |
setPrincipalRequestHeader(String principalRequestHeader) |
afterPropertiesSet, doFilter, getAuthenticationDetailsSource, principalChanged, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setCheckForPrincipalChanges, setContinueFilterChainOnUnsuccessfulAuthentication, setInvalidateSessionOnPrincipalChange, successfulAuthentication, unsuccessfulAuthenticationaddRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContextprotected Object getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
principalRequestHeader from the
request.getPreAuthenticatedPrincipal in class AbstractPreAuthenticatedProcessingFilterPreAuthenticatedCredentialsNotFoundException - if the header is missing and
exceptionIfHeaderMissing is set to true.protected Object getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
credentialsRequestHeader is
set, this will be read and used as the credentials value. Otherwise a dummy value
will be used.getPreAuthenticatedCredentials in class AbstractPreAuthenticatedProcessingFilterpublic void setPrincipalRequestHeader(String principalRequestHeader)
public void setCredentialsRequestHeader(String credentialsRequestHeader)
public void setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing)
true.exceptionIfHeaderMissing - set to false to override the default
behaviour and allow the request to proceed if no header is found.