How to combine authentication filters in spring

Question

We're moving from LDAP based authentification to SSO(Oracle's WebGate).

Right now for LDAP based we are using form based authentification with (UsernamePasswordAuthenticationFilter) at FORM_LOGIN_FILTER position.

For SSO user will be pre authenticated and request header with his username will be send. I plan to use RequestHeaderAuthenticationFilterat PRE_AUTH_FILTER position.

Problem is that we need to have both these filters to be present at the same and ability to switch between them based on value in property file. This is for scenario when SSO doesn't work as expected on production so we could easily fallback to LDAP.

My question is how to properly implement this. Will be there any side effects if two filters with these positions will be present at the same time? Is it better to extend both these filter and add property check in inherited classes or is it better to created composite filter which will handle switch between them?

Answer 1

Since the form login filter only processes requests at a specific location (e.g. /j_spring_security_check) having it in place shouldn't affect the function of the other filter. So your original question as stated is rather easy. The more important question that you should ask is how to handle unauthenticated requests. You need to decide how that will work in your new SSO solution and see if you can build something that you can use to switch back to display the login form in your app (and you need to design how that decision would be taken - e.g. a flag in a properties file or a runtime decision). If you are thinking in terms of a fallback that you can put in place at short notice, but don't mind a restart of the app, then I would suggest a Spring profile.