spring security - custom filter positioning

Question

I need to customize my authentication process in such manner:

1. Client sends request (REST API) with a "special" URL param
2. Server calls third-party service passing a param and receiving user name
3. Server lookups database by name and this is authenticated principal.

I split my server side (2+3) on two parts - custom filter for (2), that obtains user name - and a custom userdetailservice for(3) that builds principal by looking up name in database.

But I cannot build my security.xml correctly - every time it seems that it doesn't process filter at all. I think the problem is in the first (http) node, but I cannot understand what position should I set up for filter. Here is my config:

<http use-expressions="true" auto-config="true" authentication-manager-ref="authenticationManager">
    <intercept-url pattern="/*" access="isAuthenticated" />
    <custom-filter ref="casServiceTicketFilter" position="FIRST"/>
</http>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="wliAuthenticationService"/>
</authentication-manager>

<b:bean id="casServiceTicketFilter" class="org.WLICASAuthenticationFilter">
    <b:property name="casTicketValidateURL" value="${cas.ticket.validate.url}"/>
    <b:property name="authenticationManager" ref="authenticationManager"/>
</b:bean>

<b:bean id="wliAuthenticationService" class="org.WLIUserDetailService"/>

PS- Please don't tell me that Spring has CAS support out-of-the-box. It's a bit various configuration so I need to create my own implementation of service ticket validator

Answer 1

Your custom authentication filter shouldn't be first in the filter chain. It needs to come after the SecurityContextPersistenceFilter. Use

<custom-filter ref="casServiceTicketFilter" after="SECURITY_CONTEXT_FILTER"/>

instead.

If you enable debug logging, you should be able to see clearly what order the filters are called in for each request and whether yours is invoked.