Reputation: 384
Using Spring Security 3.2.5 and Spring 4.0.6. Spring Security is configured for pre-authentication using an HTTP header.
Spring Security works correctly grabbing the header, looking up the user, and getting authentication roles from the database.
The problem is that when a user logs out and logs in as a new user, Spring Security does not detect the changed header and still returns the previously logged-in user.
1 - log in as user#1 through the external application (SiteMinder)
2 - Spring Security correctly reports user#1 logged in
3 - outside of the application, log out of SiteMinder
4 - through SiteMinder, log in as user#2
5 - in the web app, Spring Security now incorrectly reports user#1 logged in when SiteMinder is providing header information for user#2
In spring-security.xml I tried adding a directive for Spring Security to not cache users, but it got exceptions in the application.
<security:http create-session="stateless" />
ApplicationEventMulticaster not initialized - call 'refresh' before multicasting events via the context: Root WebApplicationContext: startup date [Wed Sep 10 11:57:10 MDT 2014]; root of context hierarchy
Configuration problem: No AuthenticationEntryPoint could be established. Please make sure you have a login mechanism configured through the namespace (such as form-login) or specify a custom AuthenticationEntryPoint with the 'entry-point-ref' attribute
How can spring security be configured to reauthorize when the pre-authentication header changes?
Thanks!
Upvotes: 1
Views: 1465
Reputation: 22742
You should be able to achieve this by setting the checkForPrincipalChanges property on the pre-auth filter to true.
From the API docs:
the pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object. If a change is detected, the user will be reauthenticated.
You'll probably also want to set the invalidateSessionOnPrincipalChange property (if you want the previous session to be forgotten).
Upvotes: 2
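For reference, here is an added example of how both properties from the answer are set in a namespace-style spring-security.xml. This is not code from the question or the answer; it is a fragment I put together against the Spring Security 3.2 API. The header name SM_USER, the bean id myUserDetailsService (your existing database-backed UserDetailsService) and the URL pattern are assumptions. It also shows the entry-point-ref that the "No AuthenticationEntryPoint could be established" error is asking for: pre-authentication has no login page of its own, so the namespace must be told what to do when an unauthenticated request arrives, and Http403ForbiddenEntryPoint is the usual choice when authentication happens outside the application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post. Assumed: the SM_USER header name,
     the myUserDetailsService bean, and the /** access rule. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.2.xsd">

  <!-- No form-login here, so an explicit entry point is required; without it the
       namespace parser fails with "No AuthenticationEntryPoint could be established". -->
  <security:http entry-point-ref="http403EntryPoint" use-expressions="true">
    <security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
  </security:http>

  <bean id="http403EntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

  <bean id="siteminderFilter"
        class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <!-- Assumed header name; SiteMinder commonly uses SM_USER, adjust to your deployment. -->
    <property name="principalRequestHeader" value="SM_USER" />
    <property name="authenticationManager" ref="authenticationManager" />
    <!-- Compare the header value against the current Authentication's name on every
         request and re-authenticate when it differs (default is false, which is why
         user#1 stuck around after user#2's header appeared). -->
    <property name="checkForPrincipalChanges" value="true" />
    <!-- Discard user#1's HttpSession when the principal changes, so session-scoped
         state (caches, shopping carts, CSRF tokens) does not carry over to user#2. -->
    <property name="invalidateSessionOnPrincipalChange" value="true" />
  </bean>

  <bean id="preauthAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
      <!-- Adapts a plain UserDetailsService (the DB lookup that loads the roles)
           to the AuthenticationUserDetailsService the pre-auth provider expects. -->
      <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <!-- Assumed: your existing database-backed UserDetailsService bean. -->
        <property name="userDetailsService" ref="myUserDetailsService" />
      </bean>
    </property>
  </bean>

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />
  </security:authentication-manager>
</beans>
```

With this in place the session can stay at the default create-session setting; create-session="stateless" is not needed to get re-authentication, and on its own it would not have fixed the missing entry point anyway. To confirm the behaviour, send two requests in the same session with different SM_USER values and check that the second response reflects the new principal and carries a new JSESSIONID.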