Reputation: 681
I need to implement a custom security scheme using Spring Security 3.0.5.
The user must be authenticated automatically (without any login form) by the REMOTE_USER field in the request. It seems that I must implement a custom AbstractAuthenticationProcessingFilter and AuthenticationManager.
Am I taking the right direction? What could be the XML configuration?
Upvotes: 2
Views: 2624
Reputation: 137787
You're wanting to accept identity assertions made by some other agent? Fair enough; there are scenarios where that makes sense. However, you must verify those assertions; there are many ways to do this, here are some:
The simplest method is probably to write your own AuthenticationProvider, whose job it is to look at the credentials presented (the REMOTE_USER field and who is asserting it in your case) and decide whether to build an Authentication object. If not, it should throw an exception. You register your auth provider (assuming it is a bean called myAuthProvider) like this:
<security:authentication-manager>
    <security:authentication-provider ref="myAuthProvider" />
</security:authentication-manager>
As I said, you'll need to have an auth provider. If the user name is being supplied through an HTTP header and you're just going to trust it, you're actually in what's called a pre-authenticated case (i.e., there's something else that's done the authentication step for you). The Spring Security documentation has a whole chapter on this using Siteminder as an example: just change the header name and it should work. (Well, you'll also need a user details service, so that you can map from the authenticated user to the set of authorities that they are granted, but that's a whole 'nother story.)
Upvotes: 3
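A sketch of the pre-authenticated setup the answer points to, with the header name changed to REMOTE_USER. This is an added example, not code from the question or the answer. The bean ids, the URL pattern, the ROLE_USER authority and the sample user "alice" are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- No login form: unauthenticated requests get a 403 instead of a redirect. -->
  <security:http auto-config="false" entry-point-ref="forbiddenEntryPoint">
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:custom-filter position="PRE_AUTH_FILTER" ref="remoteUserFilter"/>
  </security:http>

  <bean id="forbiddenEntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

  <!-- Takes the principal from the REMOTE_USER request header and trusts it as-is.
       Only safe when every request reaches the application through the agent that
       performed the authentication, and that agent strips any client-supplied
       REMOTE_USER header before setting its own. -->
  <bean id="remoteUserFilter"
        class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="REMOTE_USER"/>
    <property name="authenticationManager" ref="authenticationManager"/>
  </bean>

  <!-- Accepts the pre-authenticated token and loads the user's authorities by name. -->
  <bean id="preauthAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
      <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" ref="userDetailsService"/>
      </bean>
    </property>
  </bean>

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="preauthAuthProvider"/>
  </security:authentication-manager>

  <!-- Constructed sample user; the password is never checked in the pre-auth flow. -->
  <security:user-service id="userDetailsService">
    <security:user name="alice" password="unused" authorities="ROLE_USER"/>
  </security:user-service>
</beans>
```

In a real deployment the in-memory user-service would be replaced by a UserDetailsService backed by the actual user store, which is the mapping from authenticated user to granted authorities that the answer mentions.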