How to setup pre-authentication header-based authentication in Spring Boot?
How to setup pre-authentication header-based authentication in Spring Boot?
My app gets an AUTH_USER request header with username from Oracle Access Manager SSO. Spring Security "Additional Topics" 2.2.1 has an example of "PreAuth" that seems to be what I need, but not a full working example.
Snippets below are from docs/examples, not working annotation-based configuration.
Siteminder Example Configuration - using XML with a RequestHeaderAuthenticationFilter and PreAuthenticatedAuthenticationProvider and a UserDetailsService to lookup users.
How does this map to Java-based config?
<security:http>
<!-- Additional http configuration omitted -->
<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="AUTH_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth. PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
The Spring Security preauth example has a completely different setup (the XML config is even more intimidating). No mention of the pre-auth filter or how to set the header name.
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
@Override
protected void configure(HttpSecurity http) throws Exception
http
.authorizeRequests()
.antMatchers("/login","/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.jee()
.mappableRoles("USER","ADMIN");
The spring-boot-sample-web-secure extends WebMvcConfigurerAdapter instead of WebSecurityConfigurerAdapter, and just does basic form-based logins, no info on how to get userid from pre-auth AUTH_USER header.
public class SampleWebSecureApplication extends WebMvcConfigurerAdapter
... omitted...
@Bean
public ApplicationSecurity applicationSecurity()
return new ApplicationSecurity();
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter
@Autowired
private SecurityProperties security;
@Override
protected void configure(HttpSecurity http) throws Exception
http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin()
.loginPage("/login").failureUrl("/login?error").permitAll();
I've read many references/articles but they do not seem to related to current code and Spring-boot, so stuck trying to understand how to configure the app pre-auth security.
principalRequestHeader
Thanks, Devon. The behavior is that I cannot get Spring config via annotations to even succeed. The above are code snippets from the examples. The variations make it difficult to be sure what I should even be creating: ie. WebSecurytConfigurerAdapter or WebMvcConfigurerAdpater? When I try to configure a RequestHeaderAuthenticationFilter, it requires several nested beans like AuthenticationManager and AuthProvider and DetailsService, but the HttpSecurity http object also has methods to set the authprovider and details service, but of slightly different types.
– Tim
Oct 2 '14 at 16:29
Just watched Spring Security 3.2 Webinar which helped a lot in understanding some of the annotations and configurations. Next up, I'm going to read the entire Spring Security Reference
– Tim
Oct 4 '14 at 4:13
@Tim: Hello Time,did you figure it out or do you still need help on this ? If you already figured it out, then it would be nice if you could post the answer. Thanks !
– PavanSandeep
Nov 3 '14 at 19:20
@Pavan - No, have been on other topics, and have not figured this out yet. Please up-vote it if you're interested! :-)
– Tim
Nov 4 '14 at 19:48
1 Answer
1
This is my way to configure pre-auth security based on injected userService:
@Configuration
@EnableWebSecurity
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true, securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class ApplicationSecurity extends WebSecurityConfigurerAdapter
private static final Logger LOG = Logger.getLogger(ApplicationSecurity.class.getName());
@Autowired
private UserService userService; // implements AuthenticationUserDetailsService...
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception
LOG.info("configure autentication provider with custom userService");
PreAuthenticatedAuthenticationProvider paaProvider = new PreAuthenticatedAuthenticationProvider();
paaProvider.setPreAuthenticatedUserDetailsService(userService);
auth.authenticationProvider(paaProvider);
@Override
protected void configure(HttpSecurity http) throws Exception
LOG.info("configure autentication filter");
// ...
By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.
Explaining what behavior you are seeing would help a lot. That said, your description says you're getting AUTH_USER, but
principalRequestHeader
is set to "SM_USER".– Devon_C_Miller
Oct 2 '14 at 1:13