@ -11,12 +11,15 @@ import org.springframework.util.Assert;
@@ -11,12 +11,15 @@ import org.springframework.util.Assert;
* As with most pre - authenticated scenarios , it is essential that the external authentication system is set up
* correctly as this filter does no authentication whatsoever . All the protection is assumed to be provided externally
* and if this filter is included inappropriately in a configuration , it would be possible to assume the
* identity of a user merely by setting the correct header name . This also means it should not be used in combination
* with other Spring Security authentication mechanisms such as form login , as this would imply there was a means of
* bypassing the external system which would be risky .
* identity of a user merely by setting the correct header name . This also means it should not generally be used
* in combination with other Spring Security authentication mechanisms such as form login , as this would imply there
* was a means of bypassing the external system which would be risky .
* < p >
* The property < tt > principalRequestHeader < / tt > is the name of the request header that contains the username . It
* defaults to "SM_USER" for compatibility with Siteminder .
* < p >
* If the header is missing from the request , < tt > getPreAuthenticatedPrincipal < / tt > will throw an exception . You
* can override this behaviour by setting the < tt > exceptionIfMissingHeader < / tt > property .
*
*
* @author Luke Taylor
@ -26,16 +29,19 @@ import org.springframework.util.Assert;
@@ -26,16 +29,19 @@ import org.springframework.util.Assert;
public class RequestHeaderAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
private String principalRequestHeader = "SM_USER" ;
private String credentialsRequestHeader ;
private boolean exceptionIfHeaderMissing = true ;
private boolean exceptionIfMissingHeader ;
/ * *
* Read and returns the header named by < tt > principalRequestHeader < / tt > from the request .
*
* @throws PreAuthenticatedCredentialsNotFoundException if the header is missing
* @throws PreAuthenticatedCredentialsNotFoundException if the header is missing and < tt > exceptionIfHeaderMissing < / tt >
* is set to < tt > true < / tt > .
* /
protected Object getPreAuthenticatedPrincipal ( HttpServletRequest request ) {
String principal = request . getHeader ( principalRequestHeader ) ;
if ( principal = = null ) {
if ( principal = = null & & exceptionIfHeaderMissing ) {
throw new PreAuthenticatedCredentialsNotFoundException ( principalRequestHeader
+ " header not found in request." ) ;
}
@ -66,4 +72,14 @@ public class RequestHeaderAuthenticationFilter extends AbstractPreAuthenticatedP
@@ -66,4 +72,14 @@ public class RequestHeaderAuthenticationFilter extends AbstractPreAuthenticatedP
Assert . hasText ( credentialsRequestHeader , "credentialsRequestHeader must not be empty or null" ) ;
this . credentialsRequestHeader = credentialsRequestHeader ;
}
/ * *
* Defines whether an exception should be raised if the principal header is missing . Defaults to < tt > true < / tt > .
*
* @param exceptionIfHeaderMissing set to < tt > false < / tt > to override the default behaviour and allow
* the request to proceed if no header is found .
* /
public void setExceptionIfHeaderMissing ( boolean exceptionIfHeaderMissing ) {
this . exceptionIfHeaderMissing = exceptionIfMissingHeader ;
}
}
Luke Taylor
16 years ago