You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
150 lines
9.3 KiB
150 lines
9.3 KiB
[[servlet-preauth]] |
|
= Pre-Authentication Scenarios |
|
There are situations where you want to use Spring Security for authorization, but the user has already been reliably authenticated by some external system prior to accessing the application. |
|
We refer to these situations as "pre-authenticated" scenarios. |
|
Examples include X.509, Siteminder and authentication by the Java EE container in which the application is running. |
|
When using pre-authentication, Spring Security has to |
|
|
|
* Identify the user making the request. |
|
|
|
* Obtain the authorities for the user. |
|
|
|
|
|
The details will depend on the external authentication mechanism. |
|
A user might be identified by their certificate information in the case of X.509, or by an HTTP request header in the case of Siteminder. |
|
If relying on container authentication, the user will be identified by calling the `getUserPrincipal()` method on the incoming HTTP request. |
|
In some cases, the external mechanism may supply role/authority information for the user but in others the authorities must be obtained from a separate source, such as a `UserDetailsService`. |
|
|
|
|
|
== Pre-Authentication Framework Classes |
|
Because most pre-authentication mechanisms follow the same pattern, Spring Security has a set of classes which provide an internal framework for implementing pre-authenticated authentication providers. |
|
This removes duplication and allows new implementations to be added in a structured fashion, without having to write everything from scratch. |
|
You don't need to know about these classes if you want to use something like xref:servlet/authentication/x509.adoc#servlet-x509[X.509 authentication], as it already has a namespace configuration option which is simpler to use and get started with. |
|
If you need to use explicit bean configuration or are planning on writing your own implementation then an understanding of how the provided implementations work will be useful. |
|
You will find classes under the `org.springframework.security.web.authentication.preauth`. |
|
We just provide an outline here so you should consult the Javadoc and source where appropriate. |
|
|
|
|
|
=== AbstractPreAuthenticatedProcessingFilter |
|
This class will check the current contents of the security context and, if empty, it will attempt to extract user information from the HTTP request and submit it to the `AuthenticationManager`. |
|
Subclasses override the following methods to obtain this information: |
|
|
|
.Override AbstractPreAuthenticatedProcessingFilter |
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest request); |
|
|
|
protected abstract Object getPreAuthenticatedCredentials(HttpServletRequest request); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
protected abstract fun getPreAuthenticatedPrincipal(request: HttpServletRequest): Any? |
|
|
|
protected abstract fun getPreAuthenticatedCredentials(request: HttpServletRequest): Any? |
|
---- |
|
==== |
|
|
|
|
|
After calling these, the filter will create a `PreAuthenticatedAuthenticationToken` containing the returned data and submit it for authentication. |
|
By "authentication" here, we really just mean further processing to perhaps load the user's authorities, but the standard Spring Security authentication architecture is followed. |
|
|
|
Like other Spring Security authentication filters, the pre-authentication filter has an `authenticationDetailsSource` property which by default will create a `WebAuthenticationDetails` object to store additional information such as the session-identifier and originating IP address in the `details` property of the `Authentication` object. |
|
In cases where user role information can be obtained from the pre-authentication mechanism, the data is also stored in this property, with the details implementing the `GrantedAuthoritiesContainer` interface. |
|
This enables the authentication provider to read the authorities which were externally allocated to the user. |
|
We'll look at a concrete example next. |
|
|
|
|
|
[[j2ee-preauth-details]] |
|
==== J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource |
|
If the filter is configured with an `authenticationDetailsSource` which is an instance of this class, the authority information is obtained by calling the `isUserInRole(String role)` method for each of a pre-determined set of "mappable roles". |
|
The class gets these from a configured `MappableAttributesRetriever`. |
|
Possible implementations include hard-coding a list in the application context and reading the role information from the `<security-role>` information in a `web.xml` file. |
|
The pre-authentication sample application uses the latter approach. |
|
|
|
There is an additional stage where the roles (or attributes) are mapped to Spring Security `GrantedAuthority` objects using a configured `Attributes2GrantedAuthoritiesMapper`. |
|
The default will just add the usual `ROLE_` prefix to the names, but it gives you full control over the behaviour. |
|
|
|
|
|
=== PreAuthenticatedAuthenticationProvider |
|
The pre-authenticated provider has little more to do than load the `UserDetails` object for the user. |
|
It does this by delegating to an `AuthenticationUserDetailsService`. |
|
The latter is similar to the standard `UserDetailsService` but takes an `Authentication` object rather than just user name: |
|
|
|
[source,java] |
|
---- |
|
public interface AuthenticationUserDetailsService { |
|
UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException; |
|
} |
|
---- |
|
|
|
This interface may have also other uses but with pre-authentication it allows access to the authorities which were packaged in the `Authentication` object, as we saw in the previous section. |
|
The `PreAuthenticatedGrantedAuthoritiesUserDetailsService` class does this. |
|
Alternatively, it may delegate to a standard `UserDetailsService` via the `UserDetailsByNameServiceWrapper` implementation. |
|
|
|
=== Http403ForbiddenEntryPoint |
|
The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationentrypoint[`AuthenticationEntryPoint`] is responsible for kick-starting the authentication process for an unauthenticated user (when they try to access a protected resource), but in the pre-authenticated case this doesn't apply. |
|
You would only configure the `ExceptionTranslationFilter` with an instance of this class if you aren't using pre-authentication in combination with other authentication mechanisms. |
|
It will be called if the user is rejected by the `AbstractPreAuthenticatedProcessingFilter` resulting in a null authentication. |
|
It always returns a `403`-forbidden response code if called. |
|
|
|
|
|
== Concrete Implementations |
|
X.509 authentication is covered in its xref:servlet/authentication/x509.adoc#servlet-x509[own chapter]. |
|
Here we'll look at some classes which provide support for other pre-authenticated scenarios. |
|
|
|
|
|
=== Request-Header Authentication (Siteminder) |
|
An external authentication system may supply information to the application by setting specific headers on the HTTP request. |
|
A well-known example of this is Siteminder, which passes the username in a header called `SM_USER`. |
|
This mechanism is supported by the class `RequestHeaderAuthenticationFilter` which simply extracts the username from the header. |
|
It defaults to using the name `SM_USER` as the header name. |
|
See the Javadoc for more details. |
|
|
|
[TIP] |
|
==== |
|
Note that when using a system like this, the framework performs no authentication checks at all and it is __extremely__ important that the external system is configured properly and protects all access to the application. |
|
If an attacker is able to forge the headers in their original request without this being detected then they could potentially choose any username they wished. |
|
==== |
|
|
|
==== Siteminder Example Configuration |
|
A typical configuration using this filter would look like this: |
|
|
|
[source,xml] |
|
---- |
|
<security:http> |
|
<!-- Additional http configuration omitted --> |
|
<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" /> |
|
</security:http> |
|
|
|
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter"> |
|
<property name="principalRequestHeader" value="SM_USER"/> |
|
<property name="authenticationManager" ref="authenticationManager" /> |
|
</bean> |
|
|
|
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"> |
|
<property name="preAuthenticatedUserDetailsService"> |
|
<bean id="userDetailsServiceWrapper" |
|
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"> |
|
<property name="userDetailsService" ref="userDetailsService"/> |
|
</bean> |
|
</property> |
|
</bean> |
|
|
|
<security:authentication-manager alias="authenticationManager"> |
|
<security:authentication-provider ref="preauthAuthProvider" /> |
|
</security:authentication-manager> |
|
---- |
|
|
|
We've assumed here that the xref:servlet/namespace/index.adoc#ns-config[security namespace] is being used for configuration. |
|
It's also assumed that you have added a `UserDetailsService` (called "userDetailsService") to your configuration to load the user's roles. |
|
|
|
|
|
=== Java EE Container Authentication |
|
The class `J2eePreAuthenticatedProcessingFilter` will extract the username from the `userPrincipal` property of the `HttpServletRequest`. |
|
Use of this filter would usually be combined with the use of Java EE roles as described above in <<j2ee-preauth-details>>. |
|
|
|
There is a {gh-old-samples-url}/xml/preauth[sample application] in the samples project which uses this approach, so get hold of the code from GitHub and have a look at the application context file if you are interested.
|
|
|