15

My app gets an AUTH_USER request header with username from Oracle Access Manager SSO. Spring Security "Additional Topics" 2.2.1 has an example of "PreAuth" that seems to be what I need, but not a full working example.

Snippets below are from docs/examples, not working annotation-based configuration.

Siteminder Example Configuration - using XML with a RequestHeaderAuthenticationFilter and PreAuthenticatedAuthenticationProvider and a UserDetailsService to lookup users.

How does this map to Java-based config?

<security:http>
  <!-- Additional http configuration omitted -->
  <security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>

<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
  <property name="principalRequestHeader" value="AUTH_USER"/>
  <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.    PreAuthenticatedAuthenticationProvider">
  <property name="preAuthenticatedUserDetailsService">
    <bean id="userDetailsServiceWrapper"
          class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
      <property name="userDetailsService" ref="userDetailsService"/>
    </bean>
  </property>
</bean>

<security:authentication-manager alias="authenticationManager">
   <security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>

The Spring Security preauth example has a completely different setup (the XML config is even more intimidating). No mention of the pre-auth filter or how to set the header name.

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login","/resources/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .jee()
                .mappableRoles("USER","ADMIN");
    }
}

The spring-boot-sample-web-secure extends WebMvcConfigurerAdapter instead of WebSecurityConfigurerAdapter, and just does basic form-based logins, no info on how to get userid from pre-auth AUTH_USER header.

public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {

... omitted...

    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        @Autowired
        private SecurityProperties security;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin()
                    .loginPage("/login").failureUrl("/login?error").permitAll();
        }
    }

}

I've read many references/articles but they do not seem to related to current code and Spring-boot, so stuck trying to understand how to configure the app pre-auth security.

xenteros
  • 15,586
  • 12
  • 56
  • 91
Tim
  • 702
  • 2
  • 6
  • 17
  • Explaining what behavior you are seeing would help a lot. That said, your description says you're getting AUTH_USER, but `principalRequestHeader`is set to "SM_USER". – Devon_C_Miller Oct 02 '14 at 01:13
  • Thanks, Devon. The behavior is that I cannot get Spring config via annotations to even succeed. The above are code snippets from the examples. The variations make it difficult to be sure what I should even be creating: ie. WebSecurytConfigurerAdapter or WebMvcConfigurerAdpater? When I try to configure a RequestHeaderAuthenticationFilter, it requires several nested beans like AuthenticationManager and AuthProvider and DetailsService, but the HttpSecurity http object also has methods to set the authprovider and details service, but of slightly different types. – Tim Oct 02 '14 at 16:29
  • Just watched [Spring Security 3.2 Webinar](http://spring.io/blog/2014/01/21/webinar-replay-spring-security-3-2) which helped a lot in understanding some of the annotations and configurations. Next up, I'm going to read the entire [Spring Security Reference](http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#preauth) – Tim Oct 04 '14 at 04:13
  • @Tim: Hello Time,did you figure it out or do you still need help on this ? If you already figured it out, then it would be nice if you could post the answer. Thanks ! – PavanSandeep Nov 03 '14 at 19:20
  • 1
    @Pavan - No, have been on other topics, and have not figured this out yet. Please up-vote it if you're interested! :-) – Tim Nov 04 '14 at 19:48
  • @Tim: I have created a working model. Pls look at my answer :) – PavanSandeep Nov 05 '14 at 17:15
  • @PavanSandeep - cool...where? (I don't see an answer here.) – Tim Nov 06 '14 at 18:49
  • 1
    @Tim: Can you now ? Anyways here is the URL https://github.com/sallampalli/codewiki/tree/master/springboot-security-preauth – PavanSandeep Nov 09 '14 at 17:44
  • @PavanSandeep - I do not see an answer here on SO, but I'll check out Github. Thanks for sharing! – Tim Nov 10 '14 at 21:53
  • Hi @PavanSandeep - I can package springboot-security-preauth, but first error was incorrect start-class, after changing to com.codewiki.springpreauth.config.Application, app runs... but fails to inject a missing UserDetailsService dependency into WebSecurityConfiguration. I'll create one, and see if I can get further, but would be great to discuss live. Email me. :-) – Tim Nov 12 '14 at 13:33
  • Hey @Tim - The UserDetailsServiceImpl class is the one that I put in there which implements the UserDetailsService provided by Spring. I see no reason that failing. Just make sure you have the right dependencies. Sure we can do that live. Thanks ! – PavanSandeep Nov 12 '14 at 14:51
  • @PavanSandeep - Sorry for the delay. I built and deployed as a Jar and as a War, but the server won't startup. Error traces back to: "No qualifying bean of type [com.codewiki.springpreauth.service.UserDetailsServiceImpl] found" -- even though I can see the UserDetailsServiceImpl class. – Tim Nov 22 '14 at 04:16
  • @Tim: Hey, sorry for responding late but just add this in your Application.java and you will be fine @ComponentScan(basePackages={"com.codewiki.springpreauth"}) – PavanSandeep Nov 28 '14 at 07:42
  • @PavanSandeep - (delay due to holiday, sorry) Great catch on the component scan! That and a few minor tweaks made it run with the embedded Tomcat Jar (added dependency for tomcat-embed-jasper in POM, fixed logout link, and deleted sessions on logout). You should submit the link to the code as your answer and I'll mark it correct. :-) – Tim Dec 02 '14 at 17:31

1 Answers1

3

This is my way to configure pre-auth security based on injected userService:

@Configuration
@EnableWebSecurity
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true, securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    private static final Logger LOG = Logger.getLogger(ApplicationSecurity.class.getName());

    @Autowired
    private UserService userService; // implements AuthenticationUserDetailsService...

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        LOG.info("configure autentication provider with custom userService");
        PreAuthenticatedAuthenticationProvider paaProvider = new PreAuthenticatedAuthenticationProvider();
        paaProvider.setPreAuthenticatedUserDetailsService(userService);
        auth.authenticationProvider(paaProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        LOG.info("configure autentication filter");
        // ...
    }

}
kinjelom
  • 6,105
  • 3
  • 35
  • 61