Examples of RequestHeaderAuthenticationFilter

org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter
A simple pre-authenticated filter which obtains the username from a request header, for use with systems such as CA Siteminder.
As with most pre-authenticated scenarios, it is essential that the external authentication system is set up correctly as this filter does no authentication whatsoever. All the protection is assumed to be provided externally and if this filter is included inappropriately in a configuration, it would be possible to assume the identity of a user merely by setting the correct header name. This also means it should not generally be used in combination with other Spring Security authentication mechanisms such as form login, as this would imply there was a means of bypassing the external system which would be risky.
The property {@code principalRequestHeader} is the name of the request header that contains the username. Itdefaults to "SM_USER" for compatibility with Siteminder.
If the header is missing from the request, {@code getPreAuthenticatedPrincipal} will throw an exception. Youcan override this behaviour by setting the {@code exceptionIfHeaderMissing} property. @author Luke Taylor @since 2.0

Examples of org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter

    @Test(expected = PreAuthenticatedCredentialsNotFoundException.class)
    public void rejectsMissingHeader() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();


        filter.doFilter(request, response, chain);
    }

View Full Code Here

Examples of org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter

    public void defaultsToUsingSiteminderHeader() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.addHeader("SM_USER", "cat");
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setAuthenticationManager(createAuthenticationManager());


        filter.doFilter(request, response, chain);
        assertNotNull(SecurityContextHolder.getContext().getAuthentication());
        assertEquals("cat", SecurityContextHolder.getContext().getAuthentication().getName());
        assertEquals("N/A", SecurityContextHolder.getContext().getAuthentication().getCredentials());
    }

View Full Code Here

Examples of org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter

    public void alternativeHeaderNameIsSupported() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.addHeader("myUsernameHeader", "wolfman");
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setAuthenticationManager(createAuthenticationManager());
        filter.setPrincipalRequestHeader("myUsernameHeader");


        filter.doFilter(request, response, chain);
        assertNotNull(SecurityContextHolder.getContext().getAuthentication());
        assertEquals("wolfman", SecurityContextHolder.getContext().getAuthentication().getName());
    }

View Full Code Here

Examples of org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter

    @Test
    public void credentialsAreRetrievedIfHeaderNameIsSet() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setAuthenticationManager(createAuthenticationManager());
        filter.setCredentialsRequestHeader("myCredentialsHeader");
        request.addHeader("SM_USER", "cat");
        request.addHeader("myCredentialsHeader", "catspassword");


        filter.doFilter(request, response, chain);
        assertNotNull(SecurityContextHolder.getContext().getAuthentication());
        assertEquals("catspassword", SecurityContextHolder.getContext().getAuthentication().getCredentials());
    }

View Full Code Here

Examples of org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter


    @Test
    public void userIsReauthenticatedIfPrincipalChangesAndCheckForPrincipalChangesIsSet() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setAuthenticationManager(createAuthenticationManager());
        filter.setCheckForPrincipalChanges(true);
        request.addHeader("SM_USER", "cat");
        filter.doFilter(request, response, new MockFilterChain());
        request = new MockHttpServletRequest();
        request.addHeader("SM_USER", "dog");
        filter.doFilter(request, response, new MockFilterChain());
        Authentication dog = SecurityContextHolder.getContext().getAuthentication();
        assertNotNull(dog);
        assertEquals("dog", dog.getName());
        // Make sure authentication doesn't occur every time (i.e. if the header *doesn't change)
        filter.setAuthenticationManager(mock(AuthenticationManager.class));
        filter.doFilter(request, response, new MockFilterChain());
        assertSame(dog, SecurityContextHolder.getContext().getAuthentication());
    }

View Full Code Here

Examples of org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter

    @Test(expected=PreAuthenticatedCredentialsNotFoundException.class)
    public void missingHeaderCausesException() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setAuthenticationManager(createAuthenticationManager());


        filter.doFilter(request, response, chain);
    }

View Full Code Here

Examples of org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter

    @Test
    public void missingHeaderIsIgnoredIfExceptionIfHeaderMissingIsFalse() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setExceptionIfHeaderMissing(false);
        filter.setAuthenticationManager(createAuthenticationManager());
        filter.doFilter(request, response, chain);
    }

View Full Code Here

TOP

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.