Pivotal Knowledge Base

Annotation-Based Configuration of Beans

Environment

Product: Spring Framework
Version: 2.5, 3.0, 3.1

Overview

You may have a situation where the user has already been authenticated by a third-party authentication system. This article describes how that authentication information can be consumed by Spring Security so that its authorization features can still be used.

Description

The RequestHeaderPreAuthenticatedProcessingFilter in Spring Security reads the custom HTTP headers that the third-party authentication provider inserts into the request. This configuration is demonstrated in the attached applicationContext-security.xml file.

Adding the RequestHeaderPreAuthenticatedProcessingFilter to the application does not complete the integration. Because the PreAuthenticatedAuthenticationProvider does not re-check the custom header on every request, Spring Security never learns that the user has logged out of the third-party authentication provider. The user remains logged in to the application until he explicitly logs out or the HTTP session expires, even though he has already logged out of the third-party system.

To change this behavior, the custom header should be checked on every incoming HTTP request by adding a further filter (com.springsource.support.CustomRequestHeaderPreAuthenticatedProcessingFilter) to the Spring Security application context. This filter reads the custom-header-key header and invalidates the current authentication (by clearing the security context) whenever the header value differs from the name of the currently authenticated user. This is an excerpt of the implementation:

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Spring Security 2.0.x package layout (assumed: the article does not state the
// Spring Security version, but doFilterHttp()/getOrder() belong to the 2.0.x API).
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.ui.FilterChainOrder;
import org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter;
import org.springframework.util.Assert;

// The article refers to this bean as
// com.springsource.support.CustomRequestHeaderPreAuthenticatedProcessingFilter.
public class ClearTrustUserFilter extends SecurityContextHolderAwareRequestFilter {

    // Name of the header in which the third-party provider passes the authenticated user
    private String principalRequestHeader = "custom-header-key";

    public void setPrincipalRequestHeader(String principalRequestHeader) {
        Assert.hasText(principalRequestHeader, "principalRequestHeader must not be empty or null");
        this.principalRequestHeader = principalRequestHeader;
    }

    @Override
    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        String user = request.getHeader(principalRequestHeader);

        // If a user is already authenticated but the header now carries a different value
        // (or is absent because the user logged out upstream), discard the cached
        // authentication so that the pre-authentication filter evaluates the header again.
        if (SecurityContextHolder.getContext().getAuthentication() != null) {
            if (!SecurityContextHolder.getContext().getAuthentication().getName().equals(user)) {
                SecurityContextHolder.clearContext();
            }
        }
        filterChain.doFilter(request, response);
    }

    @Override
    public int getOrder() {
        // Same position as the session context integration filter, i.e. after the
        // security context has been loaded from the session and before PRE_AUTH_FILTER.
        return FilterChainOrder.HTTP_SESSION_CONTEXT_FILTER;
    }
}

With this filter in place, Spring Security automatically notices when a user logs out of the external authentication system, or logs in there with a different credential, and discards the stale authentication.
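The excerpt above targets the Spring Security 2.0.x SpringSecurityFilter API (doFilterHttp() and getOrder()). The same header re-validation written against the Spring Security 3.x API, as an added example that is not the article's code; the class name, the Spring Security 3.x package layout and the decision to also invalidate the HTTP session on a mismatch are assumptions, and the header name defaults to the article's custom-header-key:

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Assumed Spring Security 3.0/3.1 packages
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;

// Hypothetical class name; wire it after SECURITY_CONTEXT_FILTER and before PRE_AUTH_FILTER.
public class PreAuthHeaderRevalidationFilter extends GenericFilterBean {

    private String principalRequestHeader = "custom-header-key";

    public void setPrincipalRequestHeader(String principalRequestHeader) {
        Assert.hasText(principalRequestHeader, "principalRequestHeader must not be empty or null");
        this.principalRequestHeader = principalRequestHeader;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        String headerUser = request.getHeader(principalRequestHeader);

        // A missing header (user logged out upstream) or a different user name both mean
        // the Authentication restored from the session is stale.
        if (current != null && !current.getName().equals(headerUser)) {
            SecurityContextHolder.clearContext();
            // Assumption: also drop the HTTP session so that the stale context cannot be
            // restored by SecurityContextPersistenceFilter on the next request.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
        chain.doFilter(req, res);
    }
}
```

In the Spring Security 3.x namespace the bean is placed in the chain with <custom-filter after="SECURITY_CONTEXT_FILTER" ref="..."/>, so that it runs once the session-backed context has been loaded and before the pre-authentication filter consults the header again.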
