  • AJP13 and Pre-Authentication

    hi
    I tried to configure the security relying on this documentation
    http://static.springsource.org/sprin...e/preauth.html

    I use Spring Security 3.0.5 and want to get a pre-authenticated user that authenticates on IIS with Kerberos. The IIS is linked to Tomcat with the AJP13 protocol.

    IIS (does authentication) --> Tomcat (where I have to get the authenticated user, probably from the header)

    However, when printing the header content, there is nothing there ...
    I tried to configure the security with siteminderFilter but with no success.
    Am I on the right track? (is siteminderFilter what I have to use here?)

    thanks for your help

  • #2
    Originally posted by [email protected]:
    IIS (does authentication) --> Tomcat (where I have to get the authenticated user, probably from the header)

    However, when printing the header content, there is nothing there ...
    Does the AJP documentation actually say anything about setting headers containing the username? I'd imagine the user identity would be made available through the standard servlet API getRemoteUser() method.


    • #3
      hi
      thanks for the quick feedback
      my question is more about the way we have to handle pre-authentication in a webapp running under Tomcat (v6.0.x).
      The authentication is previously done somewhere else and the ajp13 protocol is used to reach Tomcat.

      I'm having a look at ajp13 just to check how headers are handled.

      Regards,


      • #4
        hi
        this filter works fine for me
        Java Code:
        import javax.servlet.http.HttpServletRequest;
        import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

        public class BespokeRequestHeaderAuthenticationFilter extends RequestHeaderAuthenticationFilter {

            @Override
            protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
                // Tomcat exposes the identity received over AJP13 through the servlet API, not through a header
                System.out.println("############### request from user:" + request.getRemoteUser());
                return request.getRemoteUser();
            }
        }

        The one suggested by the Spring Security doc is looking for "SM_USER" in the header attributes and didn't work for me.

        Also, my Tomcat's conf/server.xml contains the following; I disabled port 8080 as the IIS server is doing the redirection:
        XML Code:
            <!-- Define an AJP 1.3 Connector on port 8009 -->
            <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
                requiredSecret="XXXX" tomcatAuthentication="false"/>
        Once I finish my wiring I'll post it here.
        thanks and Regards,


        • #5
          Originally posted by [email protected]:
          The one suggested by the Spring Security doc is looking for "SM_USER" in the header attributes and didn't work for me.
          The doc says:

          An external authentication system may supply information to the application by setting specific headers on the HTTP request. A well known example of this is Siteminder, which passes the username in a header called SM_USER. This mechanism is supported by the class RequestHeaderAuthenticationFilter which simply extracts the username from the header. It defaults to using the name SM_USER as the header name.
          So it's pretty clear that this only applies with Siteminder and request-header based authentication, neither of which is relevant for AJP.


          • #6
            hi Luke
            yes, I agree the documentation is clear, but as I'm not familiar with Siteminder I tried to follow the same config.
            Now it's working on my side with the following config:

            - on the Tomcat side port 8080 is disabled and only the AJP13 connector is enabled. The config is below; the tomcatAuthentication attribute is very important here, otherwise the REMOTE_USER header will not be passed from the front-end web server to Tomcat:
            XML Code:
                <!-- Define an AJP 1.3 Connector on port 8009 -->
                <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
                    requiredSecret="XXXX" tomcatAuthentication="false"/>
            Then on the Spring Security side:

            XML Code:
                <security:http entry-point-ref="forbiddenAuthEntryPoint">
                    <security:intercept-url pattern="/**" access="ROLE_USER" />
                    <security:custom-filter position="PRE_AUTH_FILTER"
                        ref="myFilter" />
                </security:http>

                <!-- If the user is not authenticated error 403 -->
                <bean id="forbiddenAuthEntryPoint"
                    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

                <!-- rely on a bespoke filter here -->
                <bean id="myFilter"
                    class="com.mysite.impl.BespokeRequestHeaderAuthenticationFilter">
                    <property name="authenticationManager" ref="authenticationManager" />
                </bean>

                <bean id="preauthAuthProvider"
                    class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
                    <property name="preAuthenticatedUserDetailsService">
                        <bean id="userDetailsServiceWrapper"
                            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                            <!-- rely on ldapUserDetailsService for Granted Authorities -->
                            <property name="userDetailsService" ref="ldapUserDetailsService" />
                        </bean>
                    </property>
                </bean>

                <!-- ActiveDirectory LDAP config -->

                <!-- contextSource -->
                <bean id="contextSource"
                    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
                    <constructor-arg value="ldap://myhost:389/dc=domain,dc=lan" />
                    <property name="userDn" value="CN=Administrator,CN=Users,DC=domain,DC=lan" />
                    <property name="password" value="XXXX" />
                </bean>

                <!-- userSearch -->
                <bean id="userSearch"
                    class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
                    <constructor-arg index="0" value="CN=Users" />
                    <constructor-arg index="1" value="(sAMAccountName={0})" />
                    <constructor-arg index="2" ref="contextSource" />
                </bean>

                <!-- ldapAuthoritiesPopulator -->
                <bean id="ldapAuthoritiesPopulator"
                    class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                    <constructor-arg index="0" ref="contextSource" />
                    <constructor-arg index="1" value="OU=myGrantedAuthorities" />
                </bean>

                <!-- ldapUserDetailsService -->
                <bean id="ldapUserDetailsService"
                    class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
                    <constructor-arg index="0" ref="userSearch" />
                    <constructor-arg index="1" ref="ldapAuthoritiesPopulator" />
                </bean>
                <!-- end ActiveDirectory LDAP config -->

                <security:authentication-manager alias="authenticationManager">
                    <security:authentication-provider
                        ref="preauthAuthProvider" />
                </security:authentication-manager>

            In the wiring above I rely on the filter myFilter to get already authenticated users, and I rely on the ActiveDirectory LDAP to get the granted authorities.

            The filter is defined as:

            Java Code:
            import javax.servlet.http.HttpServletRequest;
            import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
            import org.springframework.util.Assert;

            public class BespokeRequestHeaderAuthenticationFilter extends RequestHeaderAuthenticationFilter {

                @Override
                protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
                    // remote user shouldn't be null, make sure you have tomcatAuthentication="false" in your AJP13 config in the $TOMCAT_HOME/conf/server.xml
                    Assert.notNull(request.getRemoteUser(), "The remote user shouldn't be null, make sure you have tomcatAuthentication=\"false\" in your AJP13 config.");

                    // we split here as request.getRemoteUser() on Windows has the pattern DOMAIN\userLogin and we want to extract the userLogin
                    String[] remoteUserSplitted = request.getRemoteUser().split("\\\\");
                    String principal = remoteUserSplitted.length == 2 ? remoteUserSplitted[1] : remoteUserSplitted[0];

                    // logger is inherited from GenericFilterBean
                    logger.info("Request from user:" + principal);
                    return principal;
                }
            }

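A variant of the filter in #6, added here as an example and not code from the thread: it extends AbstractPreAuthenticatedProcessingFilter directly since the header lookup of RequestHeaderAuthenticationFilter is unused with AJP (the point made in #5), returns null instead of throwing when Tomcat reports no remote user so the configured Http403ForbiddenEntryPoint answers rather than a 500, and also reduces the user@realm form to the bare login expected by the (sAMAccountName={0}) search. The class name and the extractLogin helper are assumptions; the Spring Security 3.0.x API and the inherited GenericFilterBean logger are assumed.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Hypothetical container-based pre-authentication filter (Spring Security 3.0.x).
 * The identity Tomcat received over AJP13 (tomcatAuthentication="false") is read
 * through the servlet API, never from an HTTP header. For an unauthenticated
 * request it returns null: AbstractPreAuthenticatedProcessingFilter then skips
 * authentication and the 403 entry point configured on <security:http> answers.
 */
public class AjpRemoteUserAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String login = extractLogin(request.getRemoteUser());
        if (login == null) {
            // logger is inherited from GenericFilterBean
            logger.debug("No remote user on request; check tomcatAuthentication=\"false\" on the AJP connector");
        }
        return login;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // The front-end (IIS/Kerberos) already verified the user; nothing to forward
        return "N/A";
    }

    /**
     * Reduces the remote user name reported by the front-end to the bare login that
     * the (sAMAccountName={0}) LDAP search expects. Handles "DOMAIN\login",
     * "login@domain.lan" and "login"; null, blank or prefix-only values yield null.
     */
    static String extractLogin(String remoteUser) {
        if (remoteUser == null) {
            return null;
        }
        String value = remoteUser.trim();
        int backslash = value.lastIndexOf('\\');
        if (backslash >= 0) {
            value = value.substring(backslash + 1);       // NetBIOS form DOMAIN\login
        } else {
            int at = value.indexOf('@');
            if (at >= 0) {
                value = value.substring(0, at);           // UPN form login@realm
            }
        }
        return value.isEmpty() ? null : value;
    }
}
```

Wire it in place of myFilter with the same authenticationManager property; the rest of the wiring in #6 stays unchanged.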