  • Spring security and Siteminder

    Hi,
    We use SiteMinder at our place and we don't use Spring.
    We have a requirement to integrate with SiteMinder, and I think it's a good opportunity to start with Spring Security and incrementally integrate Spring into our app.

    I looked at acegisecurity.org and found a SiteMinderFilter class in their javadoc. But I notice that this particular filter class is missing from the Spring Security javadoc.

    So what should I be using - Spring security / acegi security?
    or both as I need the SiteMinderFilter class?

    thanks,
    Karthik

  • #2
    The SiteMinder filter's only job was really to pull the username out of a specified header and load the information for that user. There's a filter called "RequestHeaderPreAuthenticatedProcessingFilter" which has this role now.



    • #3
      Siteminder

      Hey Luke,

      What about pulling role information? We have some role information that is placed in our header by SiteMinder and would like to turn that into the GrantedAuthorities that the logged-in user has.

      Not really seeing an easy way to do this off the bat.

      Thanks,

      Bryan



      • #4
        There's no functionality built in to do this. I haven't used Siteminder, so don't know how it goes about supplying this information, but if it's available from the request, it should be straightforward enough to extract using the pre-authentication code.



        • #5
          Hello,

          Luke, what do you mean by "the pre-authentication code" ?
          I am also trying to get roles from request header written by Siteminder and am not succeeding.

          I have extended the pre-auth filter, but in the overridden doFilter the authentication object does not exist. I have tried the built-in J2EE classes (j2eeMappableRolesRetriever and others from the pre-auth sample), which force reading the roles from web.xml, and I get a Jaxen exception at boot.
          By the way, I tried to deploy the pre-auth sample to my WebLogic and got the same exception at boot.

          Thanks to anyone who can help.
          Last edited by bilbonotry; Jan 21st, 2009, 08:22 AM. Reason: added details



          • #6
            OK I finally did it.
            I had to extend the pre-auth filter to do the workaround, extend UserDetails, and implement Authentication.

            Here it is :

            Code:
            <beans:bean id="preauthAuthProvider"
                    class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
                <security:custom-authentication-provider />
                <beans:property name="preAuthenticatedUserDetailsService">
                    <beans:bean id="userDetailsServiceWrapper"
                            class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
                        <beans:property name="userDetailsService" ref="userDetailsService"/>
                    </beans:bean>
                </beans:property>
            </beans:bean>

            <beans:bean id="siteMinderFilter" class="toto.tata.SiteMinderFilter">
                <security:custom-filter position="PRE_AUTH_FILTER" />
                <beans:property name="principalRequestHeader" value="SM_USER" />
                <beans:property name="rolesRequestHeader" value="SM_ROLES" />
                <beans:property name="rolesDelimiter" value=";" />
                <!-- other request header names can be inserted here -->
                <beans:property name="authenticationManager" ref="authenticationManager" />
            </beans:bean>

            <security:authentication-manager alias="authenticationManager" />

            <beans:bean id="userDetailsService" class="toto.tata.SiteMinderUserDetailsService" />
            SiteMinderFilter.java :

            Code:
            // [...] package declaration omitted in the original post; imports added here
            import java.io.IOException;
            import java.util.ArrayList;
            import java.util.Collection;

            import javax.servlet.FilterChain;
            import javax.servlet.ServletException;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpServletResponse;

            import org.springframework.security.GrantedAuthority;
            import org.springframework.security.GrantedAuthorityImpl;
            import org.springframework.security.context.SecurityContextHolder;
            import org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter;

            // SiteMinderUserDetails and AuthenticationImpl are the poster's own classes (see below)
            public class SiteMinderFilter extends RequestHeaderPreAuthenticatedProcessingFilter {

                // names of the SiteMinder role header and its delimiter; set from the bean definition above
                private String rolesRequestHeader = "SM_ROLES";
                private String rolesDelimiter = ";";

                // the bean definition above passes no constructor-arg, so a no-arg constructor is required
                public SiteMinderFilter() {
                    super();
                }

                // not sure if required
                public SiteMinderFilter(String pPrincipalRequestHeader) {
                    super();
                    super.setPrincipalRequestHeader(pPrincipalRequestHeader);
                }

                public void doFilterHttp(HttpServletRequest request,
                        HttpServletResponse response, FilterChain filterChain)
                        throws IOException, ServletException {
                    // get roles; a missing header yields no roles instead of a NullPointerException
                    String roles = request.getHeader(getRolesRequestHeader());
                    String[] rolesArray = (roles == null) ? new String[0] : roles.split(getRolesDelimiter());

                    // put roles in GrantedAuthority[]
                    Collection<GrantedAuthority> container = new ArrayList<GrantedAuthority>();
                    for (String s : rolesArray) {
                        container.add(new GrantedAuthorityImpl(s));
                    }
                    GrantedAuthority[] gAuth = container.toArray(new GrantedAuthority[container.size()]);

                    // create user details
                    SiteMinderUserDetails userDetails = new SiteMinderUserDetails();
                    userDetails.setUsername((String) super.getPreAuthenticatedPrincipal(request));
                    userDetails.setAuthorities(gAuth);

                    // forge our own Authentication object and put it in the context before the parent
                    // filter runs; the parent skips authentication when the context already holds one,
                    // so this is what the rest of the chain sees
                    AuthenticationImpl authentication = new AuthenticationImpl();
                    authentication.setAuthenticated(true);
                    authentication.setAuthorities(gAuth);
                    authentication.setPrincipal(userDetails);
                    authentication.setCredentials(super.getPreAuthenticatedCredentials(request));
                    SecurityContextHolder.getContext().setAuthentication(authentication);

                    super.doFilterHttp(request, response, filterChain);
                }

                public String getRolesRequestHeader() { return rolesRequestHeader; }
                public void setRolesRequestHeader(String rolesRequestHeader) { this.rolesRequestHeader = rolesRequestHeader; }
                public String getRolesDelimiter() { return rolesDelimiter; }
                public void setRolesDelimiter(String rolesDelimiter) { this.rolesDelimiter = rolesDelimiter; }
            }
            UserDetails is just a box to put your user data and Authentication just has the attributes and getters required by the interface.

            Hope this helps someone.

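Luke's remark in #4 that the roles "should be straightforward enough to extract using the pre-authentication code" points at a different route from the forged Authentication in #6: let the pre-auth filter's AuthenticationDetailsSource parse the role header into a details object that carries GrantedAuthorities, and let PreAuthenticatedGrantedAuthoritiesUserDetailsService pick them up from there, so the normal AuthenticationManager path stays intact. The following is an added example, not code from this thread or from the Spring Security project. It assumes the Spring Security 2.0.x package and class names that match the configuration posted in #6 (AuthenticationDetailsSource, PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails, GrantedAuthorityImpl), the SM_USER/SM_ROLES headers from #6, and a hypothetical class name SiteMinderRolesDetailsSource.

```java
// Added example, not from the thread. Package/class names assumed to be Spring Security 2.0.x,
// matching the bean definitions in #6; SiteMinderRolesDetailsSource is a hypothetical name.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.ui.AuthenticationDetailsSource;
import org.springframework.security.ui.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails;

/**
 * Parses the SiteMinder role header (SM_ROLES in this thread) into GrantedAuthority[]
 * and attaches it to the pre-authenticated token's details. The provider's
 * PreAuthenticatedGrantedAuthoritiesUserDetailsService reads the authorities from the
 * details object, so no Authentication has to be built by hand in the filter.
 *
 * Everything here trusts request headers. It is only safe when the application cannot
 * be reached except through the SiteMinder agent, and the agent overwrites any
 * SM_USER/SM_ROLES values a client sends; otherwise anyone can pick a user and roles.
 */
public class SiteMinderRolesDetailsSource implements AuthenticationDetailsSource {

    private String rolesRequestHeader = "SM_ROLES";   // header name from #6
    private String rolesDelimiter = ";";               // delimiter from #6
    private String rolePrefix = "ROLE_";               // prefix RoleVoter expects by default
    private String[] allowedRoles = null;              // optional allow-list; null accepts any header role

    public Object buildDetails(Object context) {
        HttpServletRequest request = (HttpServletRequest) context;
        PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails details =
                new PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails(request);
        details.setGrantedAuthorities(parseRoles(request.getHeader(rolesRequestHeader)));
        return details;
    }

    /**
     * Turns "admin;editor" into [ROLE_admin, ROLE_editor]. A missing header yields an
     * empty array rather than a NullPointerException: the user is still authenticated
     * (the principal header was present or the filter would not have called us) but
     * holds no roles, which the access decision then denies as usual.
     */
    GrantedAuthority[] parseRoles(String headerValue) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        if (headerValue == null) {
            return new GrantedAuthority[0];
        }
        // Pattern.quote: the delimiter is a literal, not a regex (split() takes a regex)
        for (String token : headerValue.split(Pattern.quote(rolesDelimiter))) {
            String role = token.trim();
            if (role.length() == 0) {
                continue;                          // tolerate "a;;b" and trailing delimiters
            }
            String name = role.startsWith(rolePrefix) ? role : rolePrefix + role;
            if (allowedRoles != null && !contains(allowedRoles, name)) {
                continue;                          // drop roles the application does not know about
            }
            authorities.add(new GrantedAuthorityImpl(name));
        }
        return authorities.toArray(new GrantedAuthority[authorities.size()]);
    }

    private static boolean contains(String[] haystack, String needle) {
        for (String s : haystack) {
            if (s.equals(needle)) {
                return true;
            }
        }
        return false;
    }

    public void setRolesRequestHeader(String rolesRequestHeader) { this.rolesRequestHeader = rolesRequestHeader; }
    public void setRolesDelimiter(String rolesDelimiter) { this.rolesDelimiter = rolesDelimiter; }
    public void setRolePrefix(String rolePrefix) { this.rolePrefix = rolePrefix; }
    public void setAllowedRoles(String[] allowedRoles) { this.allowedRoles = allowedRoles; }
}
```

To wire it in the configuration from #6 (property names again assumed from the 2.0.x API): set this object as the `authenticationDetailsSource` property of the RequestHeaderPreAuthenticatedProcessingFilter bean, and replace the UserDetailsByNameServiceWrapper in the provider's `preAuthenticatedUserDetailsService` property with a PreAuthenticatedGrantedAuthoritiesUserDetailsService. The `allowedRoles` list and the `ROLE_` prefix are the two checks worth keeping even if the rest is changed: without the prefix a default RoleVoter abstains on every header-derived role, and without an allow-list every string the agent forwards becomes an authority the application honours.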


            • #7
              Can your solution work for me?

              I'm having issues and I hope I can understand your solution and get it to work for me.

              One thing is confusing me as I look over your code. Your implementation of SiteMinderFilter is creating its own UserDetails object. Why then do you need to declare a SiteMinderUserDetailsService? What does this service do?

              Comment


              • #8
                Here is my UserDetailsService. I think the point was to have both pre-authenticated and classical user details service features :

                Code:
                import org.springframework.dao.DataAccessException;
                import org.springframework.security.Authentication;
                import org.springframework.security.GrantedAuthority;
                import org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
                import org.springframework.security.userdetails.UserDetails;
                import org.springframework.security.userdetails.UserDetailsService;
                import org.springframework.security.userdetails.UsernameNotFoundException;

                public class SiteMinderUserDetailsService extends PreAuthenticatedGrantedAuthoritiesUserDetailsService
                        implements UserDetailsService {

                    /*
                     * (non-Javadoc)
                     *
                     * @see org.springframework.security.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
                     */
                    public UserDetails loadUserByUsername(String pArg0)
                            throws UsernameNotFoundException, DataAccessException {
                        // called through UserDetailsByNameServiceWrapper with the SM_USER value
                        SiteMinderUserDetails userDetails = new SiteMinderUserDetails();
                        userDetails.setUsername(pArg0);
                        return userDetails;
                    }

                    /*
                     * (non-Javadoc)
                     * @see org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService#createuserDetails(org.springframework.security.Authentication, org.springframework.security.GrantedAuthority[])
                     */
                    @Override
                    protected UserDetails createuserDetails(Authentication pToken, GrantedAuthority[] pAuthorities) {
                        // TODO auto-generated method stub
                        return super.createuserDetails(pToken, pAuthorities);
                    }
                }


                Extending UserDetails was mandatory to put user extra information I needed.



                • #9
                  Thanks

                  I spent some serious time implementing your SiteMinderFilter. It turns out it's not precisely what I want, but going through the exercise definitely helped me understand what was going on and also what I could do to fix it.

                  Thank you.

