Announcement Announcement Module
No announcement yet.
Help needed - Spring 3.0.x security + SiteMinder Integration Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Help needed - Spring 3.0.x security + SiteMinder Integration

    Our project is planning to use authentication mechanism which would be provided by Siteminder. When login page is displayed to user the username and password would be Authenticated by Siteminder and Authorization will be done by Spring Security. I have gone through the reference guide and found following configuration can be used:

    <!-- Additional http configuration omitted -->
    <security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />

    <bean id="siteminderFilter" class=
    " reauth.header.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="SM_USER"/>
    <property name="authenticationManager" ref="authenticationManager" />

    <bean id="preauthAuthProvider"
    class=" tion.preauth.PreAuthenticatedAuthenticationProvide r">
    <property name="preAuthenticatedUserDetailsService">
    <bean id="userDetailsServiceWrapper"
    class=" ls.UserDetailsByNameServiceWrapper">
    <property name="userDetailsService" ref="userDetailsService"/>

    <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />

    It is also mentioned - "It's also assumed that you have added a UserDetailsService (called “userDetailsService”) to your configuration to load the user's roles."

    I am not quite clear about this userDetailsService bean. Can someone please provide extra information for this. Which interface should this bean implement ? Does it need to load authorization data for the user ?

    Thanks in advance...

  • #2
    It's referring to this part:

    <property name="userDetailsService" ref="userDetailsService"/>
    since there is no "userDetailsService" bean in the snippet. The UserDetailsService is covered elsewhere in the manual. Just do an incremental search on the single-page version.


    • #3
      Hi Luke,

      Sorry, but I still don't understand how to implement the userDetailsService bean. Please can you provide me with any sample configuration that you may have used. For time being, I just want to confirm if the user has been authenticated correctly through Siteminder. I don't want to implement Authorization for the moment. Is there a way to do this ?

      Please let me know if you require more information on this.
      Thanks in advance ... sorry for my lack of knowledge


      • #4
        As Luke mentioned there is information about the UserDetailsService and the provided implementations in the reference. If you are just playing around right now, the In-Memory Authentication section will likely work well for you. If you are looking for full examples, you can refer to the samples.


        • #5
          I am using Spring Security 3.0. What I want to implement is that the user should be shown a login page (part of our webapp) where he enter his username and password. On clicking submit the request will travel to Siteminder web agent to be authenticated. On succesful authentication the username appended would be added in the header with key 'SM_USER'. Once request comes back to our webapp we let Spring take care of authorization. So in short, want to implement Authentication by Siteminder and Authorization by Spring Security.

          My web.xml is as follows:

          <!-- Security Configuration -->
          <filter-class>org.springframework.web.filter.DelegatingFil terProxy</filter-class>


          My security-config.xml is as follows.

          <beans:beans xmlns=""
          xmlns:beans="" xmlns:xsi=""

          <http auto-config='true'>
          <intercept-url pattern="/index.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
          <intercept-url pattern="/WEB-INF/login/login.jsp*" filters="none" />
          <intercept-url pattern="/flex/tsm/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
          <intercept-url pattern="/**" access="ROLE_DEALER" />
          <form-login login-page='/WEB-INF/login/login.jsp' default-target-url='/spring/home'
          always-use-default-target="false" />
          <http-basic />
          <session-management invalid-session-url="/spring/home" />
          <logout logout-success-url="/logout.jsp" invalidate-session="true" />
          <custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />

          <!-- Siteminder configuration Begin-->
          <beans:bean id="siteminderFilter"
          class=" tion.preauth.RequestHeaderAuthenticationFilter">
          <beans: property name="principalRequestHeader" value="SM_USER" />
          <beans: property name="authenticationManager" ref="authenticationManager" />

          <authentication-manager alias="authenticationManager">
          <authentication-provider ref="gtwPreAuthenticationProvider"/>

          <beans:bean id="gtwPreAuthenticationProvider"
          class=" tion.preauth.PreAuthenticatedAuthenticationProvide r">
          <beans: property name="preAuthenticatedUserDetailsService">
          <beans:bean id="userDetailsServiceWrapper"
          class=" ls.UserDetailsByNameServiceWrapper">
          <beans: property name="userDetailsService" ref="userDetailsService" />
          </beans: property>

          <beans:bean id="userDetailsService"
          class="com.MY.gtw.common.authentication.gtwUserDet ailsService" />
          <!-- Siteminder configuration End -->


          When I try to access the login.jsp using URL - http://localhost:8080/gtw/login/login.jsp , I get the following exception:

          Mar 9, 2011 9:31:13 AM org.apache.catalina.core.StandardWrapperValve invoke
          SEVERE: Servlet.service() for servlet jsp threw exception
 eauth.PreAuthenticatedCredentialsNotFoundException : SM_USER header not found in request.
          at eauth.RequestHeaderAuthenticationFilter.getPreAuth enticatedPrincipal(RequestHeaderAuthenticationFilt
          at eauth.AbstractPreAuthenticatedProcessingFilter.doA uthenticate(AbstractPreAuthenticatedProcessingFilt
          at eauth.AbstractPreAuthenticatedProcessingFilter.doF ilter(AbstractPreAuthenticatedProcessingFilter.jav a:86)
          at$ VirtualFilterChain.doFilter( 355)
          at gout.LogoutFilter.doFilter(
          at$ VirtualFilterChain.doFilter( 355)
          at ontextPersistenceFilter.doFilter(SecurityContextPe
          at$ VirtualFilterChain.doFilter( 355)
          at org.springframework.web.filter.RequestContextFilte r.doFilterInternal(
          at org.springframework.web.filter.OncePerRequestFilte r.doFilter(
          at$ VirtualFilterChain.doFilter( 355)
          at doFilter(
          at org.springframework.web.filter.DelegatingFilterPro xy.invokeDelegate(
          at org.springframework.web.filter.DelegatingFilterPro xy.doFilter(
          at ternalDoFilter(
          at Filter(
          at org.apache.catalina.core.StandardWrapperValve.invo ke(
          at org.apache.catalina.core.StandardContextValve.invo ke(
          at org.apache.catalina.core.StandardHostValve.invoke(
          at org.apache.catalina.valves.ErrorReportValve.invoke (
          at org.apache.catalina.core.StandardEngineValve.invok e(
          at org.apache.catalina.connector.CoyoteAdapter.servic e(
          at org.apache.coyote.http11.Http11Processor.process(H
          at org.apache.coyote.http11.Http11Protocol$Http11Conn ectionHandler.process(

          I am using the following jars:


          Am I missing some jars or some configuration tags in security-config.xml or web.xml?

          Please help me ...

          Thanks in advance ...


          • #6
            Please do not post the same question numerous times. I have responded in the original thread.


            • #7
              Sorry to have posted it twice ... my mistake .