Spring security and Siteminder
karthikg76
Apr 21st, 2008, 01:04 PM
Hi,
We use siteminder at our place and we don't use Spring.
We have a requirement to integrate with siteminder and I think it's a good opportunity to start with spring security and incrementally integrate Spring into our App.
I looked at acegisecurity.org and found a SiteMinderFilter class in their javadoc. But I notice that this particular filter class is missing in the spring security javadoc.
So what should I be using - Spring security / acegi security?
or both as I need the SiteMinderFilter class?
thanks,
Karthik
Luke Taylor
Apr 21st, 2008, 01:51 PM
The siteminder filter's only job was really to pull out the username from a specified header and load the information for that user. There's a filter called "RequestHeaderPreAuthenticatedProcessingFilter" which has this role now.
bh5k
May 14th, 2008, 09:34 AM
Hey Luke,
What about pulling role information? We have some role information that is placed in our header by siteminder and would like to turn that into the GrantedAuthorities that the logged in user has.
Not really seeing an easy way to do this off the bat.
Thanks,
Bryan
Luke Taylor
May 14th, 2008, 09:50 AM
There's no functionality built in to do this. I haven't used Siteminder, so don't know how it goes about supplying this information, but if it's available from the request, it should be straightforward enough to extract using the pre-authentication code.
bilbonotry
Jan 21st, 2009, 08:20 AM
Hello,
Luke, what do you mean by "the pre-authentication code" ?
I am also trying to get roles from request header written by Siteminder and am not succeeding.
I have extended the preauth filter, but in the overridden doFilter the authentication object does not exist. I have tried the built-in j2ee classes (j2eeMappableRolesRetriever and others from the pre-auth sample), which force roles to be read from web.xml, and I get a jaxen exception at boot.
By the way, I tried to deploy the pre-auth sample to my weblogic and got the same exception at boot.
Thanks to anyone who can help.
bilbonotry
Jan 23rd, 2009, 09:03 AM
OK I finally did it.
I had to extend the pre-auth filter to do the workaround, as well as UserDetails, and implement Authentication.
Here it is :
<beans:bean id="preauthAuthProvider"
        class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    <security:custom-authentication-provider />
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean id="userDetailsServiceWrapper"
                class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
            <beans:property name="userDetailsService" ref="userDetailsService"/>
        </beans:bean>
    </beans:property>
</beans:bean>

<beans:bean id="siteMinderFilter"
        class="toto.tata.SiteMinderFilter">
    <security:custom-filter position="PRE_AUTH_FILTER" />
    <beans:property name="principalRequestHeader"
            value="SM_USER" />
    <beans:property name="rolesRequestHeader"
            value="SM_ROLES" />
    <beans:property name="rolesDelimiter"
            value=";" />
    <!-- other request headers names can be inserted here -->
    <beans:property name="authenticationManager"
            ref="authenticationManager" />
</beans:bean>

<security:authentication-manager alias="authenticationManager" />

<beans:bean id="userDetailsService"
        class="toto.tata.SiteMinderUserDetailsService" />
SiteMinderFilter.java :
[...]
//not sure if required
public SiteMinderFilter(String pPrincipalRequestHeader) {
    super();
    super.setPrincipalRequestHeader(pPrincipalRequestHeader);
}

public void doFilterHttp(HttpServletRequest request,
        HttpServletResponse response, FilterChain filterChain)
        throws IOException, ServletException {
    // get roles; a missing header means no roles rather than a NullPointerException
    String roles = (String) request.getHeader(getRolesRequestHeader());
    String[] rolesArray = (roles == null)
            ? new String[0]
            : roles.split(this.getRolesDelimiter());
    // put roles in GrantedAuthority[]
    Collection<GrantedAuthorityImpl> container = new ArrayList<GrantedAuthorityImpl>();
    for (String s : rolesArray) {
        container.add(new GrantedAuthorityImpl(s));
    }
    GrantedAuthority[] gAuth = (GrantedAuthority[]) container
            .toArray(new GrantedAuthority[container.size()]);
    // create user details
    SiteMinderUserDetails userDetails = new SiteMinderUserDetails();
    userDetails.setUsername((String) super
            .getPreAuthenticatedPrincipal(request));
    userDetails.setAuthorities(gAuth);
    // forge our own Authentication object
    AuthenticationImpl authentication = new AuthenticationImpl();
    authentication.setAuthenticated(true);
    authentication.setAuthorities(gAuth);
    authentication.setPrincipal(userDetails);
    authentication.setCredentials(super
            .getPreAuthenticatedCredentials(request));
    SecurityContextHolder.getContext().setAuthentication(authentication);
    super.doFilterHttp(request, response, filterChain);
}
UserDetails is just a box to put your user data and Authentication just has the attributes and getters required by the interface.
Hope this helps someone.
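
Added example, not part of the original post and not Spring Security code: a JDK-only helper that hardens the header-splitting step of the filter above, keeping the delimiter literal (String.split() treats it as a regex), dropping blank tokens and rejecting unexpected role names before they become authorities. The class name RolesHeaderParser and the role-name allowlist are hypothetical, and it assumes the application is reachable only through the SiteMinder agent, which is what makes the header trustworthy in the first place.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical helper: turns a roles header value into a clean list of role names. */
public class RolesHeaderParser {
    // Assumed allowlist for role names; adjust to what your policy server actually emits.
    private static final Pattern ROLE_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    private final Pattern delimiter;

    public RolesHeaderParser(String delimiter) {
        if (delimiter == null || delimiter.isEmpty()) {
            throw new IllegalArgumentException("delimiter is required");
        }
        // String.split() takes a regex: quote the delimiter so "|" or "." stay literal.
        this.delimiter = Pattern.compile(Pattern.quote(delimiter));
    }

    /** Returns the distinct, validated role names; an absent header yields no roles. */
    public List<String> parse(String headerValue) {
        if (headerValue == null) {
            return Collections.emptyList();
        }
        Set<String> roles = new LinkedHashSet<String>();
        for (String token : delimiter.split(headerValue)) {
            String role = token.trim();
            if (role.isEmpty()) {
                continue; // "A;;B" or a trailing ";" must not produce an empty authority
            }
            if (!ROLE_NAME.matcher(role).matches()) {
                throw new IllegalArgumentException("unexpected role token in header");
            }
            roles.add(role);
        }
        return new ArrayList<String>(roles);
    }

    public static void main(String[] args) {
        // Constructed header values, not captured from a real SiteMinder agent.
        System.out.println(new RolesHeaderParser(";").parse("ADMIN; USER;;ADMIN;"));
        System.out.println(new RolesHeaderParser("|").parse("ADMIN|USER"));
        System.out.println(new RolesHeaderParser(";").parse(null));
    }
}
```

Each returned name can then be wrapped in a GrantedAuthorityImpl exactly as the filter's loop does.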
BrianCubeDweller
Feb 11th, 2009, 02:58 PM
I'm having issues and I hope I can understand your solution and get it to work for me.
One thing is confusing me as I look over your code. Your implementation of SiteMinderFilter is creating its own UserDetails object. Why then do you need to declare a SiteMinderUserDetailsService? What does this service do?
bilbonotry
Feb 12th, 2009, 03:16 AM
Here is my UserDetailsService. I think the point was to have both pre-authenticated and classical user details service features :
public class SiteMinderUserDetailsService extends PreAuthenticatedGrantedAuthoritiesUserDetailsService implements UserDetailsService {

    /*
     * (non-Javadoc)
     *
     * @see org.springframework.security.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
     */
    public UserDetails loadUserByUsername(String pArg0)
            throws UsernameNotFoundException, DataAccessException {
        SiteMinderUserDetails userDetails = new SiteMinderUserDetails();
        userDetails.setUsername(pArg0);
        return userDetails;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService#createuserDetails(org.springframework.security.Authentication, org.springframework.security.GrantedAuthority[])
     */
    @Override
    protected UserDetails createuserDetails(Authentication pToken, GrantedAuthority[] pAuthorities) {
        // TODO Auto-generated method stub
        return super.createuserDetails(pToken, pAuthorities);
    }
}
Extending UserDetails was mandatory to put user extra information I needed.
BrianCubeDweller
Feb 12th, 2009, 02:07 PM
I spent some serious time implementing your SiteMinderFilter. It turns out it's not precisely what I want, but going through the exercise definitely helped me understand what was going on and also what I could do to fix it.
Thank you.