Help needed - Spring 3.0.x security + SiteMinder Integration

[kelkarp]

Our project is planning to use authentication mechanism which would be provided by Siteminder. When login page is displayed to user the username and password would be Authenticated by Siteminder and Authorization will be done by Spring Security. I have gone through the reference guide and found following configuration can be used:

<security:http>
<!-- Additional http configuration omitted -->
<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>

<bean id="siteminderFilter" class=
"org.springframework.security.web.authentication.p reauth.header.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="SM_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="preauthAuthProvider"
class="org.springframework.security.web.authentica tion.preauth.PreAuthenticatedAuthenticationProvide r">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetai ls.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>

<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security-authentication-manager>

It is also mentioned - "It's also assumed that you have added a UserDetailsService (called “userDetailsService”) to your configuration to load the user's roles."

I am not quite clear about this userDetailsService bean. Can someone please provide extra information for this. Which interface should this bean implement ? Does it need to load authorization data for the user ?

Thanks in advance...

[Luke Taylor]

It's referring to this part:

Code:

<property name="userDetailsService" ref="userDetailsService"/>

since there is no "userDetailsService" bean in the snippet. The UserDetailsService is covered elsewhere in the manual. Just do an incremental search on the single-page version.

[kelkarp]

Hi Luke,

Sorry, but I still don't understand how to implement the userDetailsService bean. Please can you provide me with any sample configuration that you may have used. For time being, I just want to confirm if the user has been authenticated correctly through Siteminder. I don't want to implement Authorization for the moment. Is there a way to do this ?

Please let me know if you require more information on this.
Thanks in advance ... sorry for my lack of knowledge

[Rob Winch]

As Luke mentioned there is information about the UserDetailsService and the provided implementations in the reference. If you are just playing around right now, the In-Memory Authentication section will likely work well for you. If you are looking for full examples, you can refer to the samples.

[kelkarp]

I am using Spring Security 3.0. What I want to implement is that the user should be shown a login page (part of our webapp) where he enter his username and password. On clicking submit the request will travel to Siteminder web agent to be authenticated. On succesful authentication the username appended would be added in the header with key 'SM_USER'. Once request comes back to our webapp we let Spring take care of authorization. So in short, want to implement Authentication by Siteminder and Authorization by Spring Security.

My web.xml is as follows:

<!-- Security Configuration -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFil terProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>


My security-config.xml is as follows.

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<http auto-config='true'>
<intercept-url pattern="/index.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/WEB-INF/login/login.jsp*" filters="none" />
<intercept-url pattern="/flex/tsm/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_DEALER" />
<form-login login-page='/WEB-INF/login/login.jsp' default-target-url='/spring/home'
always-use-default-target="false" />
<http-basic />
<session-management invalid-session-url="/spring/home" />
<logout logout-success-url="/logout.jsp" invalidate-session="true" />
<custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</http>

<!-- Siteminder configuration Begin-->
<beans:bean id="siteminderFilter"
class="org.springframework.security.web.authentica tion.preauth.RequestHeaderAuthenticationFilter">
<beans: property name="principalRequestHeader" value="SM_USER" />
<beans: property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<authentication-manager alias="authenticationManager">
<authentication-provider ref="gtwPreAuthenticationProvider"/>
</authentication-manager>

<beans:bean id="gtwPreAuthenticationProvider"
class="org.springframework.security.web.authentica tion.preauth.PreAuthenticatedAuthenticationProvide r">
<beans: property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetai ls.UserDetailsByNameServiceWrapper">
<beans: property name="userDetailsService" ref="userDetailsService" />
</beans:bean>
</beans: property>
</beans:bean>

<beans:bean id="userDetailsService"
class="com.MY.gtw.common.authentication.gtwUserDet ailsService" />
<!-- Siteminder configuration End -->

</beans:beans>

When I try to access the login.jsp using URL - http://localhost:8080/gtw/login/login.jsp , I get the following exception:

Mar 9, 2011 9:31:13 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet jsp threw exception
org.springframework.security.web.authentication.pr eauth.PreAuthenticatedCredentialsNotFoundException : SM_USER header not found in request.
at org.springframework.security.web.authentication.pr eauth.RequestHeaderAuthenticationFilter.getPreAuth enticatedPrincipal(RequestHeaderAuthenticationFilt er.java:43)
at org.springframework.security.web.authentication.pr eauth.AbstractPreAuthenticatedProcessingFilter.doA uthenticate(AbstractPreAuthenticatedProcessingFilt er.java:98)
at org.springframework.security.web.authentication.pr eauth.AbstractPreAuthenticatedProcessingFilter.doF ilter(AbstractPreAuthenticatedProcessingFilter.jav a:86)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.authentication.lo gout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.context.SecurityC ontextPersistenceFilter.doFilter(SecurityContextPe rsistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.web.filter.RequestContextFilte r.doFilterInternal(RequestContextFilter.java:83)
at org.springframework.web.filter.OncePerRequestFilte r.doFilter(OncePerRequestFilter.java:76)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 355)
at org.springframework.security.web.FilterChainProxy. doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterPro xy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterPro xy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invo ke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invo ke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invok e(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.servic e(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(H ttp11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11Conn ectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run( JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:595)


I am using the following jars:

spring-security-config-3.0.3.RELEASE.jar
spring-security-core-3.0.3.RELEASE.jar
spring-security-web-3.0.3.RELEASE

Am I missing some jars or some configuration tags in security-config.xml or web.xml?

Please help me ...

Thanks in advance ...

[Rob Winch]

Please do not post the same question numerous times. I have responded in the original thread.

[kelkarp]

Sorry to have posted it twice ... my mistake .