
Thread: AJP13 and Pre-Authentication

  1. #1

    AJP13 and Pre-Authentication

    hi
    I tried to configure the security relying on this documentation:
    http://static.springsource.org/sprin...e/preauth.html

    I use Spring Security 3.0.5 and want to get a pre-authenticated user that authenticates on IIS with Kerberos. The IIS is linked to Tomcat with the AJP13 protocol.

    IIS (does authentication) --> Tomcat (where I have to get the authenticated user, probably from the header)

    However, when printing the header content, there is nothing there ...
    I tried to configure the security with siteminderFilter but had no success.
    Am I on the right track? (Is siteminderFilter what I have to use here?)

    thanks for your help

  2. #2
    Luke Taylor (Spring Team; joined Aug 2004; Glasgow, Scotland; 3,449 posts)


    Quote Originally Posted by tuxmobil@gmail.com:
    IIS (does authentication) --> Tomcat (where I have to get the authenticated user probably from the header)

    However by printing the header content nothing there ...
    Does the AJP documentation actually say anything about setting headers containing the username? I'd imagine the user identity would be made available through the standard servlet API getRemoteUser() method.
    Spring - by Pivotal
    twitter @tekul

  3. #3


    hi
    thanks for the quick feedback
    my question is more about the way we have to handle pre-authentication in a webapp running under Tomcat (v6.0.x).
    The authentication is previously done somewhere else and the AJP13 protocol is used to reach Tomcat.

    I'm having a look at AJP13 just to check how headers are handled.

    Regards,

  4. #4


    hi
    this filter works fine for me
    Java Code:
    import javax.servlet.http.HttpServletRequest;

    import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

    public class BespokeRequestHeaderAuthenticationFilter extends RequestHeaderAuthenticationFilter {

        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            // REMOTE_USER as forwarded by IIS over AJP (requires tomcatAuthentication="false" on the connector)
            System.out.println("############### request from user:" + request.getRemoteUser());
            return request.getRemoteUser();
        }
    }

    The one suggested by the Spring Security doc looks for "SM_USER" in the header attributes and didn't work for me.

    Also, my Tomcat's conf/server.xml contains the following (I disabled port 8080 as the IIS server is doing the redirection):
    HTML Code:
        <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
                   requiredSecret="XXXX" tomcatAuthentication="false"/>
    Once I finish my wiring I'll post it here.
    thanks and regards,

  5. #5
    Luke Taylor (Spring Team)


    Quote Originally Posted by tuxmobil@gmail.com:
    The one suggested by Spring Security doc is looking for "SM_USER" in the header attributes and didn't work for me.
    The doc says:

    An external authentication system may supply information to the application by setting specific headers on the HTTP request. A well known example of this is Siteminder, which passes the username in a header called SM_USER. This mechanism is supported by the class RequestHeaderAuthenticationFilter which simply extracts the username from the header. It defaults to using the name SM_USER as the header name.
    So it's pretty clear that this only applies with Siteminder and request-header based authentication, neither of which are relevant for AJP.

  6. #6


    hi Luke
    yes, I agree the documentation is clear, but as I'm not familiar with Siteminder I tried to follow the same config.
    Now it's working on my side with the following config:

    - on the Tomcat side port 8080 is disabled and only AJP13 is enabled. The config is below; the tomcatAuthentication attribute is very important here, otherwise the REMOTE_USER header will not be passed from the front-end web server to Tomcat:
    HTML Code:
        <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
                   requiredSecret="XXXX" tomcatAuthentication="false"/>
    Then on Spring Security side:

    HTML Code:
    	<security:http entry-point-ref="forbiddenAuthEntryPoint">
    		<security:intercept-url pattern="/**" access="ROLE_USER" />
    		<security:custom-filter position="PRE_AUTH_FILTER"
    			ref="myFilter" />
    	</security:http>
    
    	<!-- If the user is not authenticated error 403 -->
    	<bean id="forbiddenAuthEntryPoint"
    		class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
    
    	<!-- rely on a bespoke filter here-->
    	<bean id="myFilter"
    		class="com.mysite.impl.BespokeRequestHeaderAuthenticationFilter">
    		<property name="authenticationManager" ref="authenticationManager" />
    	</bean>
    
    	<bean id="preauthAuthProvider"
    		class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    		<property name="preAuthenticatedUserDetailsService">
    			<bean id="userDetailsServiceWrapper"
    				class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
    				<!-- rely on  ldapUserDetailsService for Granted Authorities-->
    				<property name="userDetailsService" ref="ldapUserDetailsService" />
    			</bean>
    		</property>
    	</bean>
    
    
    	<!-- ActiveDirectory LDAP config -->
    	
    	<!-- contextSource -->
    	<bean id="contextSource"
    		class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    		<constructor-arg value="ldap://myhost:389/dc=domain,dc=lan" />
    		<property name="userDn" value="CN=Administrator,CN=Users,DC=domain,DC=lan" />
    		<property name="password" value="XXXX" />
    	</bean>
    
    	<!-- userSearch -->
    	<bean id="userSearch"
    		class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    		<constructor-arg index="0" value="CN=Users" />
    		<constructor-arg index="1" value="(sAMAccountName={0})" />
    		<constructor-arg index="2" ref="contextSource" />
    	</bean>
    
    	<!-- ldapAuthoritiesPopulator -->
    	<bean id="ldapAuthoritiesPopulator"
    		class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    		<constructor-arg index="0" ref="contextSource" />
    		<constructor-arg index="1" value="OU=myGrantedAuthorities" />
    	</bean>
    	
    	<!-- ldapUserDetailsService -->
    	<bean id="ldapUserDetailsService"
    		class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    		<constructor-arg index="0" ref="userSearch" />
    		<constructor-arg index="1" ref="ldapAuthoritiesPopulator" />
    	</bean>
    	<!-- end ActiveDirectory LDAP config -->
    
    
    	<security:authentication-manager alias="authenticationManager">
    		<security:authentication-provider
    			ref="preauthAuthProvider" />
    	</security:authentication-manager>

    In the wiring above I rely on the filter myFilter to get already authenticated users, and I rely on the Active Directory LDAP to get the granted authorities.

    The filter is defined as:

    Java Code:
    import javax.servlet.http.HttpServletRequest;

    import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
    import org.springframework.util.Assert;

    public class BespokeRequestHeaderAuthenticationFilter extends RequestHeaderAuthenticationFilter {

        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            // remote user shouldn't be null, make sure you have tomcatAuthentication="false" in your AJP13 config in $TOMCAT_HOME/conf/server.xml
            Assert.notNull(request.getRemoteUser(), "The remote user shouldn't be null, make sure you have tomcatAuthentication=\"false\" in your AJP13 config.");

            // we split here as request.getRemoteUser() on Windows has the pattern DOMAIN\userLogin and we want to extract the userLogin
            String[] remoteUserSplitted = request.getRemoteUser().split("\\\\");
            String principal = remoteUserSplitted.length == 2 ? remoteUserSplitted[1] : remoteUserSplitted[0];

            // 'logger' is the commons-logging Log inherited from Spring's GenericFilterBean
            logger.info("Request from user:" + principal);
            return principal;
        }
    }
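As an added example (not code from the thread or from Spring Security itself), here is a variant of the filter wired above that does the same job but fails closed on the inputs the poster's split() handles by accident: with `a\b\c` the original code returns `a`, i.e. the domain, and a bare login from a different domain is accepted as if it were local. The class reads the identity Tomcat builds from the AJP REMOTE_USER attribute (getUserPrincipal(), falling back to getRemoteUser()), accepts `DOMAIN\user`, `user@domain` or a bare `user`, checks the domain against a configurable allow-list, and returns only the bare login so that the `(sAMAccountName={0})` LDAP search in the thread keeps working. It extends AbstractPreAuthenticatedProcessingFilter directly, since no request header is involved (Spring Security also ships J2eePreAuthenticatedProcessingFilter, which reads getUserPrincipal() but does no domain handling). The class and package names, the `allowedDomains` property and the sample logins in `main` are assumptions made for the example.

```java
package com.mysite.impl; // hypothetical package, matching the thread's wiring

import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Added example: pre-authentication filter for identities that IIS forwards over AJP.
 * Tomcat only fills getUserPrincipal()/getRemoteUser() from the AJP REMOTE_USER
 * attribute when the connector has tomcatAuthentication="false"; this filter then
 * validates the asserted name before handing it to the PreAuthenticatedAuthenticationProvider.
 */
public class DomainAwareAjpPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    /** Windows domains whose users may log in (case-insensitive). Empty set = domain not checked. */
    private Set<String> allowedDomains = Collections.emptySet();

    public void setAllowedDomains(Set<String> domains) {
        Set<String> copy = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
        copy.addAll(domains);
        this.allowedDomains = copy;
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        String raw = (p != null) ? p.getName() : request.getRemoteUser();
        String login = extractLogin(raw, allowedDomains);
        if (login == null) {
            // Returning null makes the base class skip authentication; the
            // Http403ForbiddenEntryPoint configured in the thread then answers 403.
            logger.warn("Rejected pre-authenticated identity: " + raw);
        }
        return login;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // Kerberos was already verified by IIS; nothing to carry here
    }

    /**
     * Accepts "DOMAIN\user", "user@domain" or a bare "user" and returns the bare
     * login (the sAMAccountName used by the LDAP lookup), or null when the value
     * is malformed or the domain is not in the allowed set.
     */
    static String extractLogin(String raw, Set<String> allowedDomains) {
        if (raw == null) {
            return null;
        }
        String value = raw.trim();
        String domain = null;
        String login = value;
        int backslash = value.indexOf('\\');
        int at = value.indexOf('@');
        if (backslash >= 0) {                       // DOMAIN\user
            domain = value.substring(0, backslash);
            login = value.substring(backslash + 1);
        } else if (at >= 0) {                       // user@domain.lan (UPN form)
            domain = value.substring(at + 1);
            login = value.substring(0, at);
        }
        // A second separator ("a\b\c", "a@b\c") is not a valid Windows login: refuse it
        // instead of silently picking one component as a plain split() would.
        if (login.isEmpty() || login.indexOf('\\') >= 0 || login.indexOf('@') >= 0) {
            return null;
        }
        if (!allowedDomains.isEmpty()) {
            if (domain == null || domain.isEmpty() || !allowedDomains.contains(domain)) {
                return null;
            }
        }
        return login;
    }

    /** Stand-alone demonstration on constructed inputs (no servlet container needed). */
    public static void main(String[] args) {
        Set<String> corp = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
        corp.add("CORP");
        String[] samples = { "CORP\\jdoe", "corp\\JDoe", "jdoe@corp", "OTHER\\jdoe", "jdoe", "a\\b\\c", "", null };
        for (String s : samples) {
            // expected: jdoe, JDoe, jdoe, then null for the remaining five
            System.out.println(s + " -> " + extractLogin(s, corp));
        }
    }
}
```

To use it in the wiring above, point the myFilter bean at this class (it still takes the authenticationManager property) and add an allowedDomains set property listing the AD domain(s) you expect. Two practitioner caveats follow from the thread's own config rather than from this class: with tomcatAuthentication="false", Tomcat believes whatever REMOTE_USER the AJP peer sends, so anyone who can open a TCP connection to port 8009 can impersonate any user; the requiredSecret shown on the connector (which must match the secret configured on the IIS redirector) plus binding the connector with address to a loopback or private interface and firewalling it are what make that acceptable. And the contextSource binds as CN=Administrator; a dedicated read-only lookup account limits what a leaked server.xml or application context gives away.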

