I'm trying to implement Spring Security into my application. I'm working with 3.1.3.RELEASE. Our site uses Siteminder so I've configured it with the RequestHeaderAuthenticationFilter.

Code:
<security:http use-expressions="true" entry-point-ref="http403EntryPoint">
	<security:intercept-url pattern="/**" access="isAuthenticated()" />	
	<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>

<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
		<property name="principalRequestHeader" value="Host" />
		<property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
	<property name="preAuthenticatedUserDetailsService">
		<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
			<property name="userDetailsService" ref="userDetailsService" />
		</bean>
	</property>
</bean>

<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

<bean id="userDetailsService" class="com.mycompany.security.MyUserDetailsService" />
Since my local machine is not set up with Siteminder, I set the principalRequestHeader to 'Host' just to confirm that it's configured going to my UserDetailsService to get the user information.

I've hard coded a single user in my UserDetailsService to confirm that the jsp taglibs and @PreAuthorize annotations are working correctly.

Now I'd like to update my userDetailsService to get the UserDetails from the database depending on what the username is instead of hard coding.

Is there something I can do to swap out the RequestHeaderAuthentcationFilter with something else so I can set the username some other way? Maybe from a request parameter or maybe use basic auth without it checking the userid/password?