
Thread: Combined usage of AuthenticationProcessingFilter and RequestHeaderPreAuthenticatedPro

  1. #1
    Join Date
    Dec 2004
    Location
    Buenos Aires, Argentina
    Posts
    73

    Combined usage of AuthenticationProcessingFilter and RequestHeaderPreAuthenticatedPro

    Luke,

    We deploy our application in an environment where our users might come pre-authenticated by SiteMinder, or they might just hit our server with "no man in the middle", so we need plain old DAO-based authentication.

    Browsing the samples I did find a pre-auth example using j2eePreAuthFilter, but I was not able to find config files for a mixed environment.

    Would you share a sample config showing how we could do this? Also, adding that to the documentation might help other users.

    Thanks in advance,

    Gustavo Faerman
    Buenos Aires, Argentina
    skype: gfaerman

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    There is an issue in Jira to add information on preauthenticated scenarios to the docs.

    Do you have some kind of protection in place to stop a non-SiteMinder user from faking the SiteMinder header?

  3. #3
    Join Date
    Dec 2004
    Location
    Buenos Aires, Argentina
    Posts
    73


    Thanks a lot Luke for your quick reply.

    No, I do not have one at the time of this writing.

    At first glance, my thinking is that we should not allow both authentication strategies to be enabled on the same box at the same time. In the case where we deploy the same web app to different scenarios, the installer would make a last-minute change to the security context files depending on the scenario (using the pre-auth filter or not).

    Do you have any suggestions?
    skype: gfaerman

  4. #4
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    I think it is probably risky to run SiteMinder in a situation where it isn't protecting the whole application. Otherwise you would have to rely on some upstream mechanism (e.g. an Apache server) to warn of requests coming in with the SiteMinder header set by an attacker.
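    As an added illustration of the guard Luke describes (example code, not from the thread or the Spring Security project): a servlet filter placed in the web application ahead of the pre-authentication filter that drops the SiteMinder identity header unless the request arrived from the SiteMinder agent's own address, so a direct hit with a forged header falls through to DAO authentication instead of being trusted. The header name SM_USER and the agent address 10.0.0.5 are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Strips the SiteMinder identity header from requests that did not come through the agent. */
public class PreAuthHeaderGuardFilter implements Filter {
    // Assumed header name and agent address; adjust both to the real deployment.
    private static final String PREAUTH_HEADER = "SM_USER";
    private static final Set<String> TRUSTED_AGENTS = Collections.singleton("10.0.0.5");

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Only the immediate TCP peer is checked (X-Forwarded-For is client-controlled).
        // Any other client's header is hidden, so the request reaches the DAO/form login.
        if (!TRUSTED_AGENTS.contains(http.getRemoteAddr())) {
            http = new HttpServletRequestWrapper(http) {
                @Override public String getHeader(String name) {
                    return PREAUTH_HEADER.equalsIgnoreCase(name) ? null : super.getHeader(name);
                }
                @Override public Enumeration<String> getHeaders(String name) {
                    return PREAUTH_HEADER.equalsIgnoreCase(name)
                            ? Collections.<String>emptyEnumeration() : super.getHeaders(name);
                }
                @Override public Enumeration<String> getHeaderNames() {
                    List<String> names = new ArrayList<String>();
                    for (Enumeration<String> e = super.getHeaderNames(); e.hasMoreElements();) {
                        String n = e.nextElement();
                        if (!PREAUTH_HEADER.equalsIgnoreCase(n)) names.add(n);
                    }
                    return Collections.enumeration(names);
                }
            };
        }
        chain.doFilter(http, res);
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

    Map it in web.xml before the Spring Security filter chain. Because getRemoteAddr() only identifies the immediate peer, this check is meaningful only when the app server is reached directly by the agent; with another proxy in between, the header has to be stripped on that proxy, as Luke suggests with Apache.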
