
Thread: Spring security and Siteminder

  1. #1
    Join Date
    Apr 2008
    Posts
    2

    Default Spring security and Siteminder

    Hi,
    We use siteminder at our place and we don't use Spring.
    We have a requirement to integrate with siteminder and I think it's a good opportunity to start with spring security and incrementally integrate Spring into our App.

    I looked at acegisecurity.org and found a SiteMinderFilter class in their javadoc. But I notice that this particular filter class is missing in the spring security javadoc.

    So what should I be using - Spring security / acegi security?
    or both as I need the SiteMinderFilter class?

    thanks,
    Karthik

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    The siteminder filter's only job was really to pull out the username from a specified header and load the information for that user. There's a filter called "RequestHeaderPreAuthenticatedProcessingFilter" which has this role now.

  3. #3

    Default Siteminder

    Hey Luke,

    What about pulling role information? We have some role information that is placed in our header by siteminder and would like to turn that into the GrantedAuthorities that the logged in user has.

    Not really seeing an easy way to do this off the bat.

    Thanks,

    Bryan

  4. #4
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    There's no functionality built in to do this. I haven't used Siteminder, so don't know how it goes about supplying this information, but if it's available from the request, it should be straightforward enough to extract using the pre-authentication code.

  5. #5
    Join Date
    Jan 2009
    Posts
    3

    Default

    Hello,

    Luke, what do you mean by "the pre-authentication code"?
    I am also trying to get roles from a request header written by Siteminder and am not succeeding.

    I have extended the preauth filter, but in the overridden doFilter the authentication object does not exist. I have tried the built-in j2ee classes (j2eeMappableRolesRetriever and others from the pre-auth sample), which force roles to be read from web.xml, and I get a jaxen exception at boot.
    By the way, I tried to deploy the pre-auth sample to my weblogic and got the same exception at boot.

    Thanks to anyone who can help.
    Last edited by bilbonotry; Jan 21st, 2009 at 08:22 AM. Reason: added details

  6. #6
    Join Date
    Jan 2009
    Posts
    3

    Default

    OK I finally did it.
    I had to extend the pre-auth filter to do the workaround, extend UserDetails and implement Authentication.

    Here it is :

    Code:
    <beans:bean id="preauthAuthProvider"
            class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <security:custom-authentication-provider />
        <beans:property name="preAuthenticatedUserDetailsService">
            <beans:bean id="userDetailsServiceWrapper"
                    class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
                <beans:property name="userDetailsService" ref="userDetailsService" />
            </beans:bean>
        </beans:property>
    </beans:bean>

    <beans:bean id="siteMinderFilter" class="toto.tata.SiteMinderFilter">
        <security:custom-filter position="PRE_AUTH_FILTER" />
        <beans:property name="principalRequestHeader" value="SM_USER" />
        <beans:property name="rolesRequestHeader" value="SM_ROLES" />
        <beans:property name="rolesDelimiter" value=";" />
        <!-- other request header names can be inserted here -->
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <security:authentication-manager alias="authenticationManager" />

    <beans:bean id="userDetailsService" class="toto.tata.SiteMinderUserDetailsService" />

    SiteMinderFilter.java :

    Code:
    [...]
        // not sure if required
        public SiteMinderFilter(String pPrincipalRequestHeader) {
            super();
            super.setPrincipalRequestHeader(pPrincipalRequestHeader);
        }

        public void doFilterHttp(HttpServletRequest request,
                HttpServletResponse response, FilterChain filterChain)
                throws IOException, ServletException {
            // get roles; a missing or empty roles header yields no authorities
            // instead of a NullPointerException or an empty role name
            String roles = request.getHeader(getRolesRequestHeader());
            String[] rolesArray = (roles == null || roles.length() == 0)
                    ? new String[0]
                    : roles.split(this.getRolesDelimiter());

            // put roles in GrantedAuthority[]
            Collection<GrantedAuthorityImpl> container = new ArrayList<GrantedAuthorityImpl>();
            for (String s : rolesArray) {
                container.add(new GrantedAuthorityImpl(s));
            }
            GrantedAuthority[] gAuth = container
                    .toArray(new GrantedAuthority[container.size()]);

            // create user details
            SiteMinderUserDetails userDetails = new SiteMinderUserDetails();
            userDetails.setUsername((String) super
                    .getPreAuthenticatedPrincipal(request));
            userDetails.setAuthorities(gAuth);

            // forge our own Authentication object
            AuthenticationImpl authentication = new AuthenticationImpl();
            authentication.setAuthenticated(true);
            authentication.setAuthorities(gAuth);
            authentication.setPrincipal(userDetails);
            authentication.setCredentials(super
                    .getPreAuthenticatedCredentials(request));
            SecurityContextHolder.getContext().setAuthentication(authentication);

            super.doFilterHttp(request, response, filterChain);
        }

    UserDetails is just a box to put your user data and Authentication just has the attributes and getters required by the interface.

    Hope this helps someone.
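
Added example, not part of the original posts or of Spring Security: the role-header parsing step from the filter above as a stand-alone Java helper that tolerates a missing header, empty tokens and duplicates, and treats the delimiter as a literal rather than a regex. The class name `RoleHeaderParser` and the allowed role-name pattern are assumptions, and the sample header values are constructed.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not from the thread): turns an SM_ROLES-style header into role names.
 * The result is only meaningful when the application is reachable solely through the
 * SiteMinder agent, because any client that can reach it directly can send these headers.
 */
public class RoleHeaderParser {
    // Assumed allow-list for role names; adjust to what your policy server actually emits.
    private static final Pattern ROLE_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    /**
     * @param headerValue raw header value, null when the agent sent no roles
     * @param delimiter   literal separator such as ";" (quoted, so "|" or "." is not a regex)
     * @return role names in first-seen order, without duplicates
     */
    public static Set<String> parse(String headerValue, String delimiter) {
        Set<String> roles = new LinkedHashSet<String>();
        if (headerValue == null || delimiter == null || delimiter.isEmpty()) {
            return Collections.unmodifiableSet(roles); // no header: no authorities, no NPE
        }
        for (String token : headerValue.split(Pattern.quote(delimiter))) {
            String role = token.trim();
            if (role.isEmpty()) {
                continue; // tolerate "A;;B" and a trailing delimiter
            }
            if (!ROLE_NAME.matcher(role).matches()) {
                // Fail closed on anything that does not look like a role name.
                throw new IllegalArgumentException("Unexpected characters in role header");
            }
            roles.add(role);
        }
        return Collections.unmodifiableSet(roles);
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured from a real SiteMinder agent.
        System.out.println(parse("ROLE_USER; ROLE_ADMIN;;ROLE_USER;", ";"));
        System.out.println(parse("ROLE_A|ROLE_B", "|"));
        System.out.println(parse(null, ";"));
    }
}
```

Each returned name can then be wrapped in a `GrantedAuthorityImpl` as the filter above does.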

  7. #7

    Question Can your solution work for me?

    I'm having issues and I hope I can understand your solution and get it to work for me.

    One thing is confusing me as I look over your code. Your implementation of SiteMinderFilter is creating its own UserDetails object. Why then do you need to declare a SiteMinderUserDetailsService? What does this service do?

  8. #8
    Join Date
    Jan 2009
    Posts
    3

    Default

    Here is my UserDetailsService. I think the point was to have both pre-authenticated and classical user details service features :

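    Code:
    import org.springframework.dao.DataAccessException;
    import org.springframework.security.Authentication;
    import org.springframework.security.GrantedAuthority;
    import org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
    import org.springframework.security.userdetails.UserDetails;
    import org.springframework.security.userdetails.UserDetailsService;
    import org.springframework.security.userdetails.UsernameNotFoundException;

    public class SiteMinderUserDetailsService extends PreAuthenticatedGrantedAuthoritiesUserDetailsService
            implements UserDetailsService {

        /*
         * (non-Javadoc)
         *
         * @see org.springframework.security.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
         */
        public UserDetails loadUserByUsername(String pArg0)
                throws UsernameNotFoundException, DataAccessException {
            SiteMinderUserDetails userDetails = new SiteMinderUserDetails();
            userDetails.setUsername(pArg0);
            return userDetails;
        }

        /* (non-Javadoc)
         * @see org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService#createuserDetails(org.springframework.security.Authentication, org.springframework.security.GrantedAuthority[])
         */
        @Override
        protected UserDetails createuserDetails(Authentication pToken, GrantedAuthority[] pAuthorities) {
            // TODO Auto-generated method stub
            return super.createuserDetails(pToken, pAuthorities);
        }
    }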

    Extending UserDetails was mandatory to put user extra information I needed.

  9. #9

    Smile Thanks

    I spent some serious time implementing your SiteMinderFilter. It turns out it's not precisely what I want, but going through the exercise definitely helped me understand what was going on and also what I could do to fix it.

    Thank you.
