modify preauth, to siteminder-urgent help

[tsingh007]

Hi i am trying to combine features of pre-auth example, with siteminder example given in reference implementation.

I would be greatefull if you could let me know where i have made mistake in configuring xml below

I am trying to retrieve header variable, which has user details and get corresponding roles from web.xml

Code:

<?xml version="1.0" encoding="UTF-8"?>

<!--
  - Sample namespace-based configuration
  -
  - $Id: applicationContext-security-ns.xml 2396 2007-12-23 16:36:44Z luke_t $
  -->

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <sec:filter-chain-map path-type="ant">
            <sec:filter-chain pattern="/**" filters="sif,siteminderFilter,logoutFilter,etf,fsi"/>
        </sec:filter-chain-map>
    </bean>
<!-- ***************what is sec context pristence filter doing? -->
    <bean id="sif" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>

	<sec:authentication-manager alias="authenticationManager" />

    

    <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <sec:custom-authentication-provider />
        <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
    </bean>

    <bean id="preAuthenticatedUserDetailsService"
            class="org.springframework.security.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
            
    <!-- passing auth manager and auth details
    <bean id="j2eePreAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>  
        <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
    </bean>
	-->
	<!-- Take the user info from request, and submit to authentication Manager -->
	<bean id="siteminderFilter"
		      class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
	    <sec:custom-filter position="PRE_AUTH_FILTER" />
	    <property name="principalRequestHeader" value="SM_USER"/>
	    <property name="authenticationManager" ref="authenticationManager" />
	    <!--
	    <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
	    -->
	</bean>
	
 
 
    <bean id="preAuthenticatedProcessingFilterEntryPoint"
            class="org.springframework.security.web.authentication.preauth.PreAuthenticatedProcessingFilterEntryPoint"/>

    <bean id="logoutFilter" class="org.springframework.security.web.logout.LogoutFilter">
        <constructor-arg value="/"/>
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.web.logout.SecurityContextLogoutHandler"/>
            </list>
        </constructor-arg>
    </bean>

    <bean id="authenticationDetailsSource" class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
        <property name="mappableRolesRetriever" ref="j2eeMappableRolesRetriever"/>
        <property name="userRoles2GrantedAuthoritiesMapper" ref="j2eeUserRoles2GrantedAuthoritiesMapper"/>
    </bean>

    <bean id="j2eeUserRoles2GrantedAuthoritiesMapper" class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
        <property name="convertAttributeToUpperCase" value="true"/>
    </bean>

    <bean id="j2eeMappableRolesRetriever" class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever">

    <property name="webXmlInputStream"><bean factory-bean="webXmlResource" factory-method="getInputStream"/>
    </property>
    </bean>

    <bean id="webXmlResource" class="org.springframework.web.context.support.ServletContextResource">
        <constructor-arg ref="servletContext"/>
        <constructor-arg value="/WEB-INF/web.xml"/>
    </bean>

    <bean id="servletContext" class="org.springframework.web.context.support.ServletContextFactoryBean"/>

    <bean id="etf" class="org.springframework.security.web.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint" ref="preAuthenticatedProcessingFilterEntryPoint"/>
    </bean>

    <bean id="httpRequestAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
            <list>
                <ref bean="roleVoter"/>
            </list>
        </property>
    </bean>

    <bean id="fsi" class="org.springframework.security.web.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
        <property name="securityMetadataSource">
            <sec:filter-invocation-definition-source>
                <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
                <sec:intercept-url pattern="/secure/**" access="ROLE_USER"/>
                <sec:intercept-url pattern="/**" access="ROLE_USER"/>
            </sec:filter-invocation-definition-source>
        </property>
    </bean>



  <bean id="preauthAuthProvider"
      class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    
    <sec:custom-authentication-provider />      
    
    <property name="preAuthenticatedUserDetailsService">
      <bean id="userDetailsServiceWrapper" 
            class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" ref="authenticationDetailsSource"/>
      </bean>    
    </property>
	</bean>
	


    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>

    <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter">
        <property name="wrapperClass" value="org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestWrapper"/>
    </bean>

</beans>

[tsingh007]

I did following modification to pre-auth xml


<!-- *****replaced J2EE Auth with siteminderFilter -->

Code:

    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <sec:filter-chain-map path-type="ant">
            <sec:filter-chain pattern="/**" filters="sif,siteminderFilter,logoutFilter,etf,fsi"/>
        </sec:filter-chain-map>
    </bean>

<!-- ****** Replacing this with siteminder

<bean id="j2eePreAuthFilter" class="org.springframework.security.web.authentica tion.preauth.j2ee.J2eePreAuthenticatedProcessingFi lter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
</bean>

-->

Code:

  	<bean id="siteminderFilter"
		      class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
	    <sec:custom-filter position="PRE_AUTH_FILTER" />
	    <property name="principalRequestHeader" value="SM_USER"/>
	    <property name="authenticationManager" ref="authenticationManager" />
	    <!--
	    <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
	    -->
	</bean>

In the logs in see i get this error

Code:

INFO: Initializing Spring root WebApplicationContext
22-Apr-2009 14:27:05 org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'filterChainProxy' defined in ServletContext resource [/WEB-INF/applicationContext-security.xml]: Cannot resolve reference to bean 'siteminderFilter' while setting bean property 'filterChainMap' with key [/**] with key [1]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter] for bean with name 'siteminderFilter' defined in ServletContext resource [/WEB-INF/applicationContext-security.xml]; nested exception is java.lang.ClassNotFoundException: org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:288)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:103)

[whamm0]

Just a guess, but you might not need the 'sec:filter-chain-map' entries in your filterChainProxy bean definition. I believe the <sec:custom-filter position="PRE_AUTH_FILTER" /> reference in the siteminderFilter bean definition will handle this for you. This may be causing the error you are seeing, since it looks like it can't create the filterChainProxy bean.

Also you might want to look into using the security namespace to configure more of the security (the tages you have prefixed with <sec:...). It can handle much of the routine config and then you only need to add in the non-routine items (like the siteminderFilter bean). I have used it before and it saves you a lot of configuration.