Thread: PreAuth variable header not found in request

  1. #1
    Join Date
    Jun 2010
    Posts
    3

    PreAuth variable header not found in request

    Hi,

    I am attempting to configure an app to use the RequestHeaderPreAuthenticatedProcessingFilter to allow authentication by SiteMinder. This appears to be very straightforward, however, I'm having a real problem with the principalRequestHeader variable.

    I've configured Spring as such:

    Code:
        <!-- ======================== FILTER CHAIN ======================= -->
        <bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /**=httpSessionContextIntegrationFilter,siteminderFilter,logoutFilter,adminAuthenticationProcessingFilter,learnerAuthenticationProcessingFilter,siteLearnerAuthenticationProcessingFilter,exceptionTranslationFilter
                </value>
            </property>
        </bean>
    
    
    
        <!-- ======================== UP Custom Siteminder Bean ===================== -->
    
      <bean id="siteminderFilter"
          class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
        <sec:custom-filter position="PRE_AUTH_FILTER" />
        <property name="principalRequestHeader" value="SMUSER" />
        <property name="authenticationManager" ref="authenticationManager" />
      </bean>
    
      <bean id="preauthAuthProvider"
          class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <sec:custom-authentication-provider />
        <property name="preAuthenticatedUserDetailsService">
          <bean id="userDetailsServiceWrapper"
                class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="userDetailsService"/>
          </bean>
        </property>
      </bean>

      <sec:authentication-manager alias="authenticationManager" />
    
    
        <bean id="userDetailsService" name="userDetailsService"
            class="com.plateausystems.elms.bo.userprofile.impl.AdminUserSecurityDetailsServiceImpl">
            <property name="userProfileService" ref="module.userprofile.UserProfileService"/>
        </bean>

    And the error I get after I successfully authenticate with SiteMinder (and the request is passed to Spring to find the header variable):

    Code:
    06/21/2010 14:22:07 ERROR #     [ajp-0.0.0.0-8009-1] [LMS:ContainerBase] - Servlet.service() for servlet default threw exception
    org.springframework.security.ui.preauth.PreAuthenticatedCredentialsNotFoundException: SMUSER header not found in request.
            at org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter.getPreAuthenticatedPrincipal(RequestHeaderPreAuthenticatedProcessingFilter.java:42)
            at org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:69)
            at org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter.doFilterHttp(AbstractPreAuthenticatedProcessingFilter.java:58)
            at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
            at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
            at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
            at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
            at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
            at org.springframework.security.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:99)

    We have gone as far as proxying our Apache to JBoss call to make sure the SMUSER variable is there, and it is. As a further test I put the header variable 'user-agent' in the config and that worked. It's clearly able to get something from the header. Any ideas why it can't find SMUSER?

    We are using Spring Security 2.0.0.

    Thanks for your time,
    Jason

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Try "SM_USER" instead.

    And just dump the request on the server side (e.g. using Tomcat's filter or valve). It should then be obvious what is there and what's not.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Already tried that.

    Hi Luke,

    Thanks for the quick reply.

    We've confirmed beyond any doubt that the value is SMUSER. I started with SM_USER, then I contacted our SiteMinder team who informed me that it is SMUSER where I work. I've deployed a servlet just to confirm it is indeed SMUSER.

    I've tried other header variables that we put in the header via SiteMinder like our employee id and such. None are found, except for the 'user-agent'. Now, I haven't tried all the headers but I'm wondering if there is something I'm missing, or have out of sync, in the above config.

    Thanks again.

  4. #4
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team

    Dump the request on the server side and check that the headers are present. It's important to debug things at that level before looking at your Spring Security configuration.

    The code just uses a simple call to HttpServletRequest.getHeader(), so it should find it if it's there.
    Spring - by Pivotal
    twitter @tekul

  5. #5
    discovery but no solution

    Quote (originally posted by Luke Taylor):
        Dump the request on the server side and check that the headers are present. It's important to debug things at that level before looking at your Spring Security configuration.

        The code just uses a simple call to HttpServletRequest.getHeader(), so it should find it if it's there.

    Yep, we did that too. We see dozens of header variables, many of which are set by Siteminder. There are a few that are set by Apache and a few from the browser. (I'd post them here but they are fairly company specific. Let me know if you'd like to see them and I'll PM them to you.)

    Further analysis has brought a couple of things to light. The values are not case specific. And some of the headers work and some don't.

    Here is a list of header variables that I attempted to pull using the PreAuth filter and their outcome.

    Code:
    user-agent (browser): Success
    SM_USER (Siteminder): Fail
    SMUSER (Siteminder): Fail
    HTTP_SMUSER (Siteminder): Fail
    SMUNIVERSALID: Fail
    host (browser): Success
    HOST (browser): Success
    UPClientIP (Apache): Success

    I have verified that these values are in the header using a java servlet to dump all of them to the browser.

    The trend here is that the Siteminder variables are not accessible from the PreAuth filter. Does anyone know if there is a workaround or some text that needs to prepend the variable name?

    Or has anyone heard of issues with how Siteminder places its vars in the request header?

    Thanks,
    Jason

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team

    It doesn't have anything to do with whether headers are set by siteminder or whatever. Headers are just name-value pairs in the HTTP request. To the server they are nothing more and it isn't bothered about how they got there.

    Disable Spring Security, write your own filter which calls HttpServletRequest.getHeaderNames() and print out the list. If the name is there, it will be available to the RequestHeaderPreAuthenticatedProcessingFilter. If it's not, it won't find it.
    Spring - by Pivotal
    twitter @tekul
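
The check described in post #6, as an added example that is not code from the thread or from Spring Security: a servlet filter that logs the header names the container exposes, plus the result of getHeader() for each name tried in post #5. The class name is hypothetical and the code assumes the javax.servlet API used with Spring Security 2.0; it logs names and presence only, never header values.

```java
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical diagnostic filter; the class name is an assumption, not from the thread.
public class HeaderNameDumpFilter implements Filter {

    // Header names tried in the thread, looked up the same way the pre-auth filter does.
    private static final String[] CANDIDATES = {
        "SM_USER", "SMUSER", "HTTP_SMUSER", "SMUNIVERSALID", "user-agent", "UPClientIP"
    };

    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) request;
            StringBuilder out = new StringBuilder("Header names for ")
                    .append(http.getRequestURI()).append('\n');

            // Names as the container received them; brackets expose stray whitespace.
            // getHeaderNames() may return null if the container restricts access.
            Enumeration<?> names = http.getHeaderNames();
            while (names != null && names.hasMoreElements()) {
                out.append("  [").append(names.nextElement()).append("]\n");
            }

            // Report presence only: the values identify users and stay out of the log.
            for (String name : CANDIDATES) {
                boolean found = http.getHeader(name) != null;
                out.append("  getHeader(").append(name).append(") -> ")
                   .append(found ? "present" : "null").append('\n');
            }
            config.getServletContext().log(out.toString());
        }
        chain.doFilter(request, response);
    }
}
```

Map it in web.xml to the same URL pattern as the Spring Security filter so it sees the same requests the pre-auth filter would, rather than a request to a separate test servlet.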
