These scenarios are referred to as "pre-authenticated" because the user has been reliably authenticated before reaching the application. Spring Security provides a number of classes to support pre-authentication, such as the PreAuthenticatedAuthenticationProvider class. This post demonstrates how to convert a web application based on Spring Security authentication to one that uses container-based authentication.
As Spring Security will no longer be authenticating the user, we need to modify our login page to target the standard j_security_check URI instead of the Spring-specific j_spring_security_check.
We also need to specify the security constraints within the web.xml such as form-based login and the security role names.
Note that although we will be using Spring Security for specifying our access control rules, we still need to specify some access control within the web.xml so that the JEE container knows when to request authentication from the user.
We have also replaced the springSecurityFilterChain bean with the filterChainProxy bean. This allows specifying (via the Spring context file) which Spring bean filters will be involved in the security process.
So which filters are required to configure the FilterChainProxy for this container based pre-authenticated scenario?
The above shows the five filters that have been specified in the Spring Security pre-auth sample. Let's see what each one is responsible for.
SecurityContextPersistenceFilter is responsible for populating the SecurityContextHolder and is required to be the first filter to execute.
The J2eePreAuthFilter is what retrieves the JEE user principal name and the associated roles for the pre-authenticated principal. As the container has performed the authentication, the user principal is available with its associated roles, and these are mapped to Spring's
LogoutFilter will invoke the configured list of LogoutHandler implementations and then direct the user to the URL specified in the first argument. It is also possible to provide a LogoutSuccessHandler to implement any custom logic after a successful logout. The LogoutHandlers are responsible for implementing the actual logout behaviour, such as invalidating the session.
ExceptionTranslationFilter is responsible for handling any AuthenticationException thrown within the filter chain and mapping it to an HTTP response. It will delegate to the authenticationEntryPoint on an AuthenticationException. In the pre-authenticated scenario, the authenticationEntryPoint will simply return the HTTP 403 error code rather than commence the re-authentication process.
The final filter in the chain is the FilterSecurityInterceptor, which implements the access control rules for HTTP resources, similar to the ones defined in the HTTP security namespace. The FilterSecurityInterceptor will first check if authentication is required, and then ask the accessDecisionManager to decide whether to grant access to the requested resource. The AccessDecisionManager collaborates with the configured list of AccessDecisionVoters to resolve the authorization request.
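As an added illustration (not the sample's own configuration file), the following Spring context fragment wires the five filters above into a filterChainProxy bean in the order described. It assumes Spring Security 3.1-era XML configuration with the `beans` namespace as default and the `sec` namespace declared, and that the `/secure/**` pattern and the `ROLE_USER` role name are placeholders for the application's own.

```xml
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
  <sec:filter-chain-map path-type="ant">
    <!-- order matters: the context persistence filter runs first, the interceptor last -->
    <sec:filter-chain pattern="/**" filters="sif,j2eePreAuthFilter,logoutFilter,etf,fsi"/>
  </sec:filter-chain-map>
</bean>
<bean id="sif" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
<!-- Takes the principal the container authenticated; maps the roles declared in web.xml to authorities -->
<bean id="j2eePreAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationDetailsSource">
    <bean class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
      <property name="mappableRolesRetriever"><bean class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"/></property>
      <property name="userRoles2GrantedAuthoritiesMapper"><bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper"/></property>
    </bean>
  </property>
</bean>
<!-- No password check here: the provider trusts the container and only builds the Authentication -->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
  <constructor-arg>
    <list>
      <bean class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
          <bean class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
        </property>
      </bean>
    </list>
  </constructor-arg>
</bean>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
  <constructor-arg value="/"/> <!-- URL the user is sent to after the handlers have run -->
  <constructor-arg><list><bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/></list></constructor-arg>
</bean>
<!-- The container owns the login, so an unauthenticated request gets a 403 rather than a login redirect -->
<bean id="etf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <constructor-arg><bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/></constructor-arg>
</bean>
<bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager">
    <bean class="org.springframework.security.access.vote.AffirmativeBased">
      <constructor-arg><list><bean class="org.springframework.security.access.vote.RoleVoter"/></list></constructor-arg>
    </bean>
  </property>
  <property name="securityMetadataSource">
    <sec:filter-security-metadata-source>
      <sec:intercept-url pattern="/secure/**" access="ROLE_USER"/> <!-- placeholder rule -->
    </sec:filter-security-metadata-source>
  </property>
</bean>
```

The role names granted here are only as trustworthy as the container's own role mapping, so the web.xml security constraints and the server's role-to-group mapping remain part of the access control surface.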
These filters, together with some changes to the web.xml and to the login and logout forms, enable transitioning a web application based on Spring Security authentication to one that uses container-based authentication.
Finally, depending on the application server used, there will be some configuration required for mapping the JEE security roles.