How to implement Spring's pre-authentication filter?

I'm trying to implement pre-authenticated security in our web application but I'm not sure how to do it correctly. There aren't that many examples out there. And the ones that are seem to have a much simpler setup than ours.

We get our authentication details in a request header as an XML with a firstname, lastname, user ID and an error tag, if any occurred.

I'm extending AbstractPreAuthenticatedProcessingFilter and in its getPreAuthenticatedPrincipal() I extract the header, unmarshall it, and do some validation.

Now the questions:

  • If everything's OK, do I just return my unmarshalled shibboleth from getPreAuthenticatedPrincipal()?
  • If something's wrong, do I just throw a PreAuthenticatedCredentialsNotFoundException?
  • What do I return from getPreAuthenticatedCredentials()? Is "N/A" sufficient?

I suppose at some point I have to create an Authentication and a Principal.

  • Is this a good approach?

    Principal dynamicUser = new DynamicUser(rijksregisterNummer);
    List<SimpleGrantedAuthority> grantedAuthorities = Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"));
    Authentication authentication = new AnonymousAuthenticationToken(rijksregisterNummer, dynamicUser, grantedAuthorities);
    
  • At what point (in which class) do I set it in the Spring Security?

  • What other classes do I need to extend?

  • How do I configure the Spring Security configuration XML? Like this? What am I missing?

    <http>
      <custom-filter position="PRE_AUTH_FILTER" ref="myPreAuthFilter" />
    </http>
    
    <bean id="myPreAuthFilter" class="my.package.MyPreAuthenticationFilter">
      <property name="authenticationManager" ref="authenticationManager"/>
    </bean>
    
    <authentication-manager alias="authenticationManager">
      <authentication-provider ref="customAuthenticationProvider"/>
    </authentication-manager>
    

External users go through pre-authentication (using an e-ID and card reader) and then hit our web application. Internal users, however, have to authenticate with a username and password, a normal authentication procedure.

  • How can I set it up so that when there isn't a shibboleth (thus a login from our internal users), I can display a login form?

Lots of questions, I know. I hope you can guide me through.

Koohoolinn asked Oct 03 '22 08:10


1 Answer

This is an old question but still relevant. As said, there were many questions. What caught my eye was the observation that there are not many example implementations.

I've been playing with an implementation. You can find it here: https://github.com/klaalo/reqTokenAuth.

It is easy to mix and match with authentication methods on WebSecurityConfigurerAdapter so that you can have traditional form based authentication for legacy users.

The implementation is based on the setting where Apache mod_auth_openidc sits in front of the application. However, the implementation should work fine also with Shibboleth SP.

I didn't quite catch your sentiment about sending authentication details in HTTP request headers as XML. Shibboleth SP is about SAML authentication. You should leave the details about authentication to the SAML SP and only enjoy the benefits of a readily authenticated user in your application. There's no need for unmarshalling the XML, Shibboleth does that for you. You get user details as clean Strings representing SAML attribute values in HTTP headers or HttpServletRequest attributes (when Tomcat/AJP is used).

KLaalo answered Oct 13 '22 09:10
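The following is an added example, not code from the question, the answer, or the linked reqTokenAuth repository. It puts the pieces asked about above into one Spring Security 5.x (WebSecurityConfigurerAdapter) setup: a filter that reads a single header set by the SP in front of the application, returns the user id as the principal or null when the header is absent, returns "N/A" as credentials, a PreAuthenticatedAuthenticationProvider that maps the trusted user id to roles, and a form login for internal users who arrive without the header. The header name `X-Shib-UserId`, the hard-coded role mapping and the in-memory internal user are assumptions standing in for whatever the real deployment uses.

```java
import java.util.Collections;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Extracts the user id the SP (Shibboleth SP / mod_auth_openidc) placed in a request header. */
class SpHeaderPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    /** Assumed header name; use whatever attribute name the SP is configured to export. */
    static final String USER_HEADER = "X-Shib-UserId";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String userId = request.getHeader(USER_HEADER);
        // A null principal tells the base filter that this request carries no
        // pre-authentication; it does nothing and the chain continues, which is
        // what lets internal users reach the form login configured below.
        if (userId == null || userId.trim().isEmpty()) {
            return null;
        }
        return userId.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // The application never sees a password; the SP already verified the user.
        return "N/A";
    }
}

/** Turns the trusted user id into a UserDetails with the roles the application grants. */
class SpUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws UsernameNotFoundException {
        String userId = token.getName();
        // Assumed mapping: every pre-authenticated user gets ROLE_USER. A real
        // deployment would look the id up in its own user store here.
        List<GrantedAuthority> authorities = Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
        return new User(userId, "N/A", authorities);
    }
}

@EnableWebSecurity
class MixedAuthConfig extends WebSecurityConfigurerAdapter {

    @Bean
    PreAuthenticatedAuthenticationProvider preAuthProvider() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new SpUserDetailsService());
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(preAuthProvider())
            // Internal users: an in-memory store is an assumption standing in for the real one.
            .inMemoryAuthentication()
                .withUser("internal").password("{noop}change-me").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SpHeaderPreAuthFilter preAuthFilter = new SpHeaderPreAuthFilter();
        preAuthFilter.setAuthenticationManager(authenticationManager());

        // addFilter() slots the filter at the PRE_AUTH_FILTER position because it extends
        // AbstractPreAuthenticatedProcessingFilter, the same as <custom-filter position="PRE_AUTH_FILTER"/>.
        http.addFilter(preAuthFilter)
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // Only reached when no SP header was present on the request.
            .formLogin();
    }
}
```

The one check that matters for this pattern is outside the code: the application must be reachable only through the SP, so that the header cannot be supplied by a client directly. If the servlet container is also exposed on another port or path, any request can set `X-Shib-UserId` and the provider will happily grant ROLE_USER to it. With the Tomcat/AJP setup the answer mentions, prefer `request.getAttribute(...)` over `getHeader(...)` in the filter, since attributes cannot be injected from outside the connector.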