Menu
I have a need to have multiple PRE_AUTH Spring Security filters. In particular I need to use a PRE_AUTH filter in addition to the two filters configured as PRE_AUTH in the SAML extension to Spring Security 3.0. The existing SAML configuration follows.
<security:http entry-point-ref="samlEntryPoint">
<!-- snip intercepts -->
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlProcessingFilter"/>
<security:custom-filter before="PRE_AUTH_FILTER" ref="samlEntryPoint"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="metadataFilter"/>
<security:custom-filter after="LOGOUT_FILTER" ref="samlLogoutFilter"/>
<security:custom-filter before="LOGOUT_FILTER" ref="samlLogoutProcessingFilter"/>
</security:http>
The additional PRE_AUTH filter would need to be checked before either of the existing filters (ie: a user authenticated with this authentication method should not be given the opportunity to use SAML.
I considered changing it the following way.
<!-- snip -->
<security:custom-filter before="PRE_AUTH_FILTER" ref="newPreAuthFilter"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="samlEntryPoint"/>
<security:custom-filter after="PRE_AUTH_FILTER" ref="metadataFilter"/>
<!-- snip -->
Would this work, or is a more complicated solution required.
782
The Authentication Manager is only a interface and actual implementation of the authenticate method is provided by the ProviderManager. The ProviderManager has a list of AuthenticationProviders. From it's authenticate method it calls the authenticate method of the appropriate AuthenticateProvider.
The type WebSecurityConfigurerAdapter is deprecated Well, it's because the developers of Spring framework encourage users to move towards a component-based security configuration.
Class AuthenticationFilterA Filter that performs authentication of a particular request. An outline of the logic: A request comes in and if it does not match setRequestMatcher(RequestMatcher) , then this filter does nothing and the FilterChain is continued.
We can register the filter programmatically by creating a SecurityFilterChain bean. There are a couple of possible methods: addFilterBefore(filter, class) adds a filter before the position of the specified filter class. addFilterAfter(filter, class) adds a filter after the position of the specified filter class.
Very old question, but still relevant. Use the composite filter from spring:
<security:custom-filter before="PRE_AUTH_FILTER" ref="compositeAuthFilter"/>
<bean id="compositeAuthFilter" class="org.springframework.web.filter.CompositeFilter">
<property name="filters">
<list>
<ref bean="airlockAuthFilter"/>
<ref bean="samlEntryPoint"/>
<ref bean="metadataFilter"/>
</list>
</property>
</bean>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
