[JAVA] Implementation sample when Form authentication and Request-Header authentication are used together in Spring Security
Trigger In a certain Web application development, there was a requirement to realize the following two at the same time. ① Form authentication can be performed by entering the ID and password from the login screen. (2) Authentication can be performed with the value of a specific attribute in the HTTP request header.
(2) is a requirement that the existing external authentication system sets a token in the HTTP request header and redirects when the authentication is successful, so SSO using it is realized.
(1) Independent or (2) Independent implementation samples can be found all over the Internet, but I could not find a pattern to use them together (and it was technical as such), so I will introduce how it was realized.
Source
Set as follows.
https://github.com/ShandyGaffLover/sample001/blob/master/src/main/resources/spring-security.xml
Explanation
Customize "PRE_AUTH_FILTER" and "FORM_LOGIN_FILER".
<sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter" />
Customize PRE_AUTH_FILTER
<sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter" />
Customize PRE_AUTH_FILTER
To customize "PRE_AUTH_FILTER", use the RequestHeaderAuthenticationFilter class as follows. Set the exceptionIfHeaderMissing property to false and the continueFilterChainOnUnsuccessfulAuthentication property to true for convenience with Form authentication.
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="SM_USER"/>
<property name="authenticationManager" ref="sm_authenticationManager" />
<property name="exceptionIfHeaderMissing" value="false"/>
<property name="continueFilterChainOnUnsuccessfulAuthentication" value="true"/>
</bean>
Here, AuthenticationManager (and AuthenticationProvider) is defined as follows.
<sec:authentication-manager id="sm_authenticationManager">
<sec:authentication-provider ref="preauthAuthProvider" />
</sec:authentication-manager>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="customUserDetailsService"/>
</bean>
</property>
</bean>
Use the PreAuthenticatedAuthenticationProvider class for AuthenticationProvider. Note that the UserDetailsService given to the preAuthenticatedUserDetailsService property must be wrapped by the UserDetailsByNameServiceWrapper class.
Customize FORM_LOGIN_FILER
The customization of "FORM_LOGIN_FILER" is as follows.
<sec:authentication-manager id="form_authenticationManager">
<sec:authentication-provider user-service-ref="customUserDetailsService" >
</sec:authentication-provider>
</sec:authentication-manager>
<bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="form_authenticationManager" />
<property name="authenticationSuccessHandler" ref="formLoginSuccessHandler" />
<property name="authenticationFailureHandler" ref="formLoginFailureHandler" />
<property name="filterProcessesUrl" value="/login" />
</bean>
<sec:authentication-manager id="form_authenticationManager">
<sec:authentication-provider user-service-ref="customUserDetailsService" >
</sec:authentication-provider>
</sec:authentication-manager>
<bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="form_authenticationManager" />
<property name="authenticationSuccessHandler" ref="formLoginSuccessHandler" />
<property name="authenticationFailureHandler" ref="formLoginFailureHandler" />
<property name="filterProcessesUrl" value="/login" />
</bean>
Note that since a custom filter is used here, it is necessary to set the entry-point-ref attribute of the
<sec:http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
~Omission~
<sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter" />
</sec:http>
<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<constructor-arg value="/loginPage" />
</bean>
real thing You can check the operation from the following. [^ 1] https://shandygafflover.herokuapp.com/
① From the login screen, enter "user" for username and "password" for password to log in and you will be authenticated. (2) If you set the value "user" to the attribute "SM_USER" in the HTTP request header [^ 2], you will be authenticated. Here, ModHeader introduced in the following article is used.
Set the authentication information from the outside in the HTTP header of the browser --Qiita https://qiita.com/utwang/items/1eeb25d27e8acea33a8a
[^ 1]: I'm very sorry, but at the time of posting the article, it is said that it does not support https (even though it is authentication!). I'm sorry. I will make time to deal with it.
[^ 2]: The attribute name "SM_USER" in the request header is just an example. In actual development, attribute names should be difficult to guess and should be confidential.
Execution result Set the value "user" to the attribute "SM_USER" of the HTTP request header. 
In this state, for example, access the following URL.
Then you will be authenticated and the page will be displayed.
If the attribute "SM_USER" is not set in the HTTP request header, the login screen will be displayed, so you will be authenticated by username and password.
Reference URL
Spring Security Usage Memo Authentication / Authorization --Qiita https://qiita.com/opengl-8080/items/032ed0fa27a239bdc1cc
03-1. How to set Spring Security 2 --soracane https://sites.google.com/site/soracane/home/springnitsuite/spring-security/spring-securityno-settei-houhou
Tech Note – Explains how to create your own spring security authentication process http://javatechnology.net/spring/spring-security-login-filter-original/
Work notes when applying Spring Security-Namihira Blog http://namihira.hatenablog.com/entry/20160817/1471396975
AbstractAuthenticationProcessingFilter (Spring Security 4.2.6.RELEASE API) https://docs.spring.io/spring-security/site/docs/4.2.6.RELEASE/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html
Spring Security Java - Multiple Authentication Manager - 2 bean found error - Stack Overflow https://stackoverflow.com/questions/32105846/spring-security-java-multiple-authentication-manager-2-bean-found-error