1

I have an app with uses a Digest authentication. I want to customize the authentication process by checking a custom HTTP header in addition to the Digest method. If the header is present in the request the authentication should proceed as before, if it isn't then the user should be rejected. I tried to do this by defining a custom preauthentication filter, but somehow it doesn't work together with the Digest filter.

<security:http entry-point-ref="digestEntryPoint">
    <security:custom-filter ref="customPreauthFilter" position="PRE_AUTH_FILTER"/>
    <security:custom-filter ref="digestFilter" before="BASIC_AUTH_FILTER"/>
    <security:anonymous enabled="false"/>
</security:http>


<bean id="customPreauthFilter" class="com.myapp.messaging.security.SoundianRequestHeaderAuthenticationFilter">
    <property name="authenticationManager" ref="appControlAuthenticationManager" />
</bean>

<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="customUserDetailsService"/>
        </bean>
    </property>
</bean>

<security:authentication-manager alias="appControlAuthenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />
    <security:authentication-provider ref="daoAuthenticationProvider"/>
</security:authentication-manager>

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="customUserDetailsService"/>
</bean>

<!-- Digest authentication -->
<bean id="digestFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
    <security:authentication-provider ref="preauthAuthProvider" />
    <!-- <security:authentication-provider ref="daoAuthenticationProvider"/>-->
</bean>

<bean id="digestEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
    <property name="realmName" value="myvalue"/>
    <property name="key" value="acegi"/>
    <property name="nonceValiditySeconds" value="10"/>
</bean>

The Preauthentication filter succeeds, but I am still getting 401 results.

If I uncomment 

<!-- <security:authentication-provider ref="daoAuthenticationProvider"/>-->

then the preauthentication filter is disregarded.

modusCell
  • 13,151
  • 9
  • 53
  • 80
akafazov
  • 435
  • 1
  • 6
  • 14

0 Answers0