0

The authentication for our application happens through siteminder agent but the authorization is controlled through our application.

I am using org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter to check the header. I have also defined UserDetailsService to load the user details.

I also need to set the role for the user so that I can use spring security tag libraries and other spring methods to check the role and show the options.

How do I implement this?

I have tried the below statements in my user details service implementation, but doesn't seem to work.

    Authentication auth = new UsernamePasswordAuthenticationToken(user, null, roles);
    SecurityContextHolder.getContext().setAuthentication(auth);

I have also read about AbstractPreAuthenticatedProcessingFilter class but looks like this is may not be useful for this purpose.

Any help on this issue will be very helpful.

Thanks!

skaffman
  • 398,947
  • 96
  • 818
  • 769
Sanjeev
  • 119
  • 4
  • 18
  • Your _RequestHeaderAuthenticationFilter_ extends the _AbstractPreAuthenticatedProcessingFilter_ that you are talking about. You're good there. But you also need to set up the _PreAuthenticatedAuthenticationProvider_. You'll need to provide your security config files for someone to help you better. – Angad Jan 08 '15 at 01:06
  • Thank you for the response Angad. I was using PreAuthenticatedAuthenticationProvider provided by Spring Security, but was not extending it to set the roles. – Sanjeev Jan 08 '15 at 20:11

1 Answers1

1

I was trying to set the roles(using the statements in my question) in the UserDetailsService implementation and it was not working.

Solution-1: I have written a sub class PreAuthenticatedAuthenticationProvider and overridden the authenticate method as below :

public class CustomPreAuthenticatedAuthenticationProvider extends PreAuthenticatedAuthenticationProvider {


    @Autowired
    DBConfig dbConfig;

    @Override
    public Authentication authenticate(Authentication authentication)throws AuthenticationException {
        Authentication auth = super.authenticate(authentication);

        User user = (User)auth.getPrincipal();

        Set<Role> roles = new HashSet<Role>();

        String[] rolesArray = dbConfig.getRoles(user.getAccessLevel());
        for(String role: rolesArray){
            Role r = new Role();
            r.setName(role);
            roles.add(r);
        }

        user.setRoles(roles);

        auth = new UsernamePasswordAuthenticationToken(user, null, roles);

        return auth;
    }


}

Solution-2 : I tried setting the roles in the controller (the home page after authentication) and it worked. But looks like Solution-1 is a standard solution.

tedder42
  • 23,519
  • 13
  • 86
  • 102
Sanjeev
  • 119
  • 4
  • 18
  • 1
    Solution-1 is obviously preferable. I prefer keeping the roles fetch logic in UserDetailsService though. For that, what you would need is to implement the Spring provided class _AuthenticationUserDetailsService_ with generic type _PreAuthenticatedAuthenticationToken_ and override _loadUserDetails()_ method to write your roles logic – Angad Jan 08 '15 at 21:49