Home/ Questions/Q 7771359
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T16:37:58+00:00

I’m trying configure Request-Header Authentication using spring 2.0 security, and I’m a complete newbie

  • 0

I’m trying configure Request-Header Authentication using spring 2.0 security, and I’m a complete newbie at it so please bear with me. From the doc, they give an example config file using siteminder.

In my scenario, there will be a username and usergroup in the request header, using keys of CC_USER and CC_USER_GROUP respectively. So I adjusted the file to be as follows (see below).

I know that in the external system the user will already have been authenticated using some type of single sign on, and when control reaches my app, we just need to check the request headers for the CC_USER and CC_USER_GROUP.

Question1: The example below uses a “userDetailsService”. Is this something I need to implement? Is this where I will check the request headers for CC_USER and CC_USER_GROUP?

Question2: Is there a complete example I can download somewhere that uses request header authentication? I did a lot of googling, but didn’t really find a lot of help.

Question3: I would like to just harcode some dummy users in for testing, like they do in the docs. How would I incorporate the following into my request header configuration?

<authentication-provider>
    <user-service>
      <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
      <user name="bob" password="bobspassword" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>

My modified sample config file (based on siteminder file from docs):

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
       http://www.springframework.org/schema/context/spring-context-2.5.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <bean id="ssoFilter"
        class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
        <security:custom-filter position="PRE_AUTH_FILTER" />
        <property name="principalRequestHeader" value="CC_USER" />
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="preauthAuthProvider"
        class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <security:custom-authentication-provider />
        <property name="preAuthenticatedUserDetailsService">
            <bean id="userDetailsServiceWrapper"
                class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="userDetailsService" />
            </bean>
        </property>
    </bean>

    <security:authentication-manager
        alias="authenticationManager" />
</beans>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    1. UserDetailsService is just an Interface, you need to implement. It has only one method to load user from DB by username and returns UserDetails object with user info(here you can also keep the user group information). This service have nothing with request headers. I think, the best place to check the request headers – is RequestHeaderPreAuthenticatedProcessingFilter
    2. Are you talking about RequestHeaderAuthenticationFilter? The documentation is very clearly, I think.
    3. Hardcoded users in xml will not work if you implement own user-service
    • 0