Apr 1, 2012

Spring Security - Single Sign-on Emulator

Spring Security comes with Preauthentication framework that allows authentication using an external authenticated system ( Single Sign-On  solutions- IBM’s WebSEAL, CA Siteminder) while still using internal authentication provider for authorization.

Spring’s preauthentication framework reads SSO security tokens (populated by external SSO provider) and populates user identity in its context, authorities and UserDetails are still loaded by authentication providers (JDBC, LDAP..) configured in security configuration.

Usually, enterprise SSO solutions are expensive and their licenses are not always extended to developer’s sandbox. As a result, workarounds are devised for developers that can compromise security, like hard-coding/commenting authentication piece( imagine if that makes it to production).  Also, there might be times when production support requires direct access to the application without going through SSO channel (SSO systems can be buggy too :)).

We implemented a configurable SSO emulator using spring security's filter chain that can mimic external authentication system on developer’s sandboxes. In SSO enabled environment the request is authenticated by external authentication system while on non-SSO environments it is authenticated by internal providers. In both cases the authorization (userdetailsservice) was common and agnostic of the authentication mechanism.

Spring Security makes every incoming request pass through a filter chain, where each filter inspects and validates the request based on it configuration before handing it over to next filter.  Spring allows you to write you own custom filters and place them in the filter chain. You have to be really careful with the sequencing of your filters because there are inter dependencies between them.  I had to spent a lot of time to get the filter sequencing right :)

We configured two custom filters and place them infront of preautheticated filter.

First filter (CustomFormAuthenticationFIlter) inspects the request to check where it is coming from:
  •         If it was coming from SSO system, then assume request authenticated and continue with the filter chain for pre-authentication scenario.
  •         If request was not coming from SSO then invoke spring’s form-login and authenticate using configure authentication provide.

Second filter (SSOAuthenticationTokenPopulatorFilter) inspects the request for the authentication mechanism
  •        If request is authenticated using internal customer authentication provider, then populate the SSO security tokens.

public class CustomFormAuthenticationFilter extends
              UsernamePasswordAuthenticationFilter {

       public void doFilter(ServletRequest req, ServletResponse res,
                     FilterChain chain) throws IOException, ServletException {             
              if (ssoAuthenticationTokenExists) {                    
                     chain.doFilter(req, res);

              } else {                    
                     super.doFilter(req, res, chain); 


SSOAuthenticationTokenPopulatorFilter: This filter will populate SSO Token if form-based authentication was successful. To populate the custom headers, we created our own custom RequestWrapper (extends HttpServletRequestWrapper), and after setting the custom header, replaced the request in the filter chain.

public class SSOAuthenticationTokenPopulatorFilter extends GenericFilterBean {
protected boolean isHeaderPopulationRequired() {
              Boolean customAuthentication = SecurityContextHolder.getContext()
              return customAuthentication;

public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
              if (isHeaderPopulationRequired ()) {

                     request = addCustomHeaders (
                                  (HttpServletRequest) request,
                                  (HttpServletResponse) response);               
              chain.doFilter(request, response);


public HttpServletRequest addCustomHeaders(HttpServletRequest request, HttpServletResponse response)
              AbstractAuthenticationToken principal = (AbstractAuthenticationToken) request.getUserPrincipal();
              request = new CustomRequestWrapper(request);
              String sUserID = principal.getName(); 
              ((CustomRequestWrapper) request).addCustomHeader("SSOAuthenticationToken", sUserID);
              return request;


public class CustomRequestWrapper extends HttpServletRequestWrapper {
       private Map<String, String> customHeaders = new HashMap<String, String>();

       public CustomRequestWrapper (HttpServletRequest request) {

       public void addCustomHeader(String name, String value){
              customHeaders.put(name, value);
       public String getHeader(String name){
              String header = null;
              if (customHeaders.containsKey(name)){
                     header = (String) customHeaders.get(name);
              } else {
                     header = super.getHeader(name);
              return header;


Now the most important piece, sequencing of filters:
·         customFormAutenticationhFilter
·         ssoAuthenticationTokenPopulatorFilter
·         Pre-authenticated (RequestHeaderAuthenticationFilter)

I sequenced by explicitly specifying before/after position for the filters, but I guess we can directly specify it in filters attribute of intercepting url.

Sample code is available @ https://github.com/romiawasthy/ssoemulator. 

       <sec:http use-expressions="true">
              <sec:intercept-url pattern="/**" access="isAuthenticated()" />
<sec:custom-filter ref="customFormAutenticationhFilter" before="FORM_LOGIN_FILTER" />
              <sec:custom-filter ref="ssoAuthenticationTokenPopulatorFilter"
                     after="ANONYMOUS_FILTER" />

<sec:custom-filter ref="preAuthenticatedFilter"
                     before="EXCEPTION_TRANSLATION_FILTER" />       
              <sec:form-login login-processing-url="/login_security_check"
                     always-use-default-target="false" authentication-failure-url="/spring_security_login?login_error" />
              <sec:logout />      


Or simply

<sec:http use-expressions="true">
              <sec:intercept-url pattern="/**" access="customFormAuthenticationFilter, ssoAuthenticationTokenPopulatorFilter, preAuthenticatedFilter " />
              <sec:form-login login-processing-url="/login_security_check"
                     always-use-default-target="false" authentication-failure-url="/spring_security_login?login_error" />
              <sec:logout />

Now you have a SSO emulator configured.