Clement OUDOT (Migrated from SEC-1250) said:
I use preauth to get the connected user through an HTTP header. This works fine, but I would like to be able to fall back to another authentication method if no header is present. The goal is to be able to manage users connected with the WebSSO and others accessing the application directly.
There are no security problems because we manage different virtualhosts to protect the webapp (one virtualhost is handled by the WebSSO, another checks that the user does not forge their own headers and connects directly to the webapp).
I am attaching a class that we made to extend RequestHeaderPreAuthenticatedProcessingFilter, but I think it could be nice to have a parameter like "ContinueWithoutHeader" that will be false by default.
We can provide any help to solve this.
Luke Taylor said:
I've added a property called "exceptionIfHeaderMissing" which controls whether an exception will be raised by the getPreAuthenticationPrincipal method.
This issue is related to #1499