SEC-1250: RequestHeaderPreAuthenticatedProcessingFilter cannot be used to fall back to another authentication type #1500

Closed
spring-issuemaster opened this Issue Sep 29, 2009 · 2 comments

@spring-issuemaster

Clement OUDOT (Migrated from SEC-1250) said:

Hello,

I use preauth to get the connected user through an HTTP header. This works fine, but I would like to be able to fall back to another authentication method if no header is present. The goal is to be able to manage users connected through the WebSSO and others accessing the application directly.

There are no security problems because we manage different virtualhosts to protect the webapp (one virtualhost is handled by the WebSSO, another checks that the user does not forge their own headers and connect directly to the webapp).

I am attaching a class that we made to extend RequestHeaderPreAuthenticatedProcessingFilter, but I think it would be nice to have a parameter like "ContinueWithoutHeader", which would be false by default.

We can provide any help to solve this.

Thank you,

Clément.

@spring-issuemaster

Luke Taylor said:

I've added a property called "exceptionIfHeaderMissing" which controls whether an exception will be raised by the getPreAuthenticationPrincipal method.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
@spring-issuemaster

This issue is related to #1499
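A configuration sketch of the fallback discussed in this thread, added here as an example and not taken from the issue or from the Spring Security project. It assumes the Spring Security 3.0 XML namespace; the header name `X-SSO-User`, the bean ids and the sample user are constructed for illustration.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <!-- Header-based pre-authentication is tried first. -->
    <custom-filter position="PRE_AUTH_FILTER" ref="headerFilter"/>
    <!-- Fallback for requests that arrive without the header. -->
    <form-login/>
  </http>

  <!-- Assumption, as in the report above: the front-end virtual hosts
       remove any client-supplied copy of this header, so only the
       WebSSO can set it. -->
  <beans:bean id="headerFilter"
      class="org.springframework.security.web.authentication.preauth.RequestHeaderPreAuthenticatedProcessingFilter">
    <beans:property name="principalRequestHeader" value="X-SSO-User"/>
    <!-- false: a missing header raises no exception, so the request
         continues down the chain unauthenticated and form login applies. -->
    <beans:property name="exceptionIfHeaderMissing" value="false"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>

  <!-- Accepts the pre-authenticated principal and loads its authorities. -->
  <beans:bean id="preauthProvider"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
      <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <beans:property name="userDetailsService" ref="userDetailsService"/>
      </beans:bean>
    </beans:property>
  </beans:bean>

  <authentication-manager alias="authenticationManager">
    <authentication-provider ref="preauthProvider"/>
    <!-- Password check used only by the form-login fallback. -->
    <authentication-provider user-service-ref="userDetailsService"/>
  </authentication-manager>

  <!-- Constructed sample user; replace with the real user store. -->
  <user-service id="userDetailsService">
    <user name="alice" password="CHANGE_ME" authorities="ROLE_USER"/>
  </user-service>
</beans:beans>
```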
