Preauth in Spring Security 3.x

Posted on January 20, 2011
Tags: java, Spring

Sometimes in a webapp you will be in a situation where a filter/app/container other than Spring will be responsible for authenticating a user and setting the user principal, leaving the authz to the Spring webapp. A portlet container is a typical example. There is a few examples floating around showing how to do this in Spring 2.x, but it appears some thing (packages, etc) have changed for Spring 3.x, so here is how to make it work. Use the following in your applicationContext.xml

<beans xmlns=""

  <!-- Setup the security to be passed through from a higher level container -->
    <sec:http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    <sec:intercept-url pattern="/**" access="ROLE_STAFF" />
  <bean id="preAuthenticatedProcessingFilterEntryPoint"></bean>

  <sec:authentication-manager><sec:authentication-provider ref="preAuthenticatedProcessingFilter"></sec:authentication-provider></sec:authentication-manager>
  <bean id="preAuthenticatedProcessingFilter">
    <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"></property>
  <bean id="preAuthenticatedUserDetailsService"></bean>