Preauth in Spring Security 3.x

Sometimes in a webapp a filter, app or container other than Spring is responsible for authenticating the user and setting the user principal, leaving authorization (authz) to the Spring webapp. A portlet container is a typical example. There are a few examples floating around showing how to do this in Spring 2.x, but it appears some things (packages, etc.) have changed for Spring 3.x, so here is how to make it work. Use the following in your applicationContext.xml:

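<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Assumption: the namespace URIs and class attributes were missing from this listing; the values shown are the standard Spring Security 3.0 ones -->
  <!-- Set up the security to be passed through from a higher-level container -->
  <sec:http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    <sec:intercept-url pattern="/**" access="ROLE_STAFF" />
  </sec:http>
  <bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

  <sec:authentication-manager>
    <sec:authentication-provider ref="preAuthenticatedProcessingFilter" />
  </sec:authentication-manager>
  <bean id="preAuthenticatedProcessingFilter" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
  </bean>
  <bean id="preAuthenticatedUserDetailsService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />
</beans>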
