The Waffle Delegating Spring-Security Filter extends the Spring Security Single-SignOn Filter by letting the application that uses the filter inject an additional authentication manager, which authorizes a principal that has already been authenticated against Active Directory during the single sign-on process.
Configure Spring Security as is done for the Spring Security Single-SignOn Filter.
The DelegatingNegotiateSecurityFilter bean can be configured with the following options in addition to the ones provided by [NegotiateSecurityFilter](https://github.com/dblock/waffle/blob/master/Docs/spring/SpringSecuritySingleSignOnFilter.md):
- AuthenticationManager: Allows for the service provider to authorize the principal.
- AuthenticationSuccessHandler: Allows for the service provider to further populate the org.springframework.security.core.Authentication object.
- AuthenticationFailureHandler: Called if the AuthenticationManager throws an org.springframework.security.core.AuthenticationException.
- AccessDeniedHandler: Called if the AuthenticationManager throws an org.springframework.security.access.AccessDeniedException.
<!-- Delegating Negotiate filter: once Waffle has authenticated the Windows principal,
     the injected authenticationManager and handlers below take over authorization. -->
<!-- NOTE(review): "tenant" is not one of Spring's built-in scopes; this snippet assumes the
     application registers a custom scope under that name. Confirm, or omit the attribute. -->
<bean id="waffleNegotiateSecurityFilter" class="waffle.spring.DelegatingNegotiateSecurityFilter" scope="tenant">
    <!-- Guest logons are not accepted as an authenticated principal. -->
    <property name="allowGuestLogin" value="false"/>
    <!-- Provider collection defined in the base single sign-on filter configuration. -->
    <property name="Provider" ref="waffleSecurityFilterProviderCollection"/>
    <!-- Authorizes the already-authenticated principal; may throw
         AuthenticationException or AccessDeniedException. -->
    <property name="authenticationManager" ref="authenticationManager"/>
    <!-- Lets the service provider further populate the Authentication object. -->
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
    <!-- Invoked when the authenticationManager throws an AuthenticationException. -->
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
    <!-- Invoked when the authenticationManager throws an AccessDeniedException. -->
    <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
    <!-- Explicit null: the filter is given no default authority, so granted authorities
         have to come from elsewhere (presumably the delegated manager or the success
         handler; verify against the default of the Waffle version in use). -->
    <property name="defaultGrantedAuthority">
        <null/>
    </property>
</bean>
<!-- Exposes the Spring Security authentication manager under the bean name
     "authenticationManager", backed by the single provider bean "authenticationProvider". -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="authenticationProvider"/>
</security:authentication-manager>
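<!-- Placeholder provider: Spring Security's NullAuthenticationProvider offers no
     authentication service of its own and only stands in so that the manager has a
     provider configured. Replace it with the service provider's own AuthenticationProvider
     that performs the real authorization check for the Windows principal. -->
<!-- The element is self-closed here; the original listing left this bean tag open, which
     made the snippet ill-formed XML. -->
<bean id="authenticationProvider" class="org.springframework.security.config.authentication.AuthenticationManagerBeanDefinitionParser.NullAuthenticationProvider"/>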
<!-- Failure handler used when the delegated authenticationManager throws an
     AuthenticationException: the request is sent to the 403 error page. -->
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/errors/403"/>
    <!-- Server-side forward instead of a client redirect to the failure URL. -->
    <property name="useForward" value="true"/>
</bean>
<!-- Handler used when the delegated authenticationManager throws an
     AccessDeniedException: the same 403 error page is shown. -->
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/errors/403"/>
</bean>
A demo application can be found in the Waffle distribution in the Samples\waffle-spring-filter
directory. Copy the entire directory into Tomcat's or Jetty's webapps directory and navigate to http://localhost:8080/waffle-spring-filter/.