Spring Security - conditionally use form-login if external auth fails / doesn't exist

Question

My required setup is a (spring-security enabled) webapp that can either be pre-authenticated (using pubcookie) OR have a "dev" mode enabled so I can ignore pubcookie and show a login form. Naturally, dev-mode will be turned-off in production, where the app will sit behind an Apache running mod_pubcookie, but for dev/QA I don't really need the external authentication mechanism.

The login form should appear only if (1) there's no REMOTE_USER request header (meaning we didn't go through pubcookie); AND (2) dev-mode is turned on in a property file.

My question: can this be configured in the spring security XML file, or do I need to take this into the code? (and how do I do that?)

Thanks,

D.

Answer 1

You can write your own custom filter and specify that it in your security context. As it is your custom filter you can get request object as well as configuration from properties file.

if you found REMOTE_USER and dev-mode on then set authentication in security context holder.

for implementing custom filter refer to link

Answer 2

Ok, so what I did was using Spring Profiles to create two separate profiles for "dev" and "prod", where I used different http and authentication-manager elements.

This blog entry from springsource helped a lot:

http://blog.springsource.com/2011/02/11/spring-framework-3-1-m1-released/

Just pay attention to where he says you can declare a profile in the dispatcher servlet's init-param element - that didn't work for me, so I used the global context-param in web.xml to declare my profile:

<context-param>
    <param-name>spring.profiles.active</param-name>
    <param-value>dev</param-value>
</context-param>

D.