Add RequestAttributeAuthenticationFilter

[Majlen]

This style is used in many SSO implementations, such as Stanford WebAuth and Shibboleth. Even though in many uses it can be avoided by forcing the HTTP server/proxy to store the principal in header instead of environment variable, this approach is much more secure (you cannot set it without having better access to the server).

[pivotal-issuemaster]

@Majlen Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

[pivotal-issuemaster]

@Majlen Thank you for signing the Contributor License Agreement!

[rwinch]

@Majlen Thanks for the Pull Request.

I haven't seen this approach. How do you setup your container (i.e. Tomcat) to populate the request attribute?

[Majlen]

This approach is used by SSO implementations which are implemented as modules of Apache HTTPd.

Basically the container is hidden behind reverse proxy by using mod_jk, which can be set up to pass environment variables. These variables can then be accessed by ServletRequest.getAttribute() method.

[rwinch]

@Majlen Thanks for the response. I suppose I should have been more detailed in my ask. Can you provide me a link to a specific SSO implementation that does this? I'd really like some instructions on how to set this up so I can try it.

A few improvements before this gets merged:

• Add links to the SSO implementations that use this approach along with links to the setup required
• Add tests

[Majlen]

OK, 2 SSOs that I know of are Shibboleth and WebAuth, links are provided below. In case of WebAuth, you would also have to set up a Kerberos environment, since it is used as authentication backend.

I will provide test suite probably tommorow.

Shibboleth:

• Using Shibboleth with Java webapp: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
• Installation of identity provider: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPInstall
• Creating test environment: https://wiki.shibboleth.net/confluence/display/SHIB2/Creating+a+Local+Proof-of-Concept,+Learning+Environment

WebAuth:

• http://webauth.stanford.edu/manual/mod/mod_webauth.html#java

[rwinch]

Moved this back to M2 since there are no tests yet and M1 is getting released today

[Majlen]

Aah, I forgot, sorry about that. Tests are now included.

[rwinch]

Thanks for the PR!

This is now merged via a8120e7 I applied some polish via 9ae163e Summary:

• Rename to RequestAttributeAuthenticationFilter
• Move the test out of the envvariable package to preauth
• Formatting changes