Michael Osipov (Migrated from SEC-3200) said:
Currently the preauth chain wraps information in a User object, which defeats the use of the original request#getUserPrincipal. It would be helpful if a security:jee-simple (mutually exclusive with security:jee) would wrap minimally and pass the original principal along with the created PreAuthenticatedAuthenticationToken result.
As far as I can see, one would need to change the following spots:
Copy J2eePreAuthenticatedProcessingFilter to JeeSimplePreAuthenticatedProcessingFilter and change:
```java
protected Object getPreAuthenticatedPrincipal(HttpServletRequest httpRequest) {
    Object principal = httpRequest.getUserPrincipal();
    if (logger.isDebugEnabled()) {
        logger.debug("PreAuthenticated J2EE principal: " + principal);
    }
    return principal;
}
```
Copy PreAuthenticatedAuthenticationProvider to SimplePreAuthenticatedAuthenticationProvider and change #authenticate():
```java
{
    // Copy authentication authentication to result, no user details service necessary
}
```
PreAuthenticatedGrantedAuthoritiesUserDetailsService would not be used.
This is related to SEC-3199 and would bring the behavior on par with it.
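A sketch of the provider described in the proposal above, added here as an illustration; it is not code from the issue or from Spring Security. The class name is the hypothetical one from the proposal, and reading the authorities from a `GrantedAuthoritiesContainer` in the token details assumes the filter is configured with a details source that supplies one.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthoritiesContainer;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical class named after the proposal; not part of Spring Security.
public class SimplePreAuthenticatedAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!supports(authentication.getClass())) {
            return null; // not ours, let another provider decide
        }
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof Principal)) {
            // Fail closed: only a principal supplied by the container is trusted.
            throw new BadCredentialsException("No container principal in pre-authenticated request");
        }
        // Assumption: roles mapped by the details source travel in the token details.
        Collection<? extends GrantedAuthority> authorities = Collections.emptyList();
        Object details = authentication.getDetails();
        if (details instanceof GrantedAuthoritiesContainer) {
            authorities = ((GrantedAuthoritiesContainer) details).getGrantedAuthorities();
        }
        // Keep the original principal object; no UserDetailsService, no User wrapper.
        PreAuthenticatedAuthenticationToken result = new PreAuthenticatedAuthenticationToken(
                principal, authentication.getCredentials(), authorities);
        result.setDetails(details);
        return result; // the three-argument constructor marks the token authenticated
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```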
Comment From: michael-o
Is there any remedy to the issue after five years?
Comment From: jgrandja
@michael-o This would be a new feature enhancement:
Copy J2eePreAuthenticatedProcessingFilter to JeeSimplePreAuthenticatedProcessingFilter...
Given that this issue is quite old and there has been no activity on it, I'm going to close this since there is no demand for adding this new feature.
For further context, please see this comment.