Integrate Single Sign On using Spring Security

The general approach is:

1) Subclass AbstractAuthenticationToken for your XML logins, let's call it XMLAuthenticationToken.

2) Subclass AbstractAuthenticationProcessingFilter and add it to the filter chain after UsernamePasswordAuthenticationFilter. It should create a XMLAuthenticationToken based on the data in the XML. You can use UsernamePasswordAuthenticationFilter as an example for the general structure of the filter (that's most likely the filter that you are currently using for your regular Spring Security logins).

<http>  <custom-filter after="FORM_LOGIN_FILTER" ref="xmlAuthenticationFilter"/></http>

The filter should set a filterProcessesUrl that is different from the UsernamePasswordFilter. This is the URL the external system will post the XML to. For example:

public XmlAuthenticationFilter() {    super("/xml_security_check");}

3) Subclass AbstractUserDetailsAuthenticationProvider. Have it look up the user from the UserDetailsService based on the info in the token, and then authenticate it. Use DaoAuthenticationProvider as an example. You will need to register the new provider with the AuthenticationManager.

<authentication-manager>  <authentication-provider user-service-ref='myUserDetailsService'/>  <authentication-provider ref="xmlAuthenticationProvider" /></authentication-manager>

You might be able to get away with reusing UsernamePasswordAuthenticationToken (for #1, it has a nice "details" extension mechanism) and DaoAuthenticationProvider (or subclassing it) for #3.