How to use J2eePreAuthenticatedProcessingFilter and Native Authentication Provider?

I want my Spring application to try two pre-authentication methods (Siteminder container authentication and Java EE).

• If any of these filters finds a username - I want to check this username on my user database and assign roles based on what I see in the database. (I have an AuthenticationUserDetailsService implementation that does this for me.)
• If not, show the user the login page. Check the credentials that they enter on the form against my user database.

Siteminder integration works. The login form also works. My problem is with Java EE pre-authentication. It never works.

My application is context-security.xml:

<!-- HTTP security configurations --> <sec:http auto-config="true" use-expressions="true"> <sec:form-login login-processing-url="/resources/j_spring_security_check" always-use-default-target="true" default-target-url="/" login-page="/login" authentication-failure-url="/login?login_error=t" /> <sec:logout logout-url="/resources/j_spring_security_logout" /> <sec:access-denied-handler error-page="/accessDenied" /> <sec:remember-me user-service-ref="customUserDetailsService" token-validity-seconds="86400" key="OptiVLM-VaultBalance" /> <sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter"/> <sec:custom-filter after="PRE_AUTH_FILTER" ref="jeePreAuthenticatedFilter"/> <!-- various intercept-url elements here, skipped for brevity --> </sec:http> <!-- Authentication Manager --> <sec:authentication-manager alias="authenticationManager"> <!-- J2EE container pre-authentication or Siteminder --> <sec:authentication-provider ref="customPreAuthenticatedAuthenticationProvider" /> <!-- Default provider --> <sec:authentication-provider user-service-ref="customUserDetailsService" /> </sec:authentication-manager> <!-- Siteminder pre-authentication --> <bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter"> <property name="principalRequestHeader" value="SM_USER" /> <property name="authenticationManager" ref="authenticationManager" /> <property name="exceptionIfHeaderMissing" value="false" /> </bean> <!-- J2EE pre-authentication --> <bean id="jeePreAuthenticatedFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter"> <property name="authenticationManager" ref="authenticationManager" /> </bean> <!-- Custom pre-authentication provider --> <bean id="customPreAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"> <property name="preAuthenticatedUserDetailsService" ref="customAuthenticationUserDetailsService" /> </bean> 

I have Java 2 protection in Websphere and I logged in as "admin5". (I have a user with this username in my user database.) But when I access the application, the "customAuthenticationUserDetailsService" bean never rings to verify the username. I know this because "customAuthenticationUserDetailsService" makes an extensive log that clearly shows what it does. When I use pre-authentication Siteminder - "customAuthenticationUserDetailsService" works just fine, I get some trace output in the log. But not for J2EE authentication ...

I assume one of these things happens:

a) The Java EE preauthentication filter does not determine the username, so it never calls the authentication manager

b) The Java EE preauthentication filter works fine, but my custom authentication provider is never called by the authentication manager for any reason

By the way, the default authentication provider that uses "customUserDetailsService" also doesn’t kick. Again, I can say that since there is no way out of the 'customUserDetailsService' in the log.

Can you advise what could be the problem here? If it were not for the decision, then it would be very useful to accept a proposal on how to approach this.