Ok, so after digging through the code and a considerable amount of trial and error I have a configuration that works with the standard spring header filter (I assume it would work with the j2ee filter as well. Create WEB-INF/applicationContext-externalAuth-preauth.xml with the following: <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"> <!-- marker disabling JIAuthenticationSynchronizer: pre-5.1 external auth config--> <alias name="${bean.authenticationProcessingFilter}" alias="proxyAuthenticationProcessingFilter"/> <bean id="proxyPreAuthenticatedProcessingFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter"> <property name="principalRequestHeader" value="uid" /> <property name="authenticationManager" ref="preauthenticationManager" /> </bean> <bean id="preauthenticationManager" class="org.springframework.security.authentication.ProviderManager"> <constructor-arg name="providers"> <list> <ref bean="preauthAuthProvider"/> </list> </constructor-arg> </bean> <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"> <property name="preAuthenticatedUserDetailsService"> <bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"> <property name="userDetailsService"><ref bean="${bean.internalUserAuthorityService}"/></property> </bean> </property> </bean></beans>[/code]Replace uid with the name of the header that contains the user's id. NOTE: this only will do SSO and assumes that the user already exists inside of your configuration. If the user doesn't exist I'm sure you'll get an error. Also, make sure that your accounts are NOT marked as external.