We are trying to do fine-grained authorizations using Spring Security while having user authentication and coarse-grained authorization using the OpenAM policies feature for the application realm. What I mean by coarse-grained is simple URI rules with subjects. What I mean by fine-grained authorization is at web application level, such as using ACLs with spring-security-acls.
To accomplish this, an approach that I have thought of is to use **Spring Security PreAuthenticationFilters** as outlined in the spring-security reference manual. I got this thought after reading this question: pre-authentication
To do rapid prototyping, I have chosen Grails 2.2.3 as the web application platform with plugins for spring-security-core and acls behind OpenAM and OpenAM J2EE policy agent interfaces. The OpenAM policy is set up to authenticate a user and return the uid (LDAP user id) in the policy response header. This is mapped to USER_ID in the response provider and sent as an HTTP header by the policy agent.
The grails application resources.groovy looks like this:
```groovy
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter

beans = {
    // Builds the UserDetails from the pre-authenticated token
    preAuthenticatedGrantedAuthoritiesUserDetailsService(PreAuthenticatedGrantedAuthoritiesUserDetailsService)
    // Provider that accepts a PreAuthenticatedAuthenticationToken without checking a password
    preAuthenticatedAuthenticationProvider(PreAuthenticatedAuthenticationProvider) {
        preAuthenticatedUserDetailsService = ref('preAuthenticatedGrantedAuthoritiesUserDetailsService')
    }
    // Reads the principal from the USER_ID header set by the OpenAM policy agent
    requestHeaderAuthenticationFilter(RequestHeaderAuthenticationFilter) {
        authenticationManager = ref('authenticationManager')
        principalRequestHeader = 'USER_ID'
    }
}
```
The BootStrap.groovy looks like this:
```groovy
// Package names as used by the spring-security-core plugin 1.2.x (the version the stack trace below shows)
import grails.plugins.springsecurity.SpringSecurityUtils
import org.codehaus.groovy.grails.plugins.springsecurity.SecurityFilterPosition

def init = { servletContext ->
    // Register the header filter in the pre-authentication slot of the plugin's filter chain
    SpringSecurityUtils.clientRegisterFilter('requestHeaderAuthenticationFilter', SecurityFilterPosition.PRE_AUTH_FILTER)
}
```
When I tested this in my local setup, I get errors ...
```text
org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: USER_ID header not found in request.
    at org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter.getPreAuthenticatedPrincipal(RequestHeaderAuthenticationFilter.java:43)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:98)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:86)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.codehaus.groovy.grails.plugins.springsecurity.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
```
Any clues on how to solve the issue, or comments/suggestions on the approach itself?
Thanks for your responses.
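An added example, not from the question, Grails or Spring, that wires the same filter and provider in plain Java with Spring's mock servlet classes so the filter's behaviour with and without the USER_ID header can be observed outside the Grails setup. It assumes Spring Security 3.1 and spring-test on the classpath; the user-details service, the URI and the uid `jdoe` are placeholders chosen for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.ServletException;
import org.springframework.mock.web.*;                                  // spring-test
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.preauth.*;

public class PreAuthHeaderDemo {
    // Same chain as resources.groovy: filter -> ProviderManager -> PreAuthenticatedAuthenticationProvider.
    // The user-details service is a hypothetical stand-in that grants every arriving uid ROLE_USER.
    static RequestHeaderAuthenticationFilter buildFilter(boolean exceptionIfHeaderMissing) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
            new AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>() {
                public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
                    return new User(token.getName(), "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
                }
            });
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader("USER_ID");                    // header the OpenAM agent is expected to add
        filter.setExceptionIfHeaderMissing(exceptionIfHeaderMissing);   // default true: the exception in the question
        filter.setAuthenticationManager(new ProviderManager(Arrays.<AuthenticationProvider>asList(provider)));
        return filter;
    }

    // Runs one request through the filter; returns the authenticated name, or null if nobody was authenticated.
    static String authenticate(RequestHeaderAuthenticationFilter filter, String userId) throws IOException, ServletException {
        SecurityContextHolder.clearContext();
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/secure/report");
        if (userId != null) request.addHeader("USER_ID", userId);
        filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? null : auth.getName();
    }

    public static void main(String[] args) throws Exception {
        // 1. Header present: the uid is accepted as-is, with no check that it came through the agent, so the
        //    agent must be the only route into the application for this header to be trustworthy.
        System.out.println("with header   : " + authenticate(buildFilter(true), "jdoe"));
        // 2. Header absent with the default settings: the PreAuthenticatedCredentialsNotFoundException from the question.
        try { authenticate(buildFilter(true), null); }
        catch (PreAuthenticatedCredentialsNotFoundException e) { System.out.println("without header: " + e.getMessage()); }
        // 3. Header absent, exceptionIfHeaderMissing=false: the request stays anonymous and the chain continues,
        //    which is the setting for URIs that are not fronted by the agent.
        System.out.println("lenient       : " + authenticate(buildFilter(false), null));
    }
}
```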