SEC-15: User Security Context Switching #276

Closed
spring-projects-issues opened this issue Jun 24, 2005 · 1 comment
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement type: jira An issue that was migrated from JIRA
Milestone

Comments

@spring-projects-issues

Ben Alex (migrated from SEC-15) said:

It would be desirable to offer a Filter-based way for administrators to switch to a different user, then do work as that user, then revert to the original administrator account.

An implementation approach is detailed at http://forum.springframework.org/viewtopic.php?t=5719.

@spring-projects-issues

Mark St.Godard said:

Ben,

I have committed the initial draft of the Switch User ('su') functionality. I created a new filter (SwitchUserProcessingFilter) that handles the 'switch' and 'exit' URL requests.
This filter also uses the authenticationDao to allow access to load users. A few initial assumptions in this version:
- will only 'su' one level deep
- the switch URL will need to be secured so that only the desired Administrator can do the 'su'. We can probably get more fancy here later, possibly doing more mapping of who can do this, and to which target users. Anyway, starting simple.

Example configuration:

- switch URL: /j_acegi_switch_user
- exit URL: /j_acegi_exit_user
- target after switch: /acegi-security-sample-contacts-filter/secure/debug.jsp

Note: I have the 2 URLs (j_acegi_switch_user, j_acegi_exit_user) configurable, and these are responsible for their respective requests.

j_acegi_switch_user – will handle a switch attempt and expects the username of the target user
j_acegi_exit_user – will handle the exit attempt and expects that a successful switch has taken place.

I used your recommendation of using a custom GrantedAuthority (PREVIOUS_ADMINISTRATOR) to capture the original user. This is interrogated in the exit attempt and used to switch the context back.

I did some local testing with the Contacts sample and did some simple tests of
- logging in (i.e. User 1)
- going to /secure/debug.jsp (view User 1 info)
- going to a jsp that handles the switch (i.e. switchUser.jsp)
- submit request to ‘su’ to another user (i.e. User 2)
- going to /secure/debug.jsp (view User 2 info)
- go to exit page (i.e. exitUser.jsp)
- display current user logged in as, submit button to exit
- going to /secure/debug.jsp (shows User 1 info)

So initial simple tests seem to work; need to polish and do a lot more testing.

I have also added applicable unit tests.

Again, feedback welcome.

Cheers,
Mark
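The mechanism described in the comment above, written out as an added illustration (this is not the filter Mark committed and does not use Acegi's classes): a switch creates a new authentication for the target user and attaches a marker authority named PREVIOUS_ADMINISTRATOR that carries the original authentication, and an exit restores the original by reading that marker from the current context rather than from anything the client sends. The stand-in `Authentication`/`GrantedAuthority` types, the `ROLE_SUPERVISOR` name used to gate the switch, and the in-memory user map standing in for the authenticationDao are all assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

// Hypothetical stand-ins for the Authentication / GrantedAuthority contracts; not Acegi's real classes.
public class SwitchUserDemo {

    interface GrantedAuthority { String getAuthority(); }

    static final class SimpleGrantedAuthority implements GrantedAuthority {
        private final String role;
        SimpleGrantedAuthority(String role) { this.role = role; }
        public String getAuthority() { return role; }
    }

    // Marker authority from the comment: carries the original (administrator) authentication
    // so that the exit handler can switch the context back without trusting request input.
    static final class SwitchUserGrantedAuthority implements GrantedAuthority {
        static final String ROLE = "PREVIOUS_ADMINISTRATOR";
        private final Authentication source;
        SwitchUserGrantedAuthority(Authentication source) { this.source = source; }
        public String getAuthority() { return ROLE; }
        Authentication getSource() { return source; }
    }

    static final class Authentication {
        final String principal;
        final List<GrantedAuthority> authorities;
        Authentication(String principal, List<GrantedAuthority> authorities) {
            this.principal = principal;
            this.authorities = Collections.unmodifiableList(new ArrayList<>(authorities));
        }
        boolean has(String role) {
            for (GrantedAuthority a : authorities) if (a.getAuthority().equals(role)) return true;
            return false;
        }
    }

    // Constructed sample user store standing in for the authenticationDao.
    static final Map<String, List<GrantedAuthority>> USERS = Map.of(
        "admin", List.<GrantedAuthority>of(new SimpleGrantedAuthority("ROLE_SUPERVISOR"),
                                          new SimpleGrantedAuthority("ROLE_USER")),
        "alice", List.<GrantedAuthority>of(new SimpleGrantedAuthority("ROLE_USER")),
        "bob",   List.<GrantedAuthority>of(new SimpleGrantedAuthority("ROLE_USER")));

    // What the switch URL handler does with the current context and the requested username.
    static Authentication switchUser(Authentication current, String targetUsername) {
        // One level deep only: a context that is already switched may not switch again.
        if (current.has(SwitchUserGrantedAuthority.ROLE))
            throw new SecurityException("switch denied: already switched, exit first");
        // The switch URL must be restricted to the intended administrators.
        if (!current.has("ROLE_SUPERVISOR"))
            throw new SecurityException("switch denied: caller lacks ROLE_SUPERVISOR");
        List<GrantedAuthority> targetRoles = USERS.get(targetUsername);
        if (targetRoles == null)
            throw new SecurityException("switch denied: unknown user " + targetUsername);
        List<GrantedAuthority> combined = new ArrayList<>(targetRoles);
        combined.add(new SwitchUserGrantedAuthority(current)); // remember who we really are
        return new Authentication(targetUsername, combined);
    }

    // What the exit URL handler does: the original identity comes only from the marker authority.
    static Authentication exitUser(Authentication current) {
        for (GrantedAuthority a : current.authorities) {
            if (a instanceof SwitchUserGrantedAuthority) {
                return ((SwitchUserGrantedAuthority) a).getSource();
            }
        }
        throw new SecurityException("exit denied: no switch in progress");
    }

    public static void main(String[] args) {
        Authentication admin = new Authentication("admin", USERS.get("admin"));
        Authentication asAlice = switchUser(admin, "alice");
        System.out.println("acting as " + asAlice.principal
            + ", still supervisor? " + asAlice.has("ROLE_SUPERVISOR"));   // false
        try { switchUser(asAlice, "bob"); }                                // nested su refused
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        Authentication back = exitUser(asAlice);
        System.out.println("back to " + back.principal);                   // admin
        try { exitUser(back); }                                            // nothing to exit from
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Two points the walk-through in the comment relies on are made explicit here: the switched context drops the administrator's own roles (so work done "as User 2" really runs with User 2's authorities), and the exit path never accepts a username from the request, because the only trustworthy record of who to revert to is the marker authority placed in the context at switch time.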

@spring-projects-issues spring-projects-issues added in: core An issue in spring-security-core Closed type: jira An issue that was migrated from JIRA labels Feb 5, 2016
@spring-projects-issues spring-projects-issues added this to the 0.9.0 milestone Feb 5, 2016
@rwinch rwinch added the type: enhancement A general enhancement label May 3, 2019