Comments (1)

spring-projects-issues avatar spring-projects-issues commented on July 23, 2024

Mark St.Godard said:

Ben,

I have committed the initial draft of the Switch User (‘su’) functionality. I created a new filter (SwitchUserProcessingFilter) that handles the ‘switch’ and ‘exit’ url requests.
This filter also uses the authenticationDao to allow access to load users. A few initial assumptions in this version:
- will only ‘su’ one level deep
- switch url will need to be secured so that only the desired Administrator can do the ‘su’. We can probably get more fancy here later, possibly doing more mapping of who can do this, and to which target users. Anyway, starting simple.

Example configuration:

/j_acegi_switch_user /j_acegi_exit_user /acegi-security-sample-contacts-filter/secure/debug.jsp

Note: I have the 2 URLs (j_acegi_switch_user, j_acegi_exit_user) configurable and these are responsible for their respective requests.

j_acegi_switch_user – will handle a switch attempt and expects the username of the target user
j_acegi_exit_user – will handle the exit attempt and expects that a successful switch had taken place.

I used your recommendation of using a custom GrantedAuthority (PREVIOUS_ADMINISTRATOR) to capture the original user. This is interrogated in the exit attempt and used to switch the context back.

I did some local testing with the Contacts sample and did some simple tests of
- logging in (i.e. User 1)
- going to /secure/debug.jsp (view User 1 info)
- going to a jsp that handles the switch (i.e. switchUser.jsp)
- submit request to ‘su’ to another user (i.e. User 2)
- going to /secure/debug.jsp (view User 2 info)
- go to exit page (i.e. exitUser.jsp)
- display current user logged in as, submit button to exit
- going to /secure/debug.jsp (shows User 1 info)

So initial simple tests seem to work, need to polish and do a lot more testing.

I have also added applicable unit tests.

Again, feedback welcome.

Cheers,
Mark

from spring-security.
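
The switch/exit flow described in the comment above, as an added plain-Java sketch (Java 17) that is not Mark's filter or any Acegi code. Only PREVIOUS_ADMINISTRATOR comes from the comment; the class, record and method names, ROLE_ADMINISTRATOR, and the sample users are assumptions, and the role check inside switchUser stands in for securing the switch URL.

```java
import java.util.*;

// Added illustration, not Acegi code. Hypothetical names throughout except PREVIOUS_ADMINISTRATOR.
public class SwitchUserSketch {
    record Authority(String role, Auth source) {}   // source is set only on the marker authority
    record Auth(String username, List<Authority> authorities) {
        Optional<Auth> original() {                  // the user who performed the switch, if any
            return authorities.stream()
                    .filter(a -> a.role().equals("PREVIOUS_ADMINISTRATOR"))
                    .map(Authority::source).findFirst();
        }
        boolean has(String role) { return authorities.stream().anyMatch(a -> a.role().equals(role)); }
    }

    // Stand-in for the authenticationDao lookup: constructed sample users.
    static final Map<String, List<String>> USERS = Map.of(
            "admin", List.of("ROLE_ADMINISTRATOR", "ROLE_USER"),
            "user2", List.of("ROLE_USER"));

    static Auth login(String username) {
        List<Authority> auths = new ArrayList<>();
        for (String r : USERS.get(username)) auths.add(new Authority(r, null));
        return new Auth(username, auths);
    }

    // Switch request: one level deep only, administrators only, target must exist.
    static Auth switchUser(Auth current, String target) {
        if (current.original().isPresent()) throw new IllegalStateException("already switched; exit first");
        if (!current.has("ROLE_ADMINISTRATOR")) throw new SecurityException("not allowed to switch");
        if (!USERS.containsKey(target)) throw new NoSuchElementException("unknown user " + target);
        List<Authority> auths = new ArrayList<>(login(target).authorities()); // target's roles only
        auths.add(new Authority("PREVIOUS_ADMINISTRATOR", current));          // remember who switched
        return new Auth(target, auths);
    }

    // Exit request: only valid after a successful switch; restores the original context.
    static Auth exitUser(Auth current) {
        return current.original()
                .orElseThrow(() -> new IllegalStateException("no switch in progress"));
    }

    public static void main(String[] args) {
        Auth admin = login("admin");
        Auth switched = switchUser(admin, "user2");
        System.out.println(switched.username() + " admin-role=" + switched.has("ROLE_ADMINISTRATOR"));
        System.out.println(exitUser(switched).username());
        try { switchUser(switched, "admin"); } catch (RuntimeException e) { System.out.println(e.getMessage()); }
    }
}
```

The switched context carries the target's authorities plus the marker, never the administrator's own roles, so the exit path is the only way back to the original privileges.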
