Is activated if any {@link ConfigAttribute#getAttribute()} is prefixed with RUN_AS_. If found, it generates a new {@link RunAsUserToken} containing the same principal, credentials and granted authorities as the original {@link Authentication} object, along with {@link SimpleGrantedAuthority}s for each RUN_AS_ indicated. The created SimpleGrantedAuthority instances are prefixed with a special prefix indicating that they are roles (default prefix value is ROLE_), followed by the remainder of the RUN_AS_ keyword. For example, RUN_AS_FOO will result in the creation of a granted authority of ROLE_RUN_AS_FOO.
The role prefix may be overridden from the default, to match that used elsewhere, for example when using an existing role database with another prefix. An empty role prefix may also be specified. Note however that there are potential issues with using an empty role prefix, since different categories of {@link ConfigAttribute} cannot be properly discerned based on the prefix, with possible consequences when performing voting and other actions. However, this option may be of some use when using pre-existing role names without a prefix, and no ability exists to prefix them with a role prefix on reading them in, such as provided for example in {@link org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl}.

@author Ben Alex
@author Colin Sampaleanu
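
The prefix behaviour described above, as an added example that is not part of the Spring Security source or of this Javadoc. It assumes spring-security-core with the legacy access API (RunAsManagerImpl, SecurityConfig) on the classpath; the class name RunAsPrefixDemo, the key and the user values are constructed for illustration.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.intercept.RunAsManagerImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical demo class; all sample values below are constructed.
public class RunAsPrefixDemo {

    // Builds the run-as token for one secured invocation using the given role prefix.
    static Authentication runAs(String rolePrefix, Authentication caller,
                                Collection<ConfigAttribute> attributes) {
        RunAsManagerImpl manager = new RunAsManagerImpl();
        manager.setKey("constructed-demo-key"); // key stored in the RunAsUserToken (sample value)
        manager.setRolePrefix(rolePrefix);
        return manager.buildRunAs(caller, new Object(), attributes);
    }

    public static void main(String[] args) {
        // Original caller holds only ROLE_USER.
        Authentication caller = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        // Attributes configured on the secured object: one ordinary role
        // requirement and one RUN_AS_ attribute that activates the manager.
        List<ConfigAttribute> attributes =
                SecurityConfig.createList("ROLE_USER", "RUN_AS_FOO");

        // Default prefix: the extra authority is ROLE_RUN_AS_FOO, so anything
        // that classifies strings by the ROLE_ prefix still sees it as a role.
        Authentication withDefault = runAs("ROLE_", caller, attributes);
        System.out.println("default prefix: " + withDefault.getAuthorities());

        // Empty prefix: the extra authority is the bare string RUN_AS_FOO,
        // the same text as the ConfigAttribute that triggered it. Prefix-based
        // checks can no longer tell the granted role from the run-as
        // attribute, which is the ambiguity the Javadoc warns about.
        Authentication withEmpty = runAs("", caller, attributes);
        System.out.println("empty prefix:   " + withEmpty.getAuthorities());
    }
}
```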