This filter is similar to Unix 'su', but for Spring Security-managed web applications. A common use case for this feature is allowing higher-authority users (e.g. ROLE_ADMIN) to switch to a regular user (e.g. ROLE_USER).

This filter assumes that the user performing the switch is logged in as normal (i.e. as a ROLE_ADMIN user). The user then accesses a page/controller that lets the administrator specify who they wish to become (see switchUserUrl).

Note: this URL must have appropriate security constraints configured so that only users of that role (e.g. ROLE_ADMIN) can access it.

On a successful switch, the user's SecurityContext is updated to reflect the specified user and also contains an additional {@link org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority} which holds the original user. Before switching, a check is made on whether the user is already switched, and any current switch is exited first to prevent "nested" switches.

To 'exit' from a user context, the user accesses a URL (see exitUserUrl) that switches back to the original user, as identified by the ROLE_PREVIOUS_ADMINISTRATOR authority.
To configure the Switch User Processing Filter, create a bean definition for the Switch User processing filter and add it to the filterChainProxy. Note that the filter must come after the FilterSecurityInterceptor in the chain, so that the correct constraints are applied to the switchUserUrl before the switch is performed. Example:
    <bean id="switchUserProcessingFilter"
          class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="switchUserUrl" value="/j_spring_security_switch_user" />
        <property name="exitUserUrl" value="/j_spring_security_exit_user" />
        <property name="targetUrl" value="/index.jsp" />
    </bean>

@author Mark St.Godard
@see org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority
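The same configuration expressed in Java, as an added example that is not part of the Spring Security Javadoc above. It assumes Spring Security 5.x (the lambda-style HttpSecurity DSL alongside FilterSecurityInterceptor), an existing UserDetailsService bean, and the URLs from the XML example. It shows the two points the text calls out: the filter is placed after FilterSecurityInterceptor, and the switch URL is restricted to ROLE_ADMIN so that ordinary users cannot impersonate others. The originalUser helper is an added illustration of how the pre-switch Authentication is recovered from the SwitchUserGrantedAuthority the filter adds.

```java
import java.util.Optional;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

@Configuration
public class SwitchUserConfig {

    // Assumed: a UserDetailsService bean is defined elsewhere in the application.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           UserDetailsService userDetailsService) throws Exception {
        // The filter is built here rather than exposed as its own @Bean: in Spring Boot a
        // Filter bean is also registered directly with the servlet container, which would
        // run it outside the security chain and bypass the ordering below.
        SwitchUserFilter switchUserFilter = new SwitchUserFilter();
        switchUserFilter.setUserDetailsService(userDetailsService);
        switchUserFilter.setSwitchUserUrl("/j_spring_security_switch_user");
        switchUserFilter.setExitUserUrl("/j_spring_security_exit_user");
        switchUserFilter.setTargetUrl("/index.jsp");

        http
            .authorizeRequests(authz -> authz
                // Only administrators may reach the switch URL. Without this rule any
                // authenticated user could become any other account.
                .antMatchers("/j_spring_security_switch_user").hasRole("ADMIN")
                // Exiting is only meaningful for a switched user, and a switched user is
                // exactly one carrying ROLE_PREVIOUS_ADMINISTRATOR.
                .antMatchers("/j_spring_security_exit_user").hasRole("PREVIOUS_ADMINISTRATOR")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // Must run after FilterSecurityInterceptor so the rules above are enforced
            // on the switch URL before the switch itself happens.
            .addFilterAfter(switchUserFilter, FilterSecurityInterceptor.class);

        return http.build();
    }

    /**
     * Returns the original (pre-switch) Authentication if the given one was produced by a
     * switch, or empty otherwise. The filter stores the original user as the source of a
     * SwitchUserGrantedAuthority among the current user's authorities.
     */
    public static Optional<Authentication> originalUser(Authentication current) {
        if (current == null) {
            return Optional.empty();
        }
        for (GrantedAuthority authority : current.getAuthorities()) {
            if (authority instanceof SwitchUserGrantedAuthority) {
                return Optional.of(((SwitchUserGrantedAuthority) authority).getSource());
            }
        }
        return Optional.empty();
    }
}
```

Because the switch URL check happens in FilterSecurityInterceptor, a request that reaches SwitchUserFilter has already passed the ROLE_ADMIN rule; reversing the order would let the switch run before the constraint is evaluated. The originalUser helper is useful for audit logging, since the principal in the SecurityContext is the impersonated user and only the SwitchUserGrantedAuthority identifies who actually issued the request.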