How to impersonate a user using SwitchUserFilter in Spring?

I do not have any knowledge of Spring's user impersonation.

I have gone through some sample configuration code for impersonating a user and noticed that SwitchUserFilter is used for this implementation.

How do I implement user impersonation using Spring's SwitchUserFilter, and how does it work? What is the internal flow of impersonating a user?

I am also using Spring Security in my application.

Can anyone please help me with a simple description or a sample example to achieve this?

Sewole asked 13/7, 2015 at 6:57

You first need to create an instance of SwitchUserFilter, like this:

import org.springframework.context.annotation.Bean;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;

// userDetailsService, authenticationSuccessHandler and authenticationFailureHandler() are the
// UserDetailsService and AuthenticationSuccess/FailureHandler already defined in your configuration.
@Bean
public SwitchUserFilter switchUserFilter() {
    SwitchUserFilter filter = new SwitchUserFilter();
    filter.setUserDetailsService(userDetailsService);       // required: loads the user being switched to
    filter.setSuccessHandler(authenticationSuccessHandler); // required unless setTargetUrl(...) is used instead
    filter.setFailureHandler(authenticationFailureHandler());
    return filter;
}

Then, you can add the filter this way:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
     ...
     // placed after FilterSecurityInterceptor so URL authorization runs before a switch is attempted
     .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
}

Now, to switch, you can use

POST /login/impersonate?username=loginIdOfTheNewUser

and to switch back

POST /logout/impersonate

Note that it’s your job to ensure that the existing user has enough rights for the switch. A common practice could be to restrict /login/impersonate to ADMINs only, and /logout/impersonate to authenticated users, like this:

        .authorizeRequests()
            .antMatchers("/login/impersonate*").hasRole("ADMIN")
            .antMatchers("/logout/impersonate*").authenticated()
            .antMatchers("/**").permitAll();

See this for a complete example.

Orozco answered 15/7, 2015 at 15:10
Did anyone do impersonation using OAuth2? (Patina)
Example link 404. (Nirvana)
Calling /logout/impersonate without previously impersonating a user will lead to a 403 access denied error. (Hathorn)
Thanks, but I have a question. Is the .hasRole("ADMIN") necessary if I don't use the authorities? (Crossfertilization)
Not necessary, but then anyone can impersonate anyone, AFAIK, and isn't that dangerous? (Orozco)
Since you are calling the switchUserFilter() method directly to get the filter, shouldn't you remove the @Bean annotation on that method? (Evelunn)
Calls to @Bean methods in @Configuration classes actually don't execute the method, but return the configured bean. So, if we remove the @Bean, the difference will be just that there would be no switchUserFilter bean in the application context. But maybe that's okay. So, probably removing @Bean should be just fine. (Orozco)
Thanks Sanjay. Just curious: do you know, if you leave @Bean and call the method, whether you end up with two instances? One in the app context (that may never get used) and another one (not in the app context) that is part of the filter chain... Or is Spring smart enough to know to only create one instance in this case? Thanks! (Evelunn)
If you leave the @Bean, there should NOT be any instance in the App Context. (But if you have the @Bean in the @Configuration class, Spring is smart enough to create only one instance, even if you call the method one or more times.) (Orozco)
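The following is an added, complete example that is not part of the answer above, the comments, or Spring's own code. It shows the same SwitchUserFilter setup written against the current Spring Security 6 / Spring Boot 3 API (SecurityFilterChain bean, authorizeHttpRequests, AuthorizationFilter in place of FilterSecurityInterceptor), together with the two things a practitioner wants around impersonation that the thread only touches on: the ADMIN restriction the comments call dangerous to omit, and an audit trail of who switched to whom. The class names ImpersonationSecurityConfig, ImpersonationAuditHandler and originalPrincipal, the in-memory users admin/alice and the log line format are assumptions for the example. The internal flow it relies on is how SwitchUserFilter works: on POST /login/impersonate it loads the target user through the UserDetailsService, runs the account-status checks (locked, disabled, expired), builds a new Authentication carrying the target's authorities plus a SwitchUserGrantedAuthority named ROLE_PREVIOUS_ADMINISTRATOR whose getSource() is the original Authentication, and stores it in the SecurityContext; on POST /logout/impersonate it pulls the original Authentication back out of that authority and restores it.

```java
import java.io.IOException;
import java.util.Optional;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

@Configuration
@EnableWebSecurity
public class ImpersonationSecurityConfig {

    // Constructed sample users for this example; a real application backs this with its own store.
    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
                User.withUsername("admin").password("{noop}admin-pw").roles("ADMIN", "USER").build(),
                User.withUsername("alice").password("{noop}alice-pw").roles("USER").build());
    }

    @Bean
    public SwitchUserFilter switchUserFilter(UserDetailsService userDetailsService) {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService); // loads the target; locked/disabled accounts are rejected
        filter.setSwitchUserUrl("/login/impersonate");    // spelled out here; these are also the defaults
        filter.setExitUserUrl("/logout/impersonate");
        filter.setUsernameParameter("username");
        filter.setSuccessHandler(new ImpersonationAuditHandler());
        filter.setFailureHandler(new SimpleUrlAuthenticationFailureHandler("/?impersonate=failed"));
        return filter;
    }

    // Boot registers every Filter bean as a plain servlet filter, i.e. outside the security chain and
    // in front of the ADMIN check below. Disable that so the filter only runs inside the chain.
    @Bean
    public FilterRegistrationBean<SwitchUserFilter> switchUserFilterRegistration(SwitchUserFilter filter) {
        FilterRegistrationBean<SwitchUserFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, SwitchUserFilter switchUserFilter) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login/impersonate").hasRole("ADMIN") // only admins may start a switch
                .requestMatchers("/logout/impersonate").authenticated() // anyone logged in may switch back
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // After AuthorizationFilter, so the role check above runs before the switch is attempted.
            .addFilterAfter(switchUserFilter, AuthorizationFilter.class);
        return http.build();
    }

    /** The original (pre-switch) Authentication, or empty when the caller is not impersonating anyone. */
    public static Optional<Authentication> originalPrincipal(Authentication authentication) {
        return authentication.getAuthorities().stream()
                .filter(SwitchUserGrantedAuthority.class::isInstance)
                .map(a -> ((SwitchUserGrantedAuthority) a).getSource())
                .findFirst();
    }

    /** Logs who switched to whom so every impersonation is attributable; the filter calls it on switch and on exit. */
    static class ImpersonationAuditHandler extends SimpleUrlAuthenticationSuccessHandler {
        private static final Logger log = LoggerFactory.getLogger(ImpersonationAuditHandler.class);

        ImpersonationAuditHandler() { super("/"); }

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            // On a switch, `authentication` is the target user and carries the admin as source of the
            // switch authority; on an exit it is the restored original user, which carries no such authority.
            Optional<Authentication> original = originalPrincipal(authentication);
            if (original.isPresent()) {
                log.warn("IMPERSONATION_START actor={} target={} ip={}",
                        original.get().getName(), authentication.getName(), request.getRemoteAddr());
            } else {
                log.warn("IMPERSONATION_END actor={} ip={}", authentication.getName(), request.getRemoteAddr());
            }
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }
}
```

To exercise it, log in through the form as admin, then POST username=alice to /login/impersonate and POST to /logout/impersonate; with CSRF protection left at its default both POSTs must carry the CSRF token, which is the reason the endpoints are POST-only. originalPrincipal is also the hook for denying sensitive operations while a session is impersonated (for example refusing password or MFA changes when it returns a non-empty value), since the target user's ordinary roles alone cannot tell that an admin is behind the request.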
