How to impersonate user using SwitchUserFilter in Spring?

I do not have any knowledge of user impersonation in Spring.

I have gone through some sample configuration code for impersonating a user and noticed that SwitchUserFilter is used for this implementation.

How do I implement user impersonation using Spring's SwitchUserFilter, and how does it work? What is the internal flow of impersonating a user?

In my application I am also using Spring Security.

Can anyone please help me with a simple description or a sample example to achieve this?

Sachi-17 asked Jul 13 '15 06:07



1 Answer

You first need to create an instance of SwitchUserFilter, like this:

@Bean
public SwitchUserFilter switchUserFilter() {
    SwitchUserFilter filter = new SwitchUserFilter();
    // userDetailsService loads the target account; the two handlers decide where the
    // request goes after a switch succeeds or fails (all three are defined elsewhere in the config)
    filter.setUserDetailsService(userDetailsService);
    filter.setSuccessHandler(authenticationSuccessHandler);
    filter.setFailureHandler(authenticationFailureHandler());
    return filter;
}

Then, you can add the filter this way:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
     ...
     .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
}

Now, to switch, you can use

POST /login/impersonate?username=loginIdOfTheNewUser

and to switch back

POST /logout/impersonate

Note that it’s your job to ensure that the existing user has enough rights for the switch. A common practice could be to restrict /login/impersonate only to ADMINs, and /logout/impersonate to authenticated users, like this:

        .authorizeRequests()
            .antMatchers("/login/impersonate*").hasRole("ADMIN")
            .antMatchers("/logout/impersonate*").authenticated()
            .antMatchers("/**").permitAll();

See this for a complete example.

Sanjay answered Oct 19 '22 20:10
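The pieces of the answer above assembled into one runnable configuration, as an added example that is not the answer's own code and not from the Spring project. It assumes Spring Security 5.x (WebSecurityConfigurerAdapter is still present there), and the users, URLs and passwords are constructed sample values. It goes slightly beyond the answer in two places: the exit URL is restricted to sessions that are actually switched (the filter grants ROLE_PREVIOUS_ADMINISTRATOR to the impersonating Authentication, so that is a tighter check than authenticated()), and a listener records every switch for audit. On the internal flow the question asks about: on a POST to the switch URL the filter loads the target with the UserDetailsService, builds a new Authentication carrying the target's authorities plus a SwitchUserGrantedAuthority that wraps the original Authentication, and stores it in the SecurityContext; on the exit URL it finds that authority and restores the wrapped original.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

@Configuration
@EnableWebSecurity
public class ImpersonationSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed sample users (hypothetical): one admin who may switch,
    // one ordinary user who may be switched to. Spring picks this single
    // UserDetailsService bean up for the global AuthenticationManager.
    @Bean
    public UserDetailsService users() {
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin").password("admin-pass").roles("ADMIN").build();
        UserDetails alice = User.withDefaultPasswordEncoder()
                .username("alice").password("alice-pass").roles("USER").build();
        return new InMemoryUserDetailsManager(admin, alice);
    }

    @Bean
    public SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(users());           // loads the target account
        filter.setSwitchUserUrl("/login/impersonate");   // POST /login/impersonate?username=alice
        filter.setExitUserUrl("/logout/impersonate");    // POST /logout/impersonate
        filter.setTargetUrl("/");                        // landing page after a switch or an exit
        filter.setSwitchFailureUrl("/switch-failed");    // unknown, locked or disabled target user
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only admins may start a switch.
                .antMatchers("/login/impersonate*").hasRole("ADMIN")
                // Only a session that is currently switched may end one: the filter adds
                // this authority to the impersonating Authentication when the switch succeeds.
                .antMatchers("/logout/impersonate*")
                    .hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            // CSRF protection is left at its default (enabled): both impersonation
            // endpoints are POSTs, so the request must carry the CSRF token.
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
    }

    // Audit hook: the filter publishes this event on every successful switch,
    // so each impersonation is recorded with both identities.
    @EventListener
    public void onSwitchUser(AuthenticationSwitchUserEvent event) {
        System.out.printf("AUDIT impersonation: %s -> %s%n",
                event.getAuthentication().getName(), event.getTargetUser().getUsername());
    }

    // Helper for application code: returns the original admin's name when the
    // current Authentication is an impersonation, or null for a normal login.
    public static String impersonatorOf(Authentication auth) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (ga instanceof SwitchUserGrantedAuthority) {
                return ((SwitchUserGrantedAuthority) ga).getSource().getName();
            }
        }
        return null;
    }
}
```

Log in as admin, then POST /login/impersonate?username=alice with the CSRF token; subsequent requests run as alice, impersonatorOf(...) returns "admin", and the audit line is printed. POST /logout/impersonate restores the admin session. Audit-relevant actions taken while switched should log impersonatorOf(...) alongside the acting user, since the principal name alone now reads as alice.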