How to perform RunAs using method security with Spring MVC 3.2 and Spring Security 3.1

Question

I have a web application with Spring MVC 3.2 and Spring Security 3.1

I'm using roles base security and have implemented UserDetailsService and UserDetails to provide GrantedAuthority.

I've enabled global method security with jsr250-annotations

Everything upto here is working as expected with signed in user method access restricted to the declared roles.

I have a further requirement to run certain methods called during application initialisation as a special user with a 'system role' ideally along the lines of JavaEE RunAs. I'm not sure how to do this in Spring Security.

Should I be trying to create a PreAuthenticatedAuthenticationToken with some made up values and a 'system role' authority.
I could then do something likeSecurityContextHolder.getContext().setAuthentication(token); when initialising the application.

Alternatively should I be trying to use the RunAsManager. It sounds like what I need but I have not found any simple examples of how I actually could use it.

I'm fairly new to Spring Security and I'm unsure of the best way to proceed.

Answer 1

When my application starts

• I run a post construct method in my spring bean to create a special user in memory with a system role.
• This user object implements the

  org.springframework.security.core.userdetails.UserDetails

  interface.
• I then use the user to create a security token

  org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken

• The token is then set in the Security Context.

  @Service
  @Transactional(readOnly = true)
  public class ApplicationConfiguration{
      @Inject
      MyService myService;
      @PostConstruct
      @Transactional(readOnly = false)
      public void init(){
  
          // ######## Application Starting #######"
  
          // Create a user that meets the contract of the Spring UserDetails interface
  
          UserAccountImpl sysAcc = new UserAccountImpl("system", "system", "system");
          UserRole role = new UserRole(Role.SYSTEM_ROLE);
          role.addUserPermission(Permission.SYSTEM);
          sysAcc.addUserRole(role);
          UserDetailsAdapter userDetails = new UserDetailsAdapter(sysAcc);
  
          // Create a token and set the security context
  
          PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken( userDetails, userDetails.getPassword(), userDetails.getAuthorities());
          SecurityContextHolder.getContext().setAuthentication(token);
  
          // Now call service method with roles allowed  
  
          myService.initialiseSystem();
      }
  }
  

  ....

  public interface MyService {
      @RolesAllowed(SYSTEM)
      public void initialiseSystem();
  }