I am trying to get the Run-As feature in Spring Security 3.1 to work. The strange thing is that I cannot find a single example. Even the Spring Security Book does not cover the topic at all.
Here is the security part of my application context.
<security:global-method-security
        pre-post-annotations="enabled">
    <security:expression-handler ref="customExpressionHandler"/>
</security:global-method-security>

<bean id="runAsManager"
      class="org.springframework.security.access.intercept.RunAsManagerImpl">
    <property name="key" value="my_run_as_password"/>
</bean>

<bean id="runAsAuthenticationProvider"
      class="org.springframework.security.access.intercept.RunAsImplAuthenticationProvider">
    <property name="key" value="my_run_as_password"/>
</bean>

<security:http auto-config="true" create-session="always">
    <security:remember-me key="njc2"/>
    <security:session-management invalid-session-url="/sessionTimeout.html"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:form-login login-page='/login.html'
                         authentication-success-handler-ref="njcAuthenticationSuccessHandler"
                         authentication-failure-url="/login-failure.html"/>
    <security:logout invalidate-session="true" logout-url="/j_spring_security_logout"
                     logout-success-url="/login.html"/>
</security:http>
At runtime Spring 'magically' creates an instance of org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor but does not wire my runAsManager and therefore uses the NullRunAsManager that is created by default.
Can you show me a valid Spring Security 3.1 example that demonstrates run as and using JSR-250 annotations such as @RunAs?
Actually you can use Spring Security XML namespace to set RunAsManager:
<sec:global-method-security run-as-manager-ref="runAsManager">
    <!-- Rest of your code -->
</sec:global-method-security>
I don't know of any out-of-box @RunAs integration. But I'm sure it's possible to implement that by yourself and integrate with Spring Security.
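A complete wiring of the run-as setup discussed in this thread, as an added example that is not part of the original question or answer. It uses the `security:` prefix from the question; the `reportService` bean, the `com.example.ReportService` class, the `RUN_AS_AUDITOR` attribute and the user `alice` are hypothetical or constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- run-as-manager-ref replaces the default NullRunAsManager.
       RunAsManagerImpl only reacts to attributes whose text starts with RUN_AS_,
       so declare them with @Secured; expression attributes from @PreAuthorize
       carry no such text and never trigger it. -->
  <security:global-method-security secured-annotations="enabled"
                                   pre-post-annotations="enabled"
                                   run-as-manager-ref="runAsManager"/>

  <!-- The key is hashed into every RunAsUserToken this manager creates. -->
  <bean id="runAsManager"
        class="org.springframework.security.access.intercept.RunAsManagerImpl">
    <property name="key" value="my_run_as_password"/>
  </bean>

  <!-- Accepts a RunAsUserToken only if its key hash matches; same key as above. -->
  <bean id="runAsAuthenticationProvider"
        class="org.springframework.security.access.intercept.RunAsImplAuthenticationProvider">
    <property name="key" value="my_run_as_password"/>
  </bean>

  <security:authentication-manager>
    <security:authentication-provider ref="runAsAuthenticationProvider"/>
    <security:authentication-provider>
      <security:user-service>
        <!-- constructed sample user -->
        <security:user name="alice" password="sample-password" authorities="ROLE_USER"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>

  <!-- Hypothetical service. Its method is annotated as:
         @Secured({"ROLE_USER", "RUN_AS_AUDITOR"})
         public void exportReport() { ... }
       A caller needs ROLE_USER; during the call the security context also
       holds ROLE_RUN_AS_AUDITOR, and the original Authentication is restored
       when the method returns. -->
  <bean id="reportService" class="com.example.ReportService"/>
</beans>
```

Treat the run-as key like any other secret: anything that knows it can construct a token the provider will accept, so keep it out of shared configuration and use a different value per environment.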