Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Security 3.1 Run-As

I am trying to get the Run-As feature in Spring Security 3.1 to work. The strange thing is that I cannot find a single example. Even the Spring Security Book does not cover the topic at all.

Here is the security part of my application context.

<security:global-method-security
        pre-post-annotations="enabled">
    <security:expression-handler ref="customExpressionHandler"/>
</security:global-method-security>

<bean id="runAsManager"
      class="org.springframework.security.access.intercept.RunAsManagerImpl">
    <property name="key" value="my_run_as_password"/>
</bean>

<bean id="runAsAuthenticationProvider"
      class="org.springframework.security.access.intercept.RunAsImplAuthenticationProvider">
    <property name="key" value="my_run_as_password"/>
</bean>
<security:http auto-config="true" create-session="always">
    <security:remember-me key="njc2"/>
    <security:session-management invalid-session-url="/sessionTimeout.html"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:form-login login-page='/login.html'
                         authentication-success-handler-ref="njcAuthenticationSuccessHandler"
                         authentication-failure-url="/login-failure.html"/>
    <security:logout invalidate-session="true" logout-url="/j_spring_security_logout"
                     logout-success-url="/login.html"/>
</security:http>

At runtime Spring 'magically' creates an instance of org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor but does not wire my runAsManager and therefore uses the NullRunAsManager that is created by default.

Can you show me a valid Spring Security 3.1 example that demonstrates run as and using JSR-250 annotations such as @RunAs?

like image 823
saw303 Avatar asked Nov 13 '12 13:11

saw303


People also ask

What is default user for Spring Security?

In spring boot security, the default user name is “user”. The default password is printed in the console.

Is Spring Security enabled by default?

By default, the Authentication gets enabled for the Application. Also, content negotiation is used to determine if basic or formLogin should be used. For more defaults, see the security properties section of the Spring Boot Common Application Properties reference page.

Is WebSecurityConfigurerAdapter deprecated?

From Spring Boot 2.7, WebSecurityConfigurerAdapter is deprecated. In this tutorial, I will show you how to update your Web Security Config class in Spring Security without the WebSecurityConfigurerAdapter example.


1 Answers

Actually you can use Spring Security XML namespace to set RunAsManager:

<sec:global-method-security run-as-manager-ref="runAsManager">
     <!-- Rest of your code -->
</sec:global-method-security>

I don't know of any out-of-box @RunAs integration. But I'm sure it's possible to implement that by yourself and integrate with Spring Security.

like image 83
Maciej Ziarko Avatar answered Sep 28 '22 07:09

Maciej Ziarko