While developing an application it's quite useful to be able to quickly log in as different users, with different roles, to see how the application presents itself.
Typing usernames and entering passwords is no fun, and a waste of time. What I'd like to do is:
N.B.: Passwords are hashed and submitted in plain-text using forms, so encoding the passwords in the links is not an option.
Obviously this feature will only be present at development time.
How can I achieve this?
From Spring Boot 2.7, WebSecurityConfigurerAdapter is deprecated.
There are situations where you want to use Spring Security for authorization, but the user has already been reliably authenticated by some external system prior to accessing the application. We refer to these situations as “pre-authenticated” scenarios.
In this configuration Spring Security will render a default log in page. Most production applications will require a custom log in form. The configuration below demonstrates how to provide a custom log in form. public SecurityFilterChain filterChain(HttpSecurity http) { http .
Use InMemoryDaoImpl for development mode. It is very easy to create users and passwords stored in memory:
<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
        <value>
            admin=admin,ROLE_ADMIN,ROLE_USER
            user1=user1,ROLE_USER
            user2=user2,ROLE_USER
        </value>
    </property>
</bean>
In development mode inject this into your authentication provider. In production replace it with the proper DB or LDAP implementation.
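A current Spring Security equivalent of the in-memory approach above, as an added example (not code from the answer or from the Spring documentation): the users are registered only under a development profile, and startup fails if that profile is ever combined with a production one. The profile names `dev` and `prod` and the class name `DevUsersConfig` are assumptions; the users mirror the `userMap` above.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.env.Environment;
import org.springframework.core.env.Profiles;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Loaded only when the "dev" profile is active (assumed profile name),
// so these accounts are never registered in a production context.
@Configuration
@Profile("dev")
public class DevUsersConfig {

    public DevUsersConfig(Environment env) {
        // Fail fast if dev and production profiles are activated together
        // ("prod" is an assumed profile name).
        if (env.acceptsProfiles(Profiles.of("prod"))) {
            throw new IllegalStateException(
                "Development users must not be enabled together with the prod profile");
        }
    }

    @Bean
    public UserDetailsService devUserDetailsService() {
        // {noop} marks the stored password as plain text. This assumes the
        // default DelegatingPasswordEncoder, i.e. no custom PasswordEncoder bean.
        // roles("ADMIN") yields the authority ROLE_ADMIN, as in the userMap.
        return new InMemoryUserDetailsManager(
            User.withUsername("admin").password("{noop}admin")
                .roles("ADMIN", "USER").build(),
            User.withUsername("user1").password("{noop}user1")
                .roles("USER").build(),
            User.withUsername("user2").password("{noop}user2")
                .roles("USER").build());
    }
}
```

The production `UserDetailsService` (DB or LDAP) would be declared in a separate configuration that is not active under `dev`, so only one implementation is present at a time.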
I have done it this way for a web application:
I have a configuration parameter in context.xml of the server (of course only in the development server). This parameter contains a comma-separated list of usernames and passwords.
The login page (jsp(x)) simply adds an extra form and submit button for each username, password item from the context parameter. So if a user clicks on that button the normal login process with the predefined login data is triggered.
Server context.xml
...
<Context>
    ...
    <Parameter name="quickLogin"
               value="admin:passwd,user:otherPasswd"
               override="false" />
</Context>
login.jspx
...
<!-- Login for debugging purposes -->
<c:forTokens items="${initParam.quickLogin}" delims="," var="loginPassword">
    <c:set var="login" value="${fn:split(loginPassword, ':')[0]}" />
    <c:set var="password" value="${fn:split(loginPassword, ':')[1]}" />
    <form name="debugLogin" action="${form_url}" method="POST" >
        <crsf:hiddenCrsfNonce/>
        <input type="hidden" name='j_username' value="${fn:escapeXml(login)}" />
        <input type="hidden" name='j_password' value="${fn:escapeXml(password)}" />
        <input type="submit" value="${fn:escapeXml(login)} login" />
    </form>
</c:forTokens>
...