With Spring Security you can achieve user impersonation using the SwitchUserFilter. If you are using LDAP, here are the relevant pieces.
...
<!-- Loads the account that SwitchUserFilter switches to (it is wired in as that filter's
     userDetailsService): the entry is found with ldapUserSearch, its authorities are resolved by
     ldapAuthoritiesPopulator, and the entry is mapped through customUserDetailsContextMapper,
     which is defined elsewhere in this context. -->
<beans:bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
  <beans:constructor-arg ref="ldapUserSearch"/>
  <beans:constructor-arg ref="ldapAuthoritiesPopulator"/>
  <beans:property name="userDetailsMapper">
    <beans:ref bean="customUserDetailsContextMapper"/>
  </beans:property>
</beans:bean>
...
<!-- Locates a user entry under ou=people,o=nestorurquiza by e-mail address. {0} is the name the
     caller supplies (the login name, or the j_username value of the switchUser URL); substituting and
     filter-escaping it is FilterBasedLdapUserSearch's job, not this config's. Confirm that behaviour
     for the Spring Security version in use. -->
<beans:bean id="ldapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg type="String" value="ou=people,o=nestorurquiza"/>
  <beans:constructor-arg type="String" value="mail={0}"/>
  <beans:constructor-arg ref="ldapContextSource"/>
</beans:bean>
...
<!-- Impersonation ("switch user") filter. Requests to switchUserUrl start acting as the account
     named by j_username, requests to exitUserUrl return to the original principal, and both end with
     a redirect to targetUrl. Both URLs sit under /admin/, so the /admin/** intercept-url rule in
     the http element is the access check that gates them. -->
<beans:bean id="switchUserProcessingFilter"
            class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
  <beans:property name="switchUserUrl" value="/admin/switchUser"/>
  <beans:property name="exitUserUrl" value="/admin/switchUserExit"/>
  <beans:property name="targetUrl" value="/"/>
  <beans:property name="userDetailsService">
    <beans:ref bean="ldapUserDetailsService"/>
  </beans:property>
</beans:bean>
...
<http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager" disable-url-rewriting="true">
...
<!-- Registered after FILTER_SECURITY_INTERCEPTOR, so the intercept-url rules are evaluated before
     this filter sees /admin/switchUser or /admin/switchUserExit; the /admin/** rule is therefore
     what decides who is allowed to switch. -->
<custom-filter ref="switchUserProcessingFilter" after="FILTER_SECURITY_INTERCEPTOR"/>
...
<!-- ROLE_PREVIOUS_ADMINISTRATOR is the authority a session carries while it is impersonating
     another user (it is what the "Be yourself" link checks). Listing it here means an impersonating
     session can reach every /admin/** URL, not only /admin/switchUserExit. If such a session should
     only be able to exit, put a narrower intercept-url for /admin/switchUserExit above this one and
     keep /admin/** on hasRole('ROLE_ADMIN'). -->
<intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN','ROLE_PREVIOUS_ADMINISTRATOR')" />
...
<!-- Shared LDAP connection used by the user search, the bind authenticator, the authorities
     populator and ldapTemplate. userDn/password are the credentials this context binds with; they
     come from externalized ldap.* properties rather than being written into this file. -->
<beans:bean id="ldapContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <beans:property name="url"><beans:value>${ldap.url}</beans:value></beans:property>
  <beans:property name="userDn"><beans:value>${ldap.userDn}</beans:value></beans:property>
  <beans:property name="password"><beans:value>${ldap.password}</beans:value></beans:property>
</beans:bean>
...
<!-- Authenticates by binding to the directory as the user: the login name is placed at {0} in the
     DN pattern and a bind with the supplied password is attempted for that DN. Authorities are then
     resolved by ldapAuthoritiesPopulator. Substituting {0} into the DN is done by BindAuthenticator,
     not by this config. -->
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg index="0">
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg>
        <beans:ref bean="ldapContextSource"/>
      </beans:constructor-arg>
      <beans:property name="userDnPatterns">
        <beans:list>
          <beans:value>mail={0},ou=people,o=nestorurquiza</beans:value>
        </beans:list>
      </beans:property>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg index="1">
    <beans:ref bean="ldapAuthoritiesPopulator"/>
  </beans:constructor-arg>
</beans:bean>
...
<!-- Resolves a user's roles from the group entries under ou=groups,o=nestorurquiza. Per
     DefaultLdapAuthoritiesPopulator's filter contract, {0} in groupSearchFilter is replaced with the
     user's full DN ({1} would be the username), so every group whose uniquemember attribute lists
     that DN yields one authority. -->
<beans:bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg>
    <beans:ref bean="ldapContextSource"/>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:value>ou=groups,o=nestorurquiza</beans:value>
  </beans:constructor-arg>
  <beans:property name="groupSearchFilter">
    <beans:value>uniquemember={0}</beans:value>
  </beans:property>
</beans:bean>
...
<!-- General-purpose LdapTemplate over the same context source. Nothing in this snippet refers to it,
     so it is presumably for application code outside the security filter chain. -->
<beans:bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <beans:constructor-arg>
    <beans:ref bean="ldapContextSource"/>
  </beans:constructor-arg>
</beans:bean>
...
I18n messages:
switchUser=Impersonate
switchUserExit=Be yourself
A link to impersonate, on the users listing page, should be available only to admins:
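<%-- Rendered only for administrators. The target account is passed as j_username. It is given as a
     spring:param so the e-mail address is URL-encoded: placed straight into the query string, a '+'
     or '&' in the address would be decoded as a space or would cut the parameter short.
     htmlEscape="true" escapes the finished URL for use inside the href attribute. --%>
<security:authorize access="hasRole('ROLE_ADMIN')">
| <a href="<spring:url value="/admin/switchUser" htmlEscape="true"><spring:param name="j_username" value="${employee.email}"/></spring:url>">
<spring:message code="switchUser"/></a>
</security:authorize>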
A link to switch back to admin user should be available only if the user is being impersonated:
<%-- ROLE_PREVIOUS_ADMINISTRATOR is present only while a switch is active, so this renders for an
     impersonating session and not for an ordinary user. The exit URL takes no parameters. --%>
<security:authorize access="hasRole('ROLE_PREVIOUS_ADMINISTRATOR')">
| <a href="<spring:url value="/admin/switchUserExit" htmlEscape="true" />">
<spring:message code="switchUserExit"/></a>
</security:authorize>
To use it, request the URLs below to switch to another user and then return to the original admin context:
http://localhost:8080/nestorurquiza-app/admin/switchUser?j_username=nurquiza@nestorurquiza.com
http://localhost:8080/nestorurquiza-app/admin/switchUserExit