org.springframework.security.web.authentication.switchuser
Class SwitchUserFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.web.authentication.switchuser.SwitchUserFilter
All Implemented Interfaces:
Filter, BeanNameAware, DisposableBean, InitializingBean, ApplicationEventPublisherAware, MessageSourceAware, ServletContextAware

public class SwitchUserFilter
extends GenericFilterBean
implements ApplicationEventPublisherAware, MessageSourceAware

Switch User processing filter responsible for user context switching.

This filter is similar to Unix 'su', but for Spring Security-managed web applications. A common use case for this feature is allowing higher-authority users (e.g. ROLE_ADMIN) to switch to a regular user (e.g. ROLE_USER).

This filter assumes that the user performing the switch will be required to be logged in as normal (i.e. as a ROLE_ADMIN user). The user will then access a page/controller that enables the administrator to specify who they wish to become (see switchUserUrl).

Note: This URL will be required to have appropriate security constraints configured so that only users of that role can access it (e.g. ROLE_ADMIN).

On a successful switch, the user's SecurityContextHolder will be updated to reflect the specified user and will also contain an additional SwitchUserGrantedAuthority which contains the original user.

To 'exit' from a user context, the user will then need to access a URL (see exitUserUrl) that will switch back to the original user as identified by the ROLE_PREVIOUS_ADMINISTRATOR.
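
Because a switched session carries the original user inside its SwitchUserGrantedAuthority, audit code can record both identities for every action. The helper below is an added example, not part of the Spring Security API or this page: the class name ImpersonationAudit, its method names and the sample users "root" and "alice" are hypothetical, and it assumes the Spring Security 3.0 core and web jars are on the classpath.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

/** Hypothetical audit helper: resolves who is really acting in a switched session. */
public class ImpersonationAudit {

    /** Returns the original Authentication if 'current' is a switched user, else null. */
    public static Authentication originalUser(Authentication current) {
        if (current == null) {
            return null;
        }
        for (GrantedAuthority authority : current.getAuthorities()) {
            if (authority instanceof SwitchUserGrantedAuthority) {
                return ((SwitchUserGrantedAuthority) authority).getSource();
            }
        }
        return null;
    }

    /** Builds the actor string to write next to every audited action. */
    public static String actor(Authentication current) {
        if (current == null) {
            return "anonymous";
        }
        Authentication original = originalUser(current);
        return original == null
                ? current.getName()
                : current.getName() + " (switched from " + original.getName() + ")";
    }

    public static void main(String[] args) {
        // Constructed sample: administrator "root" has switched to regular user "alice".
        Authentication admin = new UsernamePasswordAuthenticationToken(
                "root", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        List<GrantedAuthority> switched =
                new ArrayList<GrantedAuthority>(AuthorityUtils.createAuthorityList("ROLE_USER"));
        switched.add(new SwitchUserGrantedAuthority(
                SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR, admin));
        Authentication alice = new UsernamePasswordAuthenticationToken("alice", "n/a", switched);

        System.out.println(actor(admin));
        System.out.println(actor(alice));
    }
}
```

In an application, pass SecurityContextHolder.getContext().getAuthentication() to actor() wherever an audit record is written, so actions taken while switched are attributable to the administrator who performed them.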

To configure the Switch User Processing Filter, create a bean definition for the Switch User processing filter and add it to the filterChainProxy. Note that the filter must come after the FilterSecurityInterceptor in the chain, in order to apply the correct constraints to the switchUserUrl. Example:

 <bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
    <property name="userDetailsService" ref="userDetailsService" />
    <property name="switchUserUrl"><value>/j_spring_security_switch_user</value></property>
    <property name="exitUserUrl"><value>/j_spring_security_exit_user</value></property>
    <property name="targetUrl"><value>/index.jsp</value></property>
 </bean>
 

Version:
$Id: SwitchUserFilter.java 3928 2009-10-07 14:43:55Z ltaylor $
Author:
Mark St.Godard
See Also:
SwitchUserGrantedAuthority

Field Summary
protected  MessageSourceAccessor messages
           
static String ROLE_PREVIOUS_ADMINISTRATOR
           
static String SPRING_SECURITY_SWITCH_USERNAME_KEY
           
 
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
 
Constructor Summary
SwitchUserFilter()
           
 
Method Summary
 void afterPropertiesSet()
           
protected  Authentication attemptExitUser(HttpServletRequest request)
          Attempt to exit from an already switched user.
protected  Authentication attemptSwitchUser(HttpServletRequest request)
          Attempt to switch to another user.
 void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
           
protected  boolean requiresExitUser(HttpServletRequest request)
          Checks the request URI for the presence of exitUserUrl.
protected  boolean requiresSwitchUser(HttpServletRequest request)
          Checks the request URI for the presence of switchUserUrl.
 void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)
           
 void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
           
 void setExitUserUrl(String exitUserUrl)
          Set the URL to respond to exit user processing.
 void setFailureHandler(AuthenticationFailureHandler failureHandler)
          Used to define custom behaviour when a switch fails.
 void setMessageSource(MessageSource messageSource)
           
 void setSuccessHandler(AuthenticationSuccessHandler successHandler)
          Used to define custom behaviour on a successful switch or exit user.
 void setSwitchFailureUrl(String switchFailureUrl)
          Sets the URL to which a user should be redirected if the switch fails.
 void setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger)
           
 void setSwitchUserUrl(String switchUserUrl)
          Set the URL to respond to switch user processing.
 void setTargetUrl(String targetUrl)
          Sets the URL to go to after a successful switch / exit user request.
 void setUserDetailsChecker(UserDetailsChecker userDetailsChecker)
           
 void setUserDetailsService(UserDetailsService userDetailsService)
          Sets the authentication data access object.
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SPRING_SECURITY_SWITCH_USERNAME_KEY

public static final String SPRING_SECURITY_SWITCH_USERNAME_KEY
See Also:
Constant Field Values

ROLE_PREVIOUS_ADMINISTRATOR

public static final String ROLE_PREVIOUS_ADMINISTRATOR
See Also:
Constant Field Values

messages

protected MessageSourceAccessor messages

Constructor Detail

SwitchUserFilter

public SwitchUserFilter()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
Specified by:
afterPropertiesSet in interface InitializingBean
Overrides:
afterPropertiesSet in class GenericFilterBean

doFilter

public void doFilter(ServletRequest req,
                     ServletResponse res,
                     FilterChain chain)
              throws IOException,
                     ServletException
Specified by:
doFilter in interface Filter
Throws:
IOException
ServletException

attemptSwitchUser

protected Authentication attemptSwitchUser(HttpServletRequest request)
                                    throws AuthenticationException
Attempt to switch to another user. If the user does not exist or is not active, return null.

Returns:
The new Authentication request if successfully switched to another user, null otherwise.
Throws:
UsernameNotFoundException - If the target user is not found.
LockedException - if the account is locked.
DisabledException - If the target user is disabled.
AccountExpiredException - If the target user account is expired.
CredentialsExpiredException - If the target user credentials are expired.
AuthenticationException

attemptExitUser

protected Authentication attemptExitUser(HttpServletRequest request)
                                  throws AuthenticationCredentialsNotFoundException
Attempt to exit from an already switched user.

Parameters:
request - The http servlet request
Returns:
The original Authentication object or null otherwise.
Throws:
AuthenticationCredentialsNotFoundException - If no Authentication associated with this request.

requiresExitUser

protected boolean requiresExitUser(HttpServletRequest request)
Checks the request URI for the presence of exitUserUrl.

Parameters:
request - The http servlet request
Returns:
true if the request requires an exit user, false otherwise.
See Also:
exitUserUrl

requiresSwitchUser

protected boolean requiresSwitchUser(HttpServletRequest request)
Checks the request URI for the presence of switchUserUrl.

Parameters:
request - The http servlet request
Returns:
true if the request requires a switch, false otherwise.
See Also:
switchUserUrl

setApplicationEventPublisher

public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)
                                  throws BeansException
Specified by:
setApplicationEventPublisher in interface ApplicationEventPublisherAware
Throws:
BeansException

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

setMessageSource

public void setMessageSource(MessageSource messageSource)
Specified by:
setMessageSource in interface MessageSourceAware

setUserDetailsService

public void setUserDetailsService(UserDetailsService userDetailsService)
Sets the authentication data access object.

Parameters:
userDetailsService - The UserDetailsService which will be used to load information for the user that is being switched to.

setExitUserUrl

public void setExitUserUrl(String exitUserUrl)
Set the URL to respond to exit user processing.

Parameters:
exitUserUrl - The exit user URL.

setSwitchUserUrl

public void setSwitchUserUrl(String switchUserUrl)
Set the URL to respond to switch user processing.

Parameters:
switchUserUrl - The switch user URL.

setTargetUrl

public void setTargetUrl(String targetUrl)
Sets the URL to go to after a successful switch / exit user request. Use setSuccessHandler instead if you need more customized behaviour.

Parameters:
targetUrl - The target url.

setSuccessHandler

public void setSuccessHandler(AuthenticationSuccessHandler successHandler)
Used to define custom behaviour on a successful switch or exit user.

Can be used instead of setting targetUrl.


setSwitchFailureUrl

public void setSwitchFailureUrl(String switchFailureUrl)
Sets the URL to which a user should be redirected if the switch fails. For example, this might happen because the account they are attempting to switch to is invalid (the user doesn't exist, account is locked etc).

If not set, an error message will be written to the response.

Use failureHandler instead if you need more customized behaviour.

Parameters:
switchFailureUrl - the url to redirect to.

setFailureHandler

public void setFailureHandler(AuthenticationFailureHandler failureHandler)
Used to define custom behaviour when a switch fails.

Can be used instead of setting switchFailureUrl.


setSwitchUserAuthorityChanger

public void setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger)
Parameters:
switchUserAuthorityChanger - to use to fine-tune the authorities granted to subclasses (may be null if SwitchUserFilter should not fine-tune the authorities)

setUserDetailsChecker

public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker)


Copyright © 2004-2009 SpringSource, Inc. All Rights Reserved.