public class SwitchUserFilter
extends org.springframework.web.filter.GenericFilterBean
implements org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware
This filter is similar to Unix 'su', but for Spring Security-managed web applications. A common use-case for this feature is the ability to allow higher-authority users (e.g. ROLE_ADMIN) to switch to a regular user (e.g. ROLE_USER).

This filter assumes that the user performing the switch will be required to be logged in as normal (i.e. as a ROLE_ADMIN user). The user will then access a page/controller that enables the administrator to specify who they wish to become (see switchUserUrl).

Note: This URL will be required to have appropriate security constraints configured so that only users of that role can access it (e.g. ROLE_ADMIN).

On a successful switch, the user's SecurityContext will be updated to reflect the specified user and will also contain an additional SwitchUserGrantedAuthority which contains the original user. Before switching, a check will be made on whether the user is already currently switched, and any current switch will be exited to prevent "nested" switches.

To 'exit' from a user context, the user needs to access a URL (see exitUserUrl) that will switch back to the original user as identified by the ROLE_PREVIOUS_ADMINISTRATOR.

To configure the Switch User Processing Filter, create a bean definition for the Switch User processing filter and add it to the filterChainProxy. Note that the filter must come after the FilterSecurityInterceptor in the chain, in order to apply the correct constraints to the switchUserUrl. Example:

<bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
  <property name="userDetailsService" ref="userDetailsService" />
  <property name="switchUserUrl" value="/login/impersonate" />
  <property name="exitUserUrl" value="/logout/impersonate" />
  <property name="targetUrl" value="/index.jsp" />
</bean>

See Also: SwitchUserGrantedAuthority
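As an added example that is not part of the Spring Security Javadoc or project code, the equivalent Java configuration for the bean definition above: it registers the filter after FilterSecurityInterceptor, restricts the two URLs to the roles the text requires, and adds a small audit helper that reads the original user off the SwitchUserGrantedAuthority. The class name ImpersonationConfig, the injected UserDetailsService bean and the helper impersonatorOf are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

@Configuration
@EnableWebSecurity
public class ImpersonationConfig extends WebSecurityConfigurerAdapter { // assumed class name
    @Autowired private UserDetailsService userDetailsService; // assumed to be a bean defined elsewhere

    // Same wiring as the XML bean above; not a @Bean, so the container does not also register it globally.
    private SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);
        filter.setSwitchUserUrl("/login/impersonate");
        filter.setExitUserUrl("/logout/impersonate");
        filter.setTargetUrl("/index.jsp");
        filter.afterPropertiesSet(); // validates the wiring, as the container would for a bean
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // switch URL restricted to administrators; without this constraint any
                // authenticated user could become any other user
                .antMatchers("/login/impersonate").hasRole("ADMIN")
                // only a currently switched user carries this authority
                .antMatchers("/logout/impersonate").hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
                .anyRequest().authenticated()
            .and()
            // placed after FilterSecurityInterceptor so the constraints above are applied first
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
    }

    // Audit helper: name of the original (switching) user read from the SwitchUserGrantedAuthority
    // the filter added, or null when the caller is not impersonating anyone.
    public static String impersonatorOf(Authentication auth) {
        return auth.getAuthorities().stream()
                .filter(SwitchUserGrantedAuthority.class::isInstance)
                .map(a -> ((SwitchUserGrantedAuthority) a).getSource().getName())
                .findFirst().orElse(null);
    }
}
```

Log the value returned by impersonatorOf alongside the acting principal on sensitive actions, so audit records show who was really behind a switched session.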
Modifier and Type | Field and Description |
---|---|
protected org.springframework.context.support.MessageSourceAccessor | messages |
static java.lang.String | ROLE_PREVIOUS_ADMINISTRATOR |
static java.lang.String | SPRING_SECURITY_SWITCH_USERNAME_KEY |
Constructor and Description |
---|
SwitchUserFilter() |
Modifier and Type | Method and Description |
---|---|
void | afterPropertiesSet() |
protected Authentication | attemptExitUser(javax.servlet.http.HttpServletRequest request): Attempt to exit from an already switched user. |
protected Authentication | attemptSwitchUser(javax.servlet.http.HttpServletRequest request): Attempt to switch to another user. |
void | doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) |
protected boolean | requiresExitUser(javax.servlet.http.HttpServletRequest request): Checks the request URI for the presence of exitUserUrl. |
protected boolean | requiresSwitchUser(javax.servlet.http.HttpServletRequest request): Checks the request URI for the presence of switchUserUrl. |
void | setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher eventPublisher) |
void | setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource) |
void | setExitUserMatcher(RequestMatcher exitUserMatcher): Set the matcher to respond to exit user processing. |
void | setExitUserUrl(java.lang.String exitUserUrl): Set the URL to respond to exit user processing. |
void | setFailureHandler(AuthenticationFailureHandler failureHandler): Used to define custom behaviour when a switch fails. |
void | setMessageSource(org.springframework.context.MessageSource messageSource) |
void | setSuccessHandler(AuthenticationSuccessHandler successHandler): Used to define custom behaviour on a successful switch or exit user. |
void | setSwitchAuthorityRole(java.lang.String switchAuthorityRole): Allows the role of the switchAuthority to be customized. |
void | setSwitchFailureUrl(java.lang.String switchFailureUrl): Sets the URL to which a user should be redirected if the switch fails. |
void | setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger) |
void | setSwitchUserMatcher(RequestMatcher switchUserMatcher): Set the matcher to respond to switch user processing. |
void | setSwitchUserUrl(java.lang.String switchUserUrl): Set the URL to respond to switch user processing. |
void | setTargetUrl(java.lang.String targetUrl): Sets the URL to go to after a successful switch / exit user request. |
void | setUserDetailsChecker(UserDetailsChecker userDetailsChecker) |
void | setUserDetailsService(UserDetailsService userDetailsService): Sets the authentication data access object. |
void | setUsernameParameter(java.lang.String usernameParameter): Allows the parameter containing the username to be customized. |
public static final java.lang.String SPRING_SECURITY_SWITCH_USERNAME_KEY
public static final java.lang.String ROLE_PREVIOUS_ADMINISTRATOR
protected org.springframework.context.support.MessageSourceAccessor messages
public void afterPropertiesSet()

Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Overrides: afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
public void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException

Specified by: doFilter in interface javax.servlet.Filter
Throws: java.io.IOException, javax.servlet.ServletException
protected Authentication attemptSwitchUser(javax.servlet.http.HttpServletRequest request) throws AuthenticationException

Attempt to switch to another user.
Returns: the Authentication request if successfully switched to another user, null otherwise.
Throws:
UsernameNotFoundException - If the target user is not found.
LockedException - If the account is locked.
DisabledException - If the target user is disabled.
AccountExpiredException - If the target user account is expired.
CredentialsExpiredException - If the target user credentials are expired.
AuthenticationException
protected Authentication attemptExitUser(javax.servlet.http.HttpServletRequest request) throws AuthenticationCredentialsNotFoundException

Attempt to exit from an already switched user.
Parameters: request - The http servlet request
Returns: the Authentication object, or null otherwise.
Throws: AuthenticationCredentialsNotFoundException - If no Authentication is associated with this request.

protected boolean requiresExitUser(javax.servlet.http.HttpServletRequest request)

Checks the request URI for the presence of exitUserUrl.
Parameters: request - The http servlet request
Returns: true if the request requires an exit user, false otherwise.
See Also: setExitUserUrl(String)

protected boolean requiresSwitchUser(javax.servlet.http.HttpServletRequest request)

Checks the request URI for the presence of switchUserUrl.
Parameters: request - The http servlet request
Returns: true if the request requires a switch, false otherwise.
See Also: setSwitchUserUrl(String)
public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher eventPublisher) throws org.springframework.beans.BeansException

Specified by: setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware
Throws: org.springframework.beans.BeansException

public void setAuthenticationDetailsSource(AuthenticationDetailsSource<javax.servlet.http.HttpServletRequest,?> authenticationDetailsSource)

public void setMessageSource(org.springframework.context.MessageSource messageSource)

Specified by: setMessageSource in interface org.springframework.context.MessageSourceAware
public void setUserDetailsService(UserDetailsService userDetailsService)

Sets the authentication data access object.
Parameters: userDetailsService - The UserDetailsService which will be used to load information for the user that is being switched to.

public void setExitUserUrl(java.lang.String exitUserUrl)

Set the URL to respond to exit user processing.
Parameters: exitUserUrl - The exit user URL.
See Also: setExitUserMatcher(RequestMatcher)

public void setExitUserMatcher(RequestMatcher exitUserMatcher)

Set the matcher to respond to exit user processing.
Parameters: exitUserMatcher - The exit matcher to use

public void setSwitchUserUrl(java.lang.String switchUserUrl)

Set the URL to respond to switch user processing.
Parameters: switchUserUrl - The switch user URL.
See Also: setSwitchUserMatcher(RequestMatcher)

public void setSwitchUserMatcher(RequestMatcher switchUserMatcher)

Set the matcher to respond to switch user processing.
Parameters: switchUserMatcher - The switch user matcher.

public void setTargetUrl(java.lang.String targetUrl)

Sets the URL to go to after a successful switch / exit user request. Use setSuccessHandler instead if you need more customized behaviour.
Parameters: targetUrl - The target url.

public void setSuccessHandler(AuthenticationSuccessHandler successHandler)

Used to define custom behaviour on a successful switch or exit user. Can be used instead of setting targetUrl.

public void setSwitchFailureUrl(java.lang.String switchFailureUrl)

Sets the URL to which a user should be redirected if the switch fails. If not set, an error message will be written to the response. Use failureHandler instead if you need more customized behaviour.
Parameters: switchFailureUrl - the url to redirect to.

public void setFailureHandler(AuthenticationFailureHandler failureHandler)

Used to define custom behaviour when a switch fails. Can be used instead of setting switchFailureUrl.

public void setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger)

Parameters: switchUserAuthorityChanger - to use to fine-tune the authorities granted to subclasses (may be null if SwitchUserFilter should not fine-tune the authorities)

public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker)

public void setUsernameParameter(java.lang.String usernameParameter)

Allows the parameter containing the username to be customized.
Parameters: usernameParameter - the parameter name. Defaults to username

public void setSwitchAuthorityRole(java.lang.String switchAuthorityRole)

Allows the role of the switchAuthority to be customized.
Parameters: switchAuthorityRole - the role name. Defaults to ROLE_PREVIOUS_ADMINISTRATOR