Class SwitchUserWebFilter
- java.lang.Object
-
- org.springframework.security.web.server.authentication.SwitchUserWebFilter
-
- All Implemented Interfaces:
org.springframework.web.server.WebFilter
public class SwitchUserWebFilter extends java.lang.Object implements org.springframework.web.server.WebFilter
Switch User processing filter responsible for user context switching. A common use-case for this feature is the ability to allow higher-authority users (e.g. ROLE_ADMIN) to switch to a regular user (e.g. ROLE_USER).This filter assumes that the user performing the switch will be required to be logged in as normal user (i.e. with a ROLE_ADMIN role). The user will then access a page/controller that enables the administrator to specify who they wish to become (see
switchUserUrl
).Note: This URL will be required to have appropriate security constraints configured so that only users of that role can access it (e.g. ROLE_ADMIN).
On a successful switch, the user's
SecurityContext
will be updated to reflect the specified user and will also contain an additionalSwitchUserGrantedAuthority
which contains the original user. Before switching, a check will be made on whether the user is already currently switched, and any current switch will be exited to prevent "nested" switches.To 'exit' from a user context, the user needs to access a URL (see
exitUserUrl
) that will switch back to the original user as identified by theROLE_PREVIOUS_ADMINISTRATOR
.To configure the Switch User Processing Filter, create a bean definition for the Switch User processing filter and add to the filterChainProxy. Note that the filter must come after the
SecurityWebFiltersOrder.AUTHORIZATION
in the chain, in order to apply the correct constraints to the switchUserUrl. Example:SwitchUserWebFilter filter = new SwitchUserWebFilter(userDetailsService, loginSuccessHandler, failureHandler); http.addFilterAfter(filter, SecurityWebFiltersOrder.AUTHORIZATION);
- Since:
- 5.4
- See Also:
SwitchUserGrantedAuthority
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
ROLE_PREVIOUS_ADMINISTRATOR
static java.lang.String
SPRING_SECURITY_SWITCH_USERNAME_KEY
-
Constructor Summary
Constructors Constructor Description SwitchUserWebFilter(ReactiveUserDetailsService userDetailsService, java.lang.String successTargetUrl, java.lang.String failureTargetUrl)
Creates a filter for the user context switchingSwitchUserWebFilter(ReactiveUserDetailsService userDetailsService, ServerAuthenticationSuccessHandler successHandler, ServerAuthenticationFailureHandler failureHandler)
Creates a filter for the user context switching
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected reactor.core.publisher.Mono<Authentication>
exitSwitchUser(WebFilterExchange webFilterExchange)
Attempt to exit from an already switched user.reactor.core.publisher.Mono<java.lang.Void>
filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
protected java.lang.String
getUsername(org.springframework.web.server.ServerWebExchange exchange)
Returns the name of the target user.void
setExitUserMatcher(ServerWebExchangeMatcher exitUserMatcher)
Set the matcher to respond to exit user processing.void
setExitUserUrl(java.lang.String exitUserUrl)
Set the URL to respond to exit user processing.void
setSecurityContextRepository(ServerSecurityContextRepository securityContextRepository)
Sets the repository for persisting the SecurityContext.void
setSwitchUserMatcher(ServerWebExchangeMatcher switchUserMatcher)
Set the matcher to respond to switch user processing.void
setSwitchUserUrl(java.lang.String switchUserUrl)
Set the URL to respond to switch user processing.protected reactor.core.publisher.Mono<Authentication>
switchUser(WebFilterExchange webFilterExchange)
Attempt to switch to another user.
-
-
-
Field Detail
-
SPRING_SECURITY_SWITCH_USERNAME_KEY
public static final java.lang.String SPRING_SECURITY_SWITCH_USERNAME_KEY
- See Also:
- Constant Field Values
-
ROLE_PREVIOUS_ADMINISTRATOR
public static final java.lang.String ROLE_PREVIOUS_ADMINISTRATOR
- See Also:
- Constant Field Values
-
-
Constructor Detail
-
SwitchUserWebFilter
public SwitchUserWebFilter(ReactiveUserDetailsService userDetailsService, ServerAuthenticationSuccessHandler successHandler, @Nullable ServerAuthenticationFailureHandler failureHandler)
Creates a filter for the user context switching- Parameters:
userDetailsService
- The UserDetailsService which will be used to load information for the user that is being switched to.successHandler
- Used to define custom behaviour on a successful switch or exit user.failureHandler
- Used to define custom behaviour when a switch fails.
-
SwitchUserWebFilter
public SwitchUserWebFilter(ReactiveUserDetailsService userDetailsService, java.lang.String successTargetUrl, @Nullable java.lang.String failureTargetUrl)
Creates a filter for the user context switching- Parameters:
userDetailsService
- The UserDetailsService which will be used to load information for the user that is being switched to.successTargetUrl
- Sets the URL to go to after a successful switch / exit user requestfailureTargetUrl
- The URL to which a user should be redirected if the switch fails
-
-
Method Detail
-
filter
public reactor.core.publisher.Mono<java.lang.Void> filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
- Specified by:
filter
in interfaceorg.springframework.web.server.WebFilter
-
switchUser
protected reactor.core.publisher.Mono<Authentication> switchUser(WebFilterExchange webFilterExchange)
Attempt to switch to another user.- Parameters:
webFilterExchange
- The web filter exchange- Returns:
- The new
Authentication
object if successfully switched to another user,Mono.empty()
otherwise. - Throws:
AuthenticationCredentialsNotFoundException
- If the target user can not be found by username
-
exitSwitchUser
protected reactor.core.publisher.Mono<Authentication> exitSwitchUser(WebFilterExchange webFilterExchange)
Attempt to exit from an already switched user.- Parameters:
webFilterExchange
- The web filter exchange- Returns:
- The original
Authentication
object. - Throws:
AuthenticationCredentialsNotFoundException
- If there is noAuthentication
associated with this request or the user is not switched.
-
getUsername
protected java.lang.String getUsername(org.springframework.web.server.ServerWebExchange exchange)
Returns the name of the target user.- Parameters:
exchange
- The server web exchange- Returns:
- the name of the target user.
-
setSecurityContextRepository
public void setSecurityContextRepository(ServerSecurityContextRepository securityContextRepository)
Sets the repository for persisting the SecurityContext. Default isWebSessionServerSecurityContextRepository
- Parameters:
securityContextRepository
- the repository to use
-
setExitUserUrl
public void setExitUserUrl(java.lang.String exitUserUrl)
Set the URL to respond to exit user processing. This is a shortcut for *setExitUserMatcher(ServerWebExchangeMatcher)
- Parameters:
exitUserUrl
- The exit user URL.
-
setExitUserMatcher
public void setExitUserMatcher(ServerWebExchangeMatcher exitUserMatcher)
Set the matcher to respond to exit user processing.- Parameters:
exitUserMatcher
- The exit matcher to use
-
setSwitchUserUrl
public void setSwitchUserUrl(java.lang.String switchUserUrl)
Set the URL to respond to switch user processing. This is a shortcut forsetSwitchUserMatcher(ServerWebExchangeMatcher)
- Parameters:
switchUserUrl
- The switch user URL.
-
setSwitchUserMatcher
public void setSwitchUserMatcher(ServerWebExchangeMatcher switchUserMatcher)
Set the matcher to respond to switch user processing.- Parameters:
switchUserMatcher
- The switch user matcher.
-
-