org.springframework.security.ui.switchuser
Class SwitchUserProcessingFilter

java.lang.Object
  org.springframework.security.ui.SpringSecurityFilter
      org.springframework.security.ui.switchuser.SwitchUserProcessingFilter

All Implemented Interfaces:

Filter, InitializingBean, ApplicationEventPublisherAware, MessageSourceAware, Ordered

public class SwitchUserProcessingFilter
extends SpringSecurityFilter
implements InitializingBean, ApplicationEventPublisherAware, MessageSourceAware

Switch User processing filter responsible for user context switching.

This filter is similar to Unix 'su' however for Spring Security-managed web applications. A common use-case for this feature is the ability to allow higher-authority users (e.g. ROLE_ADMIN) to switch to a regular user (e.g. ROLE_USER).

This filter assumes that the user performing the switch will be required to be logged in as normal (i.e. as a ROLE_ADMIN user). The user will then access a page/controller that enables the administrator to specify who they wish to become (see switchUserUrl).
Note: This URL will be required to have to appropriate security contraints configured so that only users of that role can access (e.g. ROLE_ADMIN).

On successful switch, the user's SecurityContextHolder will be updated to reflect the specified user and will also contain an additinal SwitchUserGrantedAuthority which contains the original user.

To 'exit' from a user context, the user will then need to access a URL (see exitUserUrl) that will switch back to the original user as identified by the ROLE_PREVIOUS_ADMINISTRATOR.

To configure the Switch User Processing Filter, create a bean definition for the Switch User processing filter and add to the filterChainProxy. Note that the filter must come after the FilterSecurityInteceptor in the chain, in order to apply the correct constraints to the switchUserUrl. Example:

 <bean id="switchUserProcessingFilter" class="org.springframework.security.ui.switchuser.SwitchUserProcessingFilter">
    <property name="userDetailsService" ref="userDetailsService" />
    <property name="switchUserUrl"><value>/j_spring_security_switch_user</value></property>
    <property name="exitUserUrl"><value>/j_spring_security_exit_user</value></property>
    <property name="targetUrl"><value>/index.jsp</value></property></bean>
 

Version:

$Id$

Author:

Mark St.Godard

See Also:

SwitchUserGrantedAuthority

Field Summary

protected MessageSourceAccessor	messages
static String	ROLE_PREVIOUS_ADMINISTRATOR
static String	SPRING_SECURITY_SWITCH_USERNAME_KEY

Fields inherited from class org.springframework.security.ui.SpringSecurityFilter

logger

Fields inherited from interface org.springframework.core.Ordered

HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

SwitchUserProcessingFilter()

Method Summary

void	afterPropertiesSet()
protected Authentication	attemptExitUser(HttpServletRequest request) Attempt to exit from an already switched user.
protected Authentication	attemptSwitchUser(HttpServletRequest request) Attempt to switch to another user.
void	doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
int	getOrder()
protected boolean	requiresExitUser(HttpServletRequest request) Checks the request URI for the presence of exitUserUrl.
protected boolean	requiresSwitchUser(HttpServletRequest request) Checks the request URI for the presence of switchUserUrl.
protected void	sendRedirect(HttpServletRequest request, HttpServletResponse response, String url)
void	setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)
void	setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)
void	setExitUserUrl(String exitUserUrl) Set the URL to respond to exit user processing.
void	setMessageSource(MessageSource messageSource)
void	setSwitchFailureUrl(String switchFailureUrl) Sets the URL to which a user should be redirected if the swittch fails.
void	setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger)
void	setSwitchUserUrl(String switchUserUrl) Set the URL to respond to switch user processing.
void	setTargetUrl(String targetUrl) Sets the URL to go to after a successful switch / exit user request.
void	setUserDetailsService(UserDetailsService userDetailsService) Sets the authentication data access object.
void	setUseRelativeContext(boolean useRelativeContext) Analogous to the same property in AbstractProcessingFilter.

Methods inherited from class org.springframework.security.ui.SpringSecurityFilter

destroy, doFilter, init, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

SPRING_SECURITY_SWITCH_USERNAME_KEY

public static final String SPRING_SECURITY_SWITCH_USERNAME_KEY

See Also:

Constant Field Values

ROLE_PREVIOUS_ADMINISTRATOR

public static final String ROLE_PREVIOUS_ADMINISTRATOR

See Also:

Constant Field Values

messages

protected MessageSourceAccessor messages

Constructor Detail

SwitchUserProcessingFilter

public SwitchUserProcessingFilter()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception

Specified by:

afterPropertiesSet in interface InitializingBean

Throws:

Exception

attemptExitUser

protected Authentication attemptExitUser(HttpServletRequest request)
                                  throws AuthenticationCredentialsNotFoundException

Attempt to exit from an already switched user.

Parameters:

request - The http servlet request

Returns:

The original Authentication object or null otherwise.

Throws:

AuthenticationCredentialsNotFoundException - If no Authentication associated with this request.

attemptSwitchUser

protected Authentication attemptSwitchUser(HttpServletRequest request)
                                    throws AuthenticationException

Attempt to switch to another user. If the user does not exist or is not active, return null.

Returns:

The new Authentication request if successfully switched to another user, null otherwise.

Throws:

UsernameNotFoundException - If the target user is not found.

LockedException - if the account is locked.

DisabledException - If the target user is disabled.

AccountExpiredException - If the target user account is expired.

CredentialsExpiredException - If the target user credentials are expired.

AuthenticationException

doFilterHttp

public void doFilterHttp(HttpServletRequest request,
                         HttpServletResponse response,
                         FilterChain chain)
                  throws IOException,
                         ServletException

Specified by:

doFilterHttp in class SpringSecurityFilter

Throws:

IOException

ServletException

sendRedirect

protected void sendRedirect(HttpServletRequest request,
                            HttpServletResponse response,
                            String url)
                     throws IOException

Throws:

IOException

requiresExitUser

protected boolean requiresExitUser(HttpServletRequest request)

Checks the request URI for the presence of exitUserUrl.

Parameters:

request - The http servlet request

Returns:

true if the request requires a exit user, false otherwise.

See Also:

exitUserUrl

requiresSwitchUser

protected boolean requiresSwitchUser(HttpServletRequest request)

Checks the request URI for the presence of switchUserUrl.

Parameters:

request - The http servlet request

Returns:

true if the request requires a switch, false otherwise.

See Also:

switchUserUrl

setApplicationEventPublisher

public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)
                                  throws BeansException

Specified by:

setApplicationEventPublisher in interface ApplicationEventPublisherAware

Throws:

BeansException

setAuthenticationDetailsSource

public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource)

setExitUserUrl

public void setExitUserUrl(String exitUserUrl)

Set the URL to respond to exit user processing.

Parameters:

exitUserUrl - The exit user URL.

setMessageSource

public void setMessageSource(MessageSource messageSource)

Specified by:

setMessageSource in interface MessageSourceAware

setSwitchUserUrl

public void setSwitchUserUrl(String switchUserUrl)

Set the URL to respond to switch user processing.

Parameters:

switchUserUrl - The switch user URL.

setTargetUrl

public void setTargetUrl(String targetUrl)

Sets the URL to go to after a successful switch / exit user request.

Parameters:

targetUrl - The target url.

setUserDetailsService

public void setUserDetailsService(UserDetailsService userDetailsService)

Sets the authentication data access object.

Parameters:

userDetailsService - The authentication dao

setUseRelativeContext

public void setUseRelativeContext(boolean useRelativeContext)

Analogous to the same property in AbstractProcessingFilter. If set, redirects will be context-relative (they won't include the context path).

Parameters:

useRelativeContext - set to true to exclude the context path from redirect URLs.

setSwitchFailureUrl

public void setSwitchFailureUrl(String switchFailureUrl)

Sets the URL to which a user should be redirected if the swittch fails. For example, this might happen because the account they are attempting to switch to is invalid (the user doesn't exist, account is locked etc).

If not set, an error essage wil be written to the response.

Parameters:

switchFailureUrl - the url to redirect to.

setSwitchUserAuthorityChanger

public void setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger)

Parameters:

switchUserAuthorityChanger - to use to fine-tune the authorities granted to subclasses (may be null if SwitchUserProcessingFilter shoudl not fine-tune the authorities)

getOrder

public int getOrder()

Specified by:

getOrder in interface Ordered