
How can I allow a user override with Spring Security?

In my Spring MVC web application, there are certain areas accessible only to users with sufficient privileges. Rather than just have an "access denied" message, I need to be able to allow users to log in as a different user in order to use these pages (sort of like an override).

How can I do this with Spring Security?

Here's the flow I am looking to have, with a bit more detail:

1. User A comes in to page X from an external application and is authenticated via headers.
2. User A does not have permission to use page X, and so is taken to the login screen with a message indicating that they must log in as a user with sufficient privileges to use this page.
3. User B logs in, has sufficient privileges, and is taken to page X.

Note: Page X has a big, long query string that needs to be preserved.

How can I do this with Spring Security?

---

Here's my Spring Security config file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <debug />

    <global-method-security pre-post-annotations="enabled">
        <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
        <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </global-method-security>

    <!-- Allow anyone to get the static resources and the login page by not applying the security filter chain -->
    <http pattern="/resources/**" security="none" />
    <http pattern="/css/**" security="none" />
    <http pattern="/img/**" security="none" />
    <http pattern="/js/**" security="none" />

    <!-- Lock everything down -->
    <http auto-config="true" use-expressions="true" disable-url-rewriting="true">
        <!-- Define the URL access rules -->
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/about/**" access="permitAll and !hasRole('blocked')" />
        <intercept-url pattern="/users/**" access="hasRole('user')" />
        <intercept-url pattern="/reviews/new**" access="hasRole('reviewer')" />
        <intercept-url pattern="/**" access="hasRole('user')" />

        <form-login login-page="/login" />
        <logout logout-url="/logout" />
        <access-denied-handler error-page="/login?reason=accessDenied" />

        <!-- Limit the number of sessions a user can have to only 1 -->
        <session-management>
            <concurrency-control max-sessions="1" />
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider ref="adAuthenticationProvider" />
        <authentication-provider>
            <user-service>
                <user name="superadmin" password="superadminpassword" authorities="user" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="adAuthenticationProvider"
        class="[REDACTED Package].NestedGroupActiveDirectoryLdapAuthenticationProvider">
        <beans:constructor-arg value="[REDACTED FQDN]" />
        <beans:constructor-arg value="[REDACTED LDAP URL]" />
        <beans:property name="convertSubErrorCodesToExceptions" value="true" />
        <beans:property name="[REDACTED Group Sub-Tree DN]" />
        <beans:property name="userDetailsContextMapper" ref="peerReviewLdapUserDetailsMapper" />
    </beans:bean>

    <beans:bean id="peerReviewLdapUserDetailsMapper"
        class="[REDACTED Package].PeerReviewLdapUserDetailsMapper">
        <beans:constructor-arg ref="UserDAO" />
    </beans:bean>

</beans:beans>
```

I'm using a slightly modified version of the Spring Security 3.1 Active Directory connection capabilities. The modifications simply load *all* of a user's groups, including those reached by group nesting, rather than only the ones the user is directly a member of. I'm also using a custom user object that has my application's User object embedded in it, and a custom LDAP mapper that does the normal LDAP mapping, and then adds in my user.

There is a special authentication scenario that has not been implemented yet where the user is authenticated based on a username passed from an external application (or via Kerberos) in a Single-Sign-On fashion.
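The flow the question asks for (deny, send to the login page with a reason, let a second user log in, return to page X with its query string intact) maps onto Spring Security's saved-request mechanism: the `error-page` form of `<access-denied-handler>` only forwards to the error page and does not record where the user was, but a custom `AccessDeniedHandler` can save the denied request in the session and redirect to the login page, and the default success handler of `<form-login>` (`SavedRequestAwareAuthenticationSuccessHandler`) then redirects the newly authenticated user to the saved URL, query string included. The class below is an added example, not code from the question or from the Spring Security project; it assumes Spring Security 3.1 and the servlet API implied by the posted config, and the class name, package and bean id are hypothetical.

```java
package example.security; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;

/**
 * AccessDeniedHandler that turns an authorization failure into an "override"
 * login: it remembers the denied request (path and query string) in the
 * session and sends the browser to the login page with a reason parameter.
 *
 * Wiring (replaces the error-page form in the posted config):
 *
 *   <access-denied-handler ref="overrideAccessDeniedHandler" />
 *   ...
 *   <beans:bean id="overrideAccessDeniedHandler"
 *       class="example.security.OverrideLoginAccessDeniedHandler">
 *       <beans:constructor-arg value="/login?reason=accessDenied" />
 *   </beans:bean>
 *
 * After user B authenticates through <form-login>, the default
 * SavedRequestAwareAuthenticationSuccessHandler reads the same session
 * attribute (via HttpSessionRequestCache) and redirects to the saved URL,
 * so the long query string of page X survives without being carried in a
 * user-controlled "returnUrl" parameter.
 */
public class OverrideLoginAccessDeniedHandler implements AccessDeniedHandler {

    private final RequestCache requestCache = new HttpSessionRequestCache();
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private final String loginUrl;

    /** @param loginUrl context-relative login URL, e.g. "/login?reason=accessDenied" */
    public OverrideLoginAccessDeniedHandler(String loginUrl) {
        this.loginUrl = loginUrl;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException accessDeniedException)
            throws IOException, ServletException {
        if (response.isCommitted()) {
            // Nothing sensible left to do; the denial has already been written.
            return;
        }

        // Only a GET can be replayed by a redirect. A denied POST would come
        // back as a GET without its body, so do not save it (design choice of
        // this example, not Spring Security's default, which saves any method).
        if ("GET".equalsIgnoreCase(request.getMethod())) {
            requestCache.saveRequest(request, response);
        }

        // DefaultRedirectStrategy prefixes the context path for URLs that
        // start with "/", so the login page is reached regardless of deployment path.
        redirectStrategy.sendRedirect(request, response, loginUrl);
    }
}
```

Two points worth checking in the posted config when using this. First, the saved request lives in the HTTP session; the default session-fixation protection in 3.1 (`migrateSession`) copies session attributes into the new session created at login, so the saved request survives user B's authentication. Second, the login page still shows user A as authenticated until B's form login replaces the security context, so the controller behind `/login` should render the `reason=accessDenied` message rather than short-circuiting to "already logged in". The redirect target comes from the server-side saved request, not from a request parameter, which is what keeps this free of open-redirect problems.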