public class SwitchUserFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware

java.lang.Object
   ↳ org.springframework.web.filter.GenericFilterBean
     ↳ org.springframework.security.web.authentication.switchuser.SwitchUserFilter

Class Overview

Switch User processing filter responsible for user context switching.

This filter is similar to the Unix 'su' command, but for Spring Security-managed web applications. A common use-case for this feature is allowing higher-authority users (e.g. ROLE_ADMIN) to switch to a regular user (e.g. ROLE_USER).

This filter assumes that the user performing the switch will be required to be logged in as normal (i.e. as a ROLE_ADMIN user). The user will then access a page/controller that enables the administrator to specify who they wish to become (see switchUserUrl).

Note: This URL will be required to have appropriate security constraints configured so that only users of that role can access it (e.g. ROLE_ADMIN).

On a successful switch, the user's SecurityContext will be updated to reflect the specified user and will also contain an additional SwitchUserGrantedAuthority which contains the original user. Before switching, a check will be made on whether the user is already currently switched, and any current switch will be exited to prevent "nested" switches.

To 'exit' from a user context, the user needs to access a URL (see exitUserUrl) that will switch back to the original user as identified by the ROLE_PREVIOUS_ADMINISTRATOR.

To configure the Switch User Processing Filter, create a bean definition for the Switch User processing filter and add it to the FilterChainProxy. Note that the filter must come after the FilterSecurityInterceptor in the chain, in order to apply the correct constraints to the switchUserUrl. Example:

 <bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
    <property name="userDetailsService" ref="userDetailsService" />
    <property name="switchUserUrl" value="/j_spring_security_switch_user" />
    <property name="exitUserUrl" value="/j_spring_security_exit_user" />
    <property name="targetUrl" value="/index.jsp" />
 </bean>
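As an added example (not part of the Spring Security Javadoc or the project's own sources), the same wiring expressed in Spring Security Java configuration. It assumes Spring Security 3.2 or later with the WebSecurityConfigurerAdapter style; the class name SwitchUserConfig, the /switch-failed path and the AuditingSuccessHandler are illustrative choices. Beyond the XML above it also shows the two things the overview calls for but the bean definition alone does not express: restricting the switch URL to ROLE_ADMIN and the exit URL to ROLE_PREVIOUS_ADMINISTRATOR, and placing the filter after FilterSecurityInterceptor so those constraints are enforced before a switch is attempted. The success handler reads the SwitchUserGrantedAuthority the overview describes to record who switched to whom.

```java
// Added example, not Spring Security's own code. Assumes Spring Security 3.2+
// (WebSecurityConfigurerAdapter style) and a UserDetailsService bean in the context.
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

@Configuration
@EnableWebSecurity
public class SwitchUserConfig extends WebSecurityConfigurerAdapter {

    private static final Logger AUDIT = Logger.getLogger("switch-user-audit");

    // Same URLs as the XML bean definition in the class overview.
    static final String SWITCH_URL = "/j_spring_security_switch_user";
    static final String EXIT_URL = "/j_spring_security_exit_user";

    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    public SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);
        filter.setSwitchUserUrl(SWITCH_URL);
        filter.setExitUserUrl(EXIT_URL);
        // Redirect here when the target account is unknown, locked, disabled or expired
        // (otherwise the filter writes an error straight to the response). Illustrative path.
        filter.setSwitchFailureUrl("/switch-failed");
        // Replaces setTargetUrl: same redirect, plus an audit record of the switch.
        filter.setSuccessHandler(new AuditingSuccessHandler("/index.jsp"));
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The overview's note: only the switching role may reach the switch URL.
                .antMatchers(SWITCH_URL).hasRole("ADMIN")
                // Only a session that is currently switched carries ROLE_PREVIOUS_ADMINISTRATOR,
                // so only such a session can request an exit.
                .antMatchers(EXIT_URL).hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            // The filter must sit after FilterSecurityInterceptor so the constraints above
            // are applied to the switch and exit URLs before the filter acts on them.
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
    }

    /** Redirects to the target URL after recording who switched to whom (illustrative). */
    static class AuditingSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
        AuditingSuccessHandler(String targetUrl) {
            super(targetUrl);
        }

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                            Authentication authentication)
                throws IOException, ServletException {
            // After a switch the new Authentication carries a SwitchUserGrantedAuthority whose
            // source is the original user; after an exit no such authority is present.
            String original = "none (exit user)";
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                if (ga instanceof SwitchUserGrantedAuthority) {
                    original = ((SwitchUserGrantedAuthority) ga).getSource().getName();
                }
            }
            AUDIT.info("switch-user event: now=" + authentication.getName()
                    + " original=" + original + " remote=" + request.getRemoteAddr());
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }
}
```

A POST to /j_spring_security_switch_user with a j_username parameter (the default from SPRING_SECURITY_SWITCH_USERNAME_KEY) by an authenticated ROLE_ADMIN user produces an audit line with both identities and a redirect to /index.jsp; the same request from a non-admin session is rejected by FilterSecurityInterceptor before SwitchUserFilter ever sees it.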

Summary

Constants
String ROLE_PREVIOUS_ADMINISTRATOR
String SPRING_SECURITY_SWITCH_USERNAME_KEY
Fields
protected MessageSourceAccessor messages
Inherited Fields
From class org.springframework.web.filter.GenericFilterBean
Public Constructors
SwitchUserFilter()
Public Methods
void afterPropertiesSet()
void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher)
void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource)
void setExitUserUrl(String exitUserUrl)
Set the URL to respond to exit user processing.
void setFailureHandler(AuthenticationFailureHandler failureHandler)
Used to define custom behaviour when a switch fails.
void setMessageSource(MessageSource messageSource)
void setSuccessHandler(AuthenticationSuccessHandler successHandler)
Used to define custom behaviour on a successful switch or exit user.
void setSwitchFailureUrl(String switchFailureUrl)
Sets the URL to which a user should be redirected if the switch fails.
void setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger)
void setSwitchUserUrl(String switchUserUrl)
Set the URL to respond to switch user processing.
void setTargetUrl(String targetUrl)
Sets the URL to go to after a successful switch / exit user request.
void setUserDetailsChecker(UserDetailsChecker userDetailsChecker)
void setUserDetailsService(UserDetailsService userDetailsService)
Sets the authentication data access object.
void setUsernameParameter(String usernameParameter)
Allows the parameter containing the username to be customized.
Protected Methods
Authentication attemptExitUser(HttpServletRequest request)
Attempt to exit from an already switched user.
Authentication attemptSwitchUser(HttpServletRequest request)
Attempt to switch to another user.
boolean requiresExitUser(HttpServletRequest request)
Checks the request URI for the presence of exitUserUrl.
boolean requiresSwitchUser(HttpServletRequest request)
Checks the request URI for the presence of switchUserUrl.
Inherited Methods
From class org.springframework.web.filter.GenericFilterBean
From class java.lang.Object
From interface javax.servlet.Filter
From interface org.springframework.beans.factory.BeanNameAware
From interface org.springframework.beans.factory.DisposableBean
From interface org.springframework.beans.factory.InitializingBean
From interface org.springframework.context.ApplicationEventPublisherAware
From interface org.springframework.context.MessageSourceAware
From interface org.springframework.web.context.ServletContextAware

Constants

public static final String ROLE_PREVIOUS_ADMINISTRATOR

Constant Value: "ROLE_PREVIOUS_ADMINISTRATOR"

public static final String SPRING_SECURITY_SWITCH_USERNAME_KEY

Constant Value: "j_username"

Fields

protected MessageSourceAccessor messages

Public Constructors

public SwitchUserFilter ()

Public Methods

public void afterPropertiesSet ()

public void doFilter (ServletRequest req, ServletResponse res, FilterChain chain)

Throws
IOException
ServletException

public void setApplicationEventPublisher (ApplicationEventPublisher eventPublisher)

Throws
BeansException

public void setAuthenticationDetailsSource (AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource)

public void setExitUserUrl (String exitUserUrl)

Set the URL to respond to exit user processing.

Parameters
exitUserUrl The exit user URL.

public void setFailureHandler (AuthenticationFailureHandler failureHandler)

Used to define custom behaviour when a switch fails.

Can be used instead of setting switchFailureUrl.

public void setMessageSource (MessageSource messageSource)

public void setSuccessHandler (AuthenticationSuccessHandler successHandler)

Used to define custom behaviour on a successful switch or exit user.

Can be used instead of setting targetUrl.

public void setSwitchFailureUrl (String switchFailureUrl)

Sets the URL to which a user should be redirected if the switch fails. For example, this might happen because the account they are attempting to switch to is invalid (the user doesn't exist, account is locked etc).

If not set, an error message will be written to the response.

Use failureHandler instead if you need more customized behaviour.

Parameters
switchFailureUrl the url to redirect to.

public void setSwitchUserAuthorityChanger (SwitchUserAuthorityChanger switchUserAuthorityChanger)

Parameters
switchUserAuthorityChanger to use to fine-tune the authorities granted to subclasses (may be null if SwitchUserFilter should not fine-tune the authorities)

public void setSwitchUserUrl (String switchUserUrl)

Set the URL to respond to switch user processing.

Parameters
switchUserUrl The switch user URL.

public void setTargetUrl (String targetUrl)

Sets the URL to go to after a successful switch / exit user request. Use setSuccessHandler instead if you need more customized behaviour.

Parameters
targetUrl The target url.

public void setUserDetailsChecker (UserDetailsChecker userDetailsChecker)

public void setUserDetailsService (UserDetailsService userDetailsService)

Sets the authentication data access object.

Parameters
userDetailsService The UserDetailsService which will be used to load information for the user that is being switched to.

public void setUsernameParameter (String usernameParameter)

Allows the parameter containing the username to be customized.

Parameters
usernameParameter the parameter name. Defaults to j_username.

Protected Methods

protected Authentication attemptExitUser (HttpServletRequest request)

Attempt to exit from an already switched user.

Parameters
request The http servlet request
Returns
  • The original Authentication object or null otherwise.
Throws
AuthenticationCredentialsNotFoundException If no Authentication is associated with this request.

protected Authentication attemptSwitchUser (HttpServletRequest request)

Attempt to switch to another user. If the user does not exist or is not active, return null.

Returns
  • The new Authentication request if successfully switched to another user, null otherwise.
Throws
UsernameNotFoundException If the target user is not found.
LockedException if the account is locked.
DisabledException If the target user is disabled.
AccountExpiredException If the target user account is expired.
CredentialsExpiredException If the target user credentials are expired.
AuthenticationException

protected boolean requiresExitUser (HttpServletRequest request)

Checks the request URI for the presence of exitUserUrl.

Parameters
request The http servlet request
Returns
  • true if the request requires an exit user, false otherwise.
See Also
  • SwitchUserFilter#exitUserUrl

protected boolean requiresSwitchUser (HttpServletRequest request)

Checks the request URI for the presence of switchUserUrl.

Parameters
request The http servlet request
Returns
  • true if the request requires a switch, false otherwise.
See Also
  • SwitchUserFilter#switchUserUrl