java.lang.Object
  ↳ org.springframework.web.filter.GenericFilterBean
    ↳ org.springframework.security.web.authentication.switchuser.SwitchUserFilter
Switch User processing filter responsible for user context switching.

This filter is similar to Unix 'su', but for Spring Security-managed web applications. A common use-case for this feature is the ability to allow higher-authority users (e.g. ROLE_ADMIN) to switch to a regular user (e.g. ROLE_USER).

This filter assumes that the user performing the switch will be required to be logged in as normal (i.e. as a ROLE_ADMIN user). The user will then access a page/controller that enables the administrator to specify who they wish to become (see switchUserUrl). Note: this URL will be required to have appropriate security constraints configured so that only users of that role can access it (e.g. ROLE_ADMIN).

On a successful switch, the user's SecurityContext will be updated to reflect the specified user and will also contain an additional SwitchUserGrantedAuthority which contains the original user.

Before switching, a check will be made on whether the user is already currently switched, and any current switch will be exited to prevent "nested" switches.

To 'exit' from a user context, the user needs to access a URL (see exitUserUrl) that will switch back to the original user as identified by the ROLE_PREVIOUS_ADMINISTRATOR.

To configure the Switch User Processing Filter, create a bean definition for the Switch User processing filter and add it to the filterChainProxy. Note that the filter must come after the FilterSecurityInterceptor in the chain, in order to apply the correct constraints to the switchUserUrl. Example:

```xml
<bean id="switchUserProcessingFilter"
      class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
  <property name="userDetailsService" ref="userDetailsService" />
  <property name="switchUserUrl" value="/j_spring_security_switch_user" />
  <property name="exitUserUrl" value="/j_spring_security_exit_user" />
  <property name="targetUrl" value="/index.jsp" />
</bean>
```
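As an added example (not from this Javadoc page or the Spring Security code base), the same filter wired up programmatically with the setters documented below, together with a helper that reads the SwitchUserGrantedAuthority out of the current Authentication so that actions performed while switched can be attributed to the original administrator in audit logs. The UserDetailsService bean and the /switch-failed.jsp page are assumptions.

```java
// Added example, not part of the Spring Security Javadoc or code base.
import java.util.Optional;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

public final class SwitchUserSupport {

    /** Programmatic equivalent of the XML bean definition above, using the documented setters. */
    public static SwitchUserFilter switchUserFilter(UserDetailsService userDetailsService) {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);
        filter.setSwitchUserUrl("/j_spring_security_switch_user");
        filter.setExitUserUrl("/j_spring_security_exit_user");
        filter.setTargetUrl("/index.jsp");
        // Without this, a failed switch (unknown, locked or disabled target) writes an
        // error message straight into the response instead of redirecting.
        filter.setSwitchFailureUrl("/switch-failed.jsp"); // hypothetical page, an assumption
        return filter;
    }

    /** The pre-switch Authentication if the context carries a SwitchUserGrantedAuthority, else empty. */
    public static Optional<Authentication> originalUser(Authentication current) {
        if (current == null) {
            return Optional.empty();
        }
        for (GrantedAuthority authority : current.getAuthorities()) {
            if (authority instanceof SwitchUserGrantedAuthority) {
                // getSource() holds the Authentication of the user who performed the switch.
                return Optional.of(((SwitchUserGrantedAuthority) authority).getSource());
            }
        }
        return Optional.empty();
    }

    /** Audit-friendly actor string, e.g. "bob (switched from alice)" or plain "bob". */
    public static String auditActor(Authentication current) {
        if (current == null) {
            return "anonymous";
        }
        return originalUser(current)
                .map(orig -> current.getName() + " (switched from " + orig.getName() + ")")
                .orElse(current.getName());
    }
}
```

Call auditActor(SecurityContextHolder.getContext().getAuthentication()) from a logging filter or controller so that log lines written during an impersonation session name both the effective user and the administrator behind it.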
Constants

| Type | Name |
|---|---|
| String | ROLE_PREVIOUS_ADMINISTRATOR |
| String | SPRING_SECURITY_SWITCH_USERNAME_KEY |

Fields

| Field |
|---|
| messages |

Inherited Fields: from class org.springframework.web.filter.GenericFilterBean
Public Constructors

Public Methods

| Method | Description |
|---|---|
| setExitUserUrl | Set the URL to respond to exit user processing. |
| setFailureHandler | Used to define custom behaviour when a switch fails. |
| setSuccessHandler | Used to define custom behaviour on a successful switch or exit user. |
| setSwitchFailureUrl | Sets the URL to which a user should be redirected if the switch fails. |
| setSwitchUserUrl | Set the URL to respond to switch user processing. |
| setTargetUrl | Sets the URL to go to after a successful switch / exit user request. |
| setUserDetailsService | Sets the authentication data access object. |
| setUsernameParameter | Allows the parameter containing the username to be customized. |
Protected Methods

| Method | Description |
|---|---|
| attemptExitUser | Attempt to exit from an already switched user. |
| attemptSwitchUser | Attempt to switch to another user. |
| requiresExitUser | Checks the request URI for the presence of exitUserUrl. |
| requiresSwitchUser | Checks the request URI for the presence of switchUserUrl. |
Inherited Methods

From class org.springframework.web.filter.GenericFilterBean
From class java.lang.Object
From interface javax.servlet.Filter
From interface org.springframework.beans.factory.BeanNameAware
From interface org.springframework.beans.factory.DisposableBean
From interface org.springframework.beans.factory.InitializingBean
From interface org.springframework.context.ApplicationEventPublisherAware
From interface org.springframework.context.MessageSourceAware
From interface org.springframework.web.context.ServletContextAware
Declared exceptions: IOException, ServletException, BeansException
setExitUserUrl

Set the URL to respond to exit user processing.

| Parameter | Description |
|---|---|
| exitUserUrl | The exit user URL. |

setFailureHandler

Used to define custom behaviour when a switch fails. Can be used instead of setting switchFailureUrl.

setSuccessHandler

Used to define custom behaviour on a successful switch or exit user. Can be used instead of setting targetUrl.

setSwitchFailureUrl

Sets the URL to which a user should be redirected if the switch fails. For example, this might happen because the account they are attempting to switch to is invalid (the user doesn't exist, the account is locked, etc.). If not set, an error message will be written to the response. Use failureHandler instead if you need more customized behaviour.

| Parameter | Description |
|---|---|
| switchFailureUrl | The URL to redirect to. |

setSwitchUserAuthorityChanger

| Parameter | Description |
|---|---|
| switchUserAuthorityChanger | To use to fine-tune the authorities granted to subclasses (may be null if SwitchUserFilter should not fine-tune the authorities). |
setSwitchUserUrl

Set the URL to respond to switch user processing.

| Parameter | Description |
|---|---|
| switchUserUrl | The switch user URL. |

setTargetUrl

Sets the URL to go to after a successful switch / exit user request. Use setSuccessHandler instead if you need more customized behaviour.

| Parameter | Description |
|---|---|
| targetUrl | The target URL. |

setUserDetailsService

Sets the authentication data access object.

| Parameter | Description |
|---|---|
| userDetailsService | The UserDetailsService which will be used to load information for the user that is being switched to. |

setUsernameParameter

Allows the parameter containing the username to be customized.

| Parameter | Description |
|---|---|
| usernameParameter | The parameter name. Defaults to j_username. |
attemptExitUser

Attempt to exit from an already switched user.

| Parameter | Description |
|---|---|
| request | The HTTP servlet request |

Returns: an Authentication object, or null otherwise.

| Throws | Condition |
|---|---|
| AuthenticationCredentialsNotFoundException | If no Authentication is associated with this request. |
attemptSwitchUser

Attempt to switch to another user. If the user does not exist or is not active, return null.

Returns: the Authentication request if successfully switched to another user, null otherwise.

| Throws | Condition |
|---|---|
| UsernameNotFoundException | If the target user is not found. |
| LockedException | If the account is locked. |
| DisabledException | If the target user is disabled. |
| AccountExpiredException | If the target user account is expired. |
| CredentialsExpiredException | If the target user credentials are expired. |
| AuthenticationException | |
requiresExitUser

Checks the request URI for the presence of exitUserUrl.

| Parameter | Description |
|---|---|
| request | The HTTP servlet request |

Returns: true if the request requires an exit user, false otherwise.

requiresSwitchUser

Checks the request URI for the presence of switchUserUrl.

| Parameter | Description |
|---|---|
| request | The HTTP servlet request |

Returns: true if the request requires a switch, false otherwise.