Ben,

Re: SEC-15

I have committed the initial draft of the Switch User ('su') functionality. I created a new filter (SwitchUserProcessingFilter) that handles the 'switch' and 'exit' url requests. This filter also uses the authenticationDao to allow access to load users.

A few initial assumptions in this version:
- will only 'su' one level deep
- switch url will need to be secured so that only the desired Administrator can do the 'su'.

We can probably get more fancy here later, possibly doing more mapping of who can do this, and to which target users. Anyway, starting simple.

Example configuration:

    <bean id="switchUserProcessingFilter" class="net.sf.acegisecurity.ui.switchuser.SwitchUserProcessingFilter">
        <property name="authenticationDao" ref="jdbcDaoImpl" />
        <property name="switchUserUrl">
            <value>/j_acegi_switch_user</value>
        </property>
        <property name="exitUserUrl">
            <value>/j_acegi_exit_user</value>
        </property>
        <property name="targetUrl">
            <value>/acegi-security-sample-contacts-filter/secure/debug.jsp</value>
        </property>
    </bean>

Note: I have the 2 URLs (j_acegi_switch_user, j_acegi_exit_user) configurable and these are responsible for their respective requests.

j_acegi_switch_user - will handle a switch attempt and expects the username of the target user
j_acegi_exit_user - will handle the exit attempt and expects that a successful switch has taken place.

I used your recommendation of using a custom GrantedAuthority (PREVIOUS_ADMINISTRATOR) to capture the original user. This is interrogated in the exit attempt and used to switch the context back.

I did some local testing with the Contacts sample and did some simple tests of:
- logging in (i.e. User 1)
- going to /secure/debug.jsp (view User 1 info)
- going to a jsp that handles the switch (i.e. switchUser.jsp)
- submit request to 'su' to another user (i.e. User 2)
- going to /secure/debug.jsp (view User 2 info)
- go to exit page (i.e. exitUser.jsp) - display current user logged in as, submit button to exit
- going to /secure/debug.jsp (shows User 1 info)

So initial simple tests seem to work, need to polish and do a lot more testing. I have also added applicable unit tests.

Again, feedback welcome.

Cheers,
Mark

_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
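
The switch and exit behaviour described in the message above, as an added stand-alone Java model; it is not part of the original e-mail and is not code from the Acegi project. The `Auth` record, the `USERS` map, the `ROLE_SUPERVISOR` admin authority and the method names are assumptions made for illustration; only the `PREVIOUS_ADMINISTRATOR` marker and the one-level-deep rule come from the message.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Stand-alone model (Java 16+), not Acegi code; Auth, USERS, ADMIN_ROLE are assumptions.
public class SwitchUserModel {
    static final String PREVIOUS_ADMINISTRATOR = "PREVIOUS_ADMINISTRATOR";
    static final String ADMIN_ROLE = "ROLE_SUPERVISOR"; // assumed admin authority
    // Current principal; 'original' is the admin captured alongside the marker authority.
    record Auth(String username, Set<String> authorities, Auth original) {}
    // Constructed user store standing in for the authenticationDao lookup.
    static final Map<String, Set<String>> USERS = Map.of(
            "user1", Set.of(ADMIN_ROLE, "ROLE_USER"),
            "user2", Set.of("ROLE_USER"));

    static Auth login(String u) { return new Auth(u, USERS.get(u), null); }

    static Auth switchUser(Auth current, String target) {
        // One level deep only: an already-switched session may not switch again.
        if (current.authorities().contains(PREVIOUS_ADMINISTRATOR))
            throw new IllegalStateException("already switched; exit first");
        // Only the administrator may switch (the filter relies on URL security for this).
        if (!current.authorities().contains(ADMIN_ROLE))
            throw new SecurityException(current.username() + " may not switch user");
        Set<String> granted = USERS.get(target);
        if (granted == null)
            throw new IllegalArgumentException("unknown target user: " + target);
        // In this model the target's own authorities plus the marker are granted;
        // the admin's roles are not carried over.
        Set<String> switched = new HashSet<>(granted);
        switched.add(PREVIOUS_ADMINISTRATOR);
        return new Auth(target, Set.copyOf(switched), current);
    }

    static Auth exitUser(Auth current) {
        // Exit is valid only after a successful switch.
        if (!current.authorities().contains(PREVIOUS_ADMINISTRATOR) || current.original() == null)
            throw new IllegalStateException("no switch in progress");
        return current.original();
    }

    public static void main(String[] args) {
        Auth admin = login("user1");
        Auth asUser2 = switchUser(admin, "user2");
        System.out.println(asUser2.username() + " " + asUser2.authorities());
        try { switchUser(asUser2, "user1"); } catch (IllegalStateException e) { System.out.println("refused: " + e.getMessage()); }
        System.out.println("restored: " + exitUser(asUser2).username());
    }
}
```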