Switch Once - Stateless Impersonation

For testing APIs, there is a need to allow certain privileged users to impersonate other users. We already provide this feature in our web applications through Spring Security's "Switch User" filter.

The API apps differ from traditional web apps in that the security context is stateless: a user's authentication and authorization information is not preserved between requests. Spring's switch-user functionality assumes the traditional stateful (session-backed) setup, so out of the box it does not support the stateless API model.

What we want to happen in a single request:

New Filter

A new filter was created in csf-security to handle this functionality: edu.mit.csf.security.spring.filter.SwitchUserOnceFilter

For a web app to use this filter, it must be configured as a bean using this XML:

    <bean id="switchUserOnceFilter" class="edu.mit.csf.security.spring.filter.SwitchUserOnceFilter">
        <property name="userDetailsService" ref="mitAuthorizationUserDetailService"/>
        <property name="targetUrl" value="/"/>
        <property name="switchUserRole" value="ESAPIS_IMPERSONATE"/>
    </bean>

The filter should be configured into the Spring Security chain of filters BEFORE the filterSecurityInterceptor entry, e.g.:

    <security:filter-chain pattern="/**" filters="esapisSecurityContextNonPersistenceFilter,
        logoutFilter,
        hashAuthenticationProcessingFilter,
        esapisAuthenticationProcessingFilter,
        basicAuthenticationProcessingFilter,
        exceptionTranslationFilter,
        switchUserOnceFilter,
        filterSecurityInterceptor"
    />
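To make the stateless behaviour concrete, here is an added illustrative sketch of what a one-request switch filter can look like; it is not the csf-security SwitchUserOnceFilter source. It assumes the target user is named by a request parameter (hypothetical name "switchUser"), takes the same userDetailsService and switchUserRole properties as the bean above, and relies only on standard Spring Security classes (javax.servlet API era).

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;
import org.springframework.web.filter.OncePerRequestFilter;

// Illustrative sketch, not csf-security's own filter. Hypothetical: the target is named by a request parameter.
public class SwitchUserOnceFilterSketch extends OncePerRequestFilter {
    private static final String TARGET_PARAM = "switchUser";     // hypothetical parameter name
    private UserDetailsService userDetailsService;               // same bean properties as the XML above
    private String switchUserRole = "ESAPIS_IMPERSONATE";
    public void setUserDetailsService(UserDetailsService s) { this.userDetailsService = s; }
    public void setSwitchUserRole(String role) { this.switchUserRole = role; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String target = req.getParameter(TARGET_PARAM);
        SecurityContext original = SecurityContextHolder.getContext();
        Authentication caller = original.getAuthentication();
        // Only an authenticated caller that actually holds the switch role may impersonate; otherwise pass through.
        boolean privileged = caller != null && caller.isAuthenticated()
                && caller.getAuthorities().stream().anyMatch(g -> switchUserRole.equals(g.getAuthority()));
        if (target == null || !privileged) {
            chain.doFilter(req, res);
            return;
        }
        UserDetails targetUser = userDetailsService.loadUserByUsername(target);
        // Target's authorities plus a marker authority recording who performed the switch (useful for audit logging).
        List<GrantedAuthority> auths = new ArrayList<>(targetUser.getAuthorities());
        auths.add(new SwitchUserGrantedAuthority("ROLE_PREVIOUS_ADMINISTRATOR", caller));
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(new UsernamePasswordAuthenticationToken(targetUser, null, auths));
        SecurityContextHolder.setContext(ctx);
        try {
            chain.doFilter(req, res); // filterSecurityInterceptor, later in the chain, now sees the target user
        } finally {
            SecurityContextHolder.setContext(original); // scoped to this request; nothing is persisted
        }
    }
}
```

Because the switched context lives only on the current thread for the duration of chain.doFilter, the next request starts from the caller's own credentials again, which is the stateless property the page is after.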