  • [After changed authentication, intercept-url pattern keeps forwarding to login page ]

    What I need to do is,

    1. Once I login with an id and a password (e.g. user1/pw1), use some pages corresponding to user1
    2. And then switch the user1 to another id (e.g. user2) and then use some other pages corresponding to user2.
    without logout and login via login page.
    3. And then switch user2 back to user1 in a menu and use some other pages corresponding to user1
    without logout and login via login page.

    To change account in a controller, changeAccount(String newUserId) is defined in BaseController.java

    In security.xml, I defined intercept-url patterns as follows,
    so whenever I choose any jsp files under file or group directory, it goes to login page, if a user didn't login.

    Code:
    <intercept-url pattern="/file/**" access="ROLE_USER"/>
    <intercept-url pattern="/group/**" access="ROLE_USER"/>

    Code:
    @Controller
    public class BaseController {
    ...
     public void changeAccount(String newUserId) {
      //SecurityContext ctx = new SecurityContextImpl();
      SecurityContext ctx = SecurityContextHolder.getContext();
      // Two-argument constructor: the token carries no authorities and is not marked authenticated
      ctx.setAuthentication(new UsernamePasswordAuthenticationToken(newUserId, null));
      SecurityContextHolder.setContext(ctx);

      String currentSessionUserId = SecurityContextHolder.getContext().getAuthentication().getName();
      System.out.println("currentSessionUserId : "+ currentSessionUserId);
     }
    ...
    }
    For example, I called changeAccount("user2") to change sessionId from user1 to user2
    in a controller FileController.java by calling changeAccount(selectedAccountId).

    Code:
    @Controller
    public class FileController extends BaseController {
        ...
        protected ModelAndView changeAccount(@ModelAttribute("user") User user, Model model) throws Exception {

            changeAccount(selectedAccountId);
            ...
            return new ModelAndView("file/file");
        }
    }
    After I changed id from user1 to user2,
    Code:
      String currentSessionUserId = SecurityContextHolder.getContext().getAuthentication().getName();
    displays user2 correctly.


    BUT, since
    Code:
    <intercept-url pattern="/file/**" access="ROLE_USER"/>
    <intercept-url pattern="/group/**" access="ROLE_USER"/>
    are defined, so when I choose any menu under /file or /group (e.g., /file/file.htm or /group/group.htm),
    it is forwarded to login menu.

    Which means even though
    Code:
    SecurityContextHolder.getContext().getAuthentication().getName();
    correctly changed the authentication, this is not considered a logged-in user by intercept-url.


    How can I make it work?
    What I want is that whenever I change to another user after I log in with a certain id (user1 --> user2),
    it (user2) must be considered a legitimate logged-in person so as not to be forwarded to login menu.
    Last edited by eva500; Nov 30th, 2012, 08:47 AM.

  • #2
    Self reply

    I just found it. For those who have the same problem:
    you need to use GrantedAuthority like below.

    Code:
    		SecurityContext ctx = SecurityContextHolder.getContext();
    		
    		List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
    		authorities.add(new GrantedAuthorityImpl("ROLE_USER"));
    		Authentication auth = new UsernamePasswordAuthenticationToken(newUserId, null, authorities);
    		ctx.setAuthentication(auth);
    		SecurityContextHolder.setContext(ctx);


    • #3
      Why are you hacking around with changing users yourself... Spring Security has that out-of-the-box... I suggest a read of the reference guide especially the Switch User support (also the API docs). Basically don't try to reinvent the wheel...

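The Switch User support that reply #3 points to, wired into the thread's security.xml as an added example (not code from any poster in this thread). The role name ROLE_ACCOUNT_SWITCHER, the bean id userDetailsService and the target URL are assumptions; the switch and exit URLs are the Spring Security 3.x defaults.

```xml
<!-- Added example: Spring Security 3.x namespace config. The beans: prefix is
     assumed to be bound to the Spring beans schema, as in a typical security.xml. -->
<http auto-config="true">
    <!-- Only accounts holding this role may switch to another user.
         ROLE_ACCOUNT_SWITCHER is an assumed role name. -->
    <intercept-url pattern="/j_spring_security_switch_user" access="ROLE_ACCOUNT_SWITCHER"/>
    <!-- SwitchUserFilter adds ROLE_PREVIOUS_ADMINISTRATOR to the switched
         session, so only a switched session can request the switch back. -->
    <intercept-url pattern="/j_spring_security_exit_user" access="ROLE_PREVIOUS_ADMINISTRATOR"/>
    <intercept-url pattern="/file/**" access="ROLE_USER"/>
    <intercept-url pattern="/group/**" access="ROLE_USER"/>
    <custom-filter position="SWITCH_USER_FILTER" ref="switchUserFilter"/>
</http>

<beans:bean id="switchUserFilter"
      class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
    <!-- Assumed bean id: the same UserDetailsService the login form uses, so the
         target user's real authorities are loaded instead of a hard-coded ROLE_USER. -->
    <beans:property name="userDetailsService" ref="userDetailsService"/>
    <beans:property name="switchUserUrl" value="/j_spring_security_switch_user"/>
    <beans:property name="exitUserUrl" value="/j_spring_security_exit_user"/>
    <beans:property name="targetUrl" value="/file/file.htm"/>
</beans:bean>
```

A request to /j_spring_security_switch_user?j_username=user2 then switches the session to user2 with that account's own authorities, and /j_spring_security_exit_user restores user1.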