  • How to nest multiple SecureContexts?

    I'd like to emulate the 'su' command for our web application. I'd like one user (UserA) to be able to assume the identity of another user (UserB).

    When the second user (UserB) exits they would remain logged in as the original user (UserA).

    My initial thought is to maintain a stack of Authentication instances in the HTTP session. When a user logs in, whether for the first time or by assuming another identity, we push the new Authentication instance onto the stack after Acegi has done the authentication.

    When a user logs out, we pop the Authentication instance from the stack and replace the instance that is stored in the SecureContext. If the stack is empty then we really complete the logout process.




  • #2
    You could do this any way you like. You'd be creating a replacement for HttpSessionContextIntegrationFilter, as it's responsible for setting up a ContextHolder for each request. Acegi Security doesn't mind how it's set up; it just calls ContextHolder.getContext() and casts the returned Context to a SecureContext to obtain the Authentication.

    Don't forget RunAsManager. You could write a replacement version which looks at some other ContextHolder property that perhaps indicates the "current desired Authentication". As such it could swap it out during that invocation only. AbstractSecurityInterceptor handles returning the ContextHolder to the real Authentication at the end of the secure object proceeding.
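One shape the session-scoped stack from the question could take, as an added example that is not code from this thread or from the Acegi project. It assumes the Acegi 0.x classes Authentication, ContextHolder, SecureContext and SecureContextImpl under the net.sf.acegisecurity packages; the helper class, its method names and the session attribute key are my own. The replacement filter or logout handler described in the reply would call push() after Acegi authenticates and pop() on logout:

```java
import java.util.Stack;
import javax.servlet.http.HttpSession;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import net.sf.acegisecurity.context.SecureContextImpl;

/** Session-scoped stack of Authentication objects behind an su-style identity switch (hypothetical helper). */
public final class IdentityStack {
    // Session attribute key; the name is an assumption, not an Acegi constant.
    private static final String KEY = "IDENTITY_STACK";

    private static Stack stack(HttpSession session) {
        Stack s = (Stack) session.getAttribute(KEY);
        if (s == null) {
            s = new Stack();
            session.setAttribute(KEY, s);
        }
        return s;
    }

    /** Call after Acegi has authenticated 'auth', for the first login or for an assumed identity. */
    public static void push(HttpSession session, Authentication auth) {
        // Never stack an unauthenticated token: a failed 'su' must not change who the session is.
        if (auth == null || !auth.isAuthenticated()) throw new IllegalArgumentException("token not authenticated");
        stack(session).push(auth);
        publish(auth);
    }

    /** Call on logout: drops the current identity and restores the previous one; null means a real logout should now complete. */
    public static Authentication pop(HttpSession session) {
        Stack s = stack(session);
        if (!s.isEmpty()) s.pop();
        Authentication now = s.isEmpty() ? null : (Authentication) s.peek();
        publish(now);
        if (now == null) session.removeAttribute(KEY);
        return now;
    }

    /** The user who really logged in (bottom of the stack); record this alongside actions taken under an assumed identity. */
    public static Authentication realUser(HttpSession session) {
        Stack s = stack(session);
        return s.isEmpty() ? null : (Authentication) s.firstElement();
    }

    // Install 'auth' (or an empty context when null) as the SecureContext for the current thread.
    private static void publish(Authentication auth) {
        SecureContext ctx = new SecureContextImpl();
        ctx.setAuthentication(auth);
        ContextHolder.setContext(ctx);
    }
}
```

Because ContextHolder is thread-bound, the replacement filter still has to publish the top of the stack at the start of every request and clear the ContextHolder when the request finishes, as HttpSessionContextIntegrationFilter does.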