org.springframework.security.web.server.authentication

Class SwitchUserWebFilter

java.lang.Object

org.springframework.security.web.server.authentication.SwitchUserWebFilter

All Implemented Interfaces:

org.springframework.web.server.WebFilter

public class SwitchUserWebFilter
extends java.lang.Object
implements org.springframework.web.server.WebFilter

Switch User processing filter responsible for user context switching. A common use-case for this feature is the ability to allow higher-authority users (e.g. ROLE_ADMIN) to switch to a regular user (e.g. ROLE_USER).

This filter assumes that the user performing the switch will be required to be logged in as normal user (i.e. with a ROLE_ADMIN role). The user will then access a page/controller that enables the administrator to specify who they wish to become (see switchUserUrl).

Note: This URL will be required to have appropriate security constraints configured so that only users of that role can access it (e.g. ROLE_ADMIN).

On a successful switch, the user's SecurityContext will be updated to reflect the specified user and will also contain an additional SwitchUserGrantedAuthority which contains the original user. Before switching, a check will be made on whether the user is already currently switched, and any current switch will be exited to prevent "nested" switches.

To 'exit' from a user context, the user needs to access a URL (see exitUserUrl) that will switch back to the original user as identified by the ROLE_PREVIOUS_ADMINISTRATOR.

To configure the Switch User Processing Filter, create a bean definition for the Switch User processing filter and add to the filterChainProxy. Note that the filter must come after the org.springframework.security.config.web.server.SecurityWebFiltersOrder#AUTHORIZATION in the chain, in order to apply the correct constraints to the switchUserUrl. Example:

 SwitchUserWebFilter filter = new SwitchUserWebFilter(userDetailsService, loginSuccessHandler, failureHandler);
 http.addFilterAfter(filter, SecurityWebFiltersOrder.AUTHORIZATION);
 

Since:

5.4

See Also:

SwitchUserGrantedAuthority

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	ROLE_PREVIOUS_ADMINISTRATOR
static java.lang.String	SPRING_SECURITY_SWITCH_USERNAME_KEY

Constructor Summary

Constructors

Constructor and Description
SwitchUserWebFilter(org.springframework.security.core.userdetails.ReactiveUserDetailsService userDetailsService, ServerAuthenticationSuccessHandler successHandler, ServerAuthenticationFailureHandler failureHandler) Creates a filter for the user context switching
SwitchUserWebFilter(org.springframework.security.core.userdetails.ReactiveUserDetailsService userDetailsService, java.lang.String successTargetUrl, java.lang.String failureTargetUrl) Creates a filter for the user context switching

Method Summary

Modifier and Type	Method and Description
protected reactor.core.publisher.Mono<org.springframework.security.core.Authentication>	exitSwitchUser(WebFilterExchange webFilterExchange) Attempt to exit from an already switched user.
reactor.core.publisher.Mono<java.lang.Void>	filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
protected java.lang.String	getUsername(org.springframework.web.server.ServerWebExchange exchange) Returns the name of the target user.
void	setExitUserMatcher(ServerWebExchangeMatcher exitUserMatcher) Set the matcher to respond to exit user processing.
void	setExitUserUrl(java.lang.String exitUserUrl) Set the URL to respond to exit user processing.
void	setSecurityContextRepository(ServerSecurityContextRepository securityContextRepository) Sets the repository for persisting the SecurityContext.
void	setSwitchUserMatcher(ServerWebExchangeMatcher switchUserMatcher) Set the matcher to respond to switch user processing.
void	setSwitchUserUrl(java.lang.String switchUserUrl) Set the URL to respond to switch user processing.
protected reactor.core.publisher.Mono<org.springframework.security.core.Authentication>	switchUser(WebFilterExchange webFilterExchange) Attempt to switch to another user.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SPRING_SECURITY_SWITCH_USERNAME_KEY

public static final java.lang.String SPRING_SECURITY_SWITCH_USERNAME_KEY

See Also:

Constant Field Values

ROLE_PREVIOUS_ADMINISTRATOR

public static final java.lang.String ROLE_PREVIOUS_ADMINISTRATOR

See Also:

Constant Field Values

Constructor Detail

SwitchUserWebFilter

public SwitchUserWebFilter(org.springframework.security.core.userdetails.ReactiveUserDetailsService userDetailsService,
                           ServerAuthenticationSuccessHandler successHandler,
                           @Nullable
                           ServerAuthenticationFailureHandler failureHandler)

Creates a filter for the user context switching

Parameters:

userDetailsService - The UserDetailService which will be used to load information for the user that is being switched to.

successHandler - Used to define custom behaviour on a successful switch or exit user.

failureHandler - Used to define custom behaviour when a switch fails.

SwitchUserWebFilter

public SwitchUserWebFilter(org.springframework.security.core.userdetails.ReactiveUserDetailsService userDetailsService,
                           java.lang.String successTargetUrl,
                           @Nullable
                           java.lang.String failureTargetUrl)

Creates a filter for the user context switching

Parameters:

userDetailsService - The UserDetailService which will be used to load information for the user that is being switched to.

successTargetUrl - Sets the URL to go to after a successful switch / exit user request

failureTargetUrl - The URL to which a user should be redirected if the switch fails

Method Detail

filter

public reactor.core.publisher.Mono<java.lang.Void> filter(org.springframework.web.server.ServerWebExchange exchange,
                                                          org.springframework.web.server.WebFilterChain chain)

Specified by:

filter in interface org.springframework.web.server.WebFilter

switchUser

protected reactor.core.publisher.Mono<org.springframework.security.core.Authentication> switchUser(WebFilterExchange webFilterExchange)

Attempt to switch to another user.

Parameters:

webFilterExchange - The web filter exchange

Returns:

The new Authentication object if successfully switched to another user, Mono.empty() otherwise.

Throws:

org.springframework.security.authentication.AuthenticationCredentialsNotFoundException - If the target user can not be found by username

exitSwitchUser

protected reactor.core.publisher.Mono<org.springframework.security.core.Authentication> exitSwitchUser(WebFilterExchange webFilterExchange)

Attempt to exit from an already switched user.

Parameters:

webFilterExchange - The web filter exchange

Returns:

The original Authentication object.

Throws:

org.springframework.security.authentication.AuthenticationCredentialsNotFoundException - If there is no Authentication associated with this request or the user is not switched.

getUsername

protected java.lang.String getUsername(org.springframework.web.server.ServerWebExchange exchange)

Returns the name of the target user.

Parameters:

exchange - The server web exchange

Returns:

the name of the target user.

setSecurityContextRepository

public void setSecurityContextRepository(ServerSecurityContextRepository securityContextRepository)

Sets the repository for persisting the SecurityContext. Default is WebSessionServerSecurityContextRepository

Parameters:

securityContextRepository - the repository to use

setExitUserUrl

public void setExitUserUrl(java.lang.String exitUserUrl)

Set the URL to respond to exit user processing. This is a shortcut for * setExitUserMatcher(ServerWebExchangeMatcher)

Parameters:

exitUserUrl - The exit user URL.

setExitUserMatcher

public void setExitUserMatcher(ServerWebExchangeMatcher exitUserMatcher)

Set the matcher to respond to exit user processing.

Parameters:

exitUserMatcher - The exit matcher to use

setSwitchUserUrl

public void setSwitchUserUrl(java.lang.String switchUserUrl)

Set the URL to respond to switch user processing. This is a shortcut for setSwitchUserMatcher(ServerWebExchangeMatcher)

Parameters:

switchUserUrl - The switch user URL.

setSwitchUserMatcher

public void setSwitchUserMatcher(ServerWebExchangeMatcher switchUserMatcher)

Set the matcher to respond to switch user processing.

Parameters:

switchUserMatcher - The switch user matcher.