
We have multiple portals: Employer-portal, Employee-portal and Admin-portal. All three portals are deployed separately. All portals follow the spring-mvc pattern, and we use spring security with openId for login and logout.

Now we want to give the admin-portal a feature so that an admin can impersonate an employee or employer and do things on their behalf.

Can anybody with previous experience guide me on how to work on it, or share any good article which I can read to get good knowledge of it?

Thanks,

Zuned Ahmed
  • http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#runas – sodik Aug 28 '14 at 10:36

1 Answer

From your question, it doesn't sound like you really want 'runAsManager'.

One way would be to use something like an 'impersonate' method, which itself would need to be secured of course, maybe using method level security annotations.

For that, you can use something like:

@PreAuthorize("hasRole('ROLE_ADMIN')")

Essentially, what you need to do is to build an authentication object and populate the Security Context (ThreadLocal) with that.

Something like:

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

Authentication other = createAuthentication(someUsername); // Implement this: build an Authentication for the target user
SecurityContextHolder.getContext().setAuthentication(other); // Replace the principal in the thread-local security context

I can see the appeal of this approach, but of course, whether or not it's a good idea depends on what you're allowing admins to do on the user's behalf. Spend their money? See their emails? If the use case is valid, at least audit this kind of operation.

Once impersonating another user like this, the current user will need to log out and log in again to switch back to their own account.

Mick Sear
  • Do I have to overlay the employee and employer portal over the admin portal, or else can we log in to the employer portal? – Zuned Ahmed Aug 28 '14 at 14:49
  • If you use the same framework and have the same source of users, then would you not allow the admin user to log into the other two portals, and then provide a method in each of those to become a less privileged user? If so, then I don't think you need to overlay, no. You provide the functionality in the employer / employee apps with a single MVC method and secured service method. – Mick Sear Aug 29 '14 at 09:19