1

If you have used GitLab, it has an impersonation feature where, if your user has the 'owner' role, they can 'impersonate' any user that has been created on the system by clicking a button and see what they see.

I would like to understand how one can implement a feature like that. What is the software design / architecture for it?

I am planning to design and implement this functionality in Java, Spring and Tomcat using server-side sessions and would prefer to roll out my own impersonation feature instead of using a library.

andthereitgoes

1 Answer

1

If you want a specific solution that GitLab implemented in Ruby, you could take a look at the commit that introduced the feature: Commit 3bb626f9 - refactor login as to be impersonation with better login/logout

Please note that the security issue introduced in this commit was later fixed: GitLab Blog Post - Critical Security Release for GitLab 8.2 through 8.7

Otherwise, I think this question is too broad. I need some more details - Framework, Current Authentication mechanism, etc.

EDIT: I do not know Java Spring framework too well, but these links may help you:

  1. spring security (3.0.x) and user impersonation
  2. How to do impersonation in spring
dey.shin
  • what do you mean by framework? Current authentication mechanism is basic auth. Once I hear from you, I will update the question with relevant information – andthereitgoes Feb 09 '18 at 03:10
  • @andthereitgoes, - Regarding Framework - what language are you using? C#? JS? Ruby? going forward with it, what framework are you using on top of that? Example of that may be ASP.NET, Express, Ruby on Rails, Django, etc - Regarding Auth - Do you use sessions managed on the server to keep the auth related info? Or do you use something like JWT to keep it all in the client side? – dey.shin Feb 09 '18 at 15:07
  • @dey.shin thanks. I have added more clarification to the question: Java, Spring and Tomcat using server-side sessions. – andthereitgoes Feb 10 '18 at 16:03
  • @andthereitgoes, I don't know Java Spring too much - I added some links that may be helpful. – dey.shin Feb 12 '18 at 15:04
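
A minimal sketch of owner-only impersonation over server-side session state, added here as an illustration; it is not part of the thread above and is not GitLab's code. It assumes a plain `Map` standing in for `HttpSession` attributes, and the `User` record, attribute names and method names are hypothetical.

```java
import java.util.*;

public class ImpersonationDemo {
    record User(String name, boolean owner) {}  // hypothetical user model
    // Keep BOTH identities in the server-side session, never in the client.
    static final String REAL_USER = "realUser";           // who authenticated
    static final String EFFECTIVE_USER = "effectiveUser"; // whose view is rendered
    static final List<String> auditLog = new ArrayList<>();

    static void login(Map<String, Object> session, User u) {
        session.put(REAL_USER, u);
        session.put(EFFECTIVE_USER, u);
    }

    static void startImpersonation(Map<String, Object> session, User target) {
        User real = (User) session.get(REAL_USER);
        User effective = (User) session.get(EFFECTIVE_USER);
        // Authorize against the REAL user, not the effective one.
        if (real == null || !real.owner())
            throw new SecurityException("only an owner may impersonate");
        // No chaining: the owner must stop before switching to another user.
        if (!real.equals(effective))
            throw new SecurityException("already impersonating; stop first");
        // In a servlet container, also rotate the session id at this point
        // (HttpServletRequest.changeSessionId()).
        session.put(EFFECTIVE_USER, target);
        auditLog.add(real.name() + " started impersonating " + target.name());
    }

    static void stopImpersonation(Map<String, Object> session) {
        User real = (User) session.get(REAL_USER);
        User effective = (User) session.get(EFFECTIVE_USER);
        if (real == null || real.equals(effective)) return; // nothing to stop
        // Restore only from session state, never from a request parameter.
        session.put(EFFECTIVE_USER, real);
        auditLog.add(real.name() + " stopped impersonating " + effective.name());
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed sample data
        login(session, new User("admin", true));
        startImpersonation(session, new User("alice", false));
        System.out.println("effective: " + session.get(EFFECTIVE_USER));
        try {
            startImpersonation(session, new User("bob", false));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        stopImpersonation(session);
        System.out.println("effective: " + session.get(EFFECTIVE_USER));
        auditLog.forEach(System.out::println);
    }
}
```

Page rendering reads the effective user, while the authorization check for starting impersonation and every audit entry use the real user.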