2

We're developing a website and we've encountered this issue: for this website there are 2 types of users: the customer and an administrator. The administrator can see all products (e.g. including expired products) while the customer can only see a subset.

We're achieving this through user restrictions for the customer group and the administrator group. Products are displayed according to the user logged in. If he belongs to the customer group then one set of restrictions applies; if he belongs to the administrator group, another set of restrictions applies.

Now, it can be the case that an administrator wants to see the website from a customer perspective. Since it's impossible to have two users in the same session, currently the administrator is logged out by the system and is logged in as a user in the customer group. This situation however is not ideal.

Has anyone ever encountered this situation before and is there a clean solution somehow? The underlying technology is a custom server based on Tomcat 6.0.29. We're developing using Java.

Thanks :) Krt_Malta

Krt_Malta
  • Yes, we are using Spring Security but I'm not aware of this method you are mentioning. Is it possible with Spring Security for the admin to see what the standard user can see without having to log out from admin? Regarding URLs, the website is still at development stage. – Krt_Malta Mar 05 '11 at 13:36
  • Could you give me a link where I can find more information about this please? – Krt_Malta Mar 05 '11 at 14:08

2 Answers

3

@Krt_Malta: If you are using Spring Security, then you don't need to have the administrator log out and then log back in as a user. To accomplish that, you will need to configure SwitchUserFilter... it allows the user to switch from one role to another without the need to log out, which is what you want.

limc
  • You're welcome. Note the older Spring Security releases use SwitchUserProcessingFilter: http://static.springsource.org/spring-security/site/docs/2.0.x/apidocs/org/springframework/security/ui/switchuser/SwitchUserProcessingFilter.html ... which is essentially the same thing, but with a different filter name. – limc Mar 05 '11 at 15:12
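
A Spring Security 3.0 namespace configuration for the SwitchUserFilter approach in the answer above, added here as an illustration and not taken from the thread. The role names `ROLE_ADMIN` and `ROLE_CUSTOMER`, the target URL and the `userDetailsService` bean id are assumptions; the point to note is that the switch URL itself is access-controlled, since the filter does not restrict who may call it.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http auto-config="true">
    <!-- Only administrators may start a switch. Without this rule any
         authenticated user could take on another account's identity. -->
    <intercept-url pattern="/j_spring_security_switch_user"
                   access="ROLE_ADMIN"/>

    <!-- While switched, the session holds the target user's authorities
         plus ROLE_PREVIOUS_ADMINISTRATOR, which is what permits the exit. -->
    <intercept-url pattern="/j_spring_security_exit_user"
                   access="ROLE_PREVIOUS_ADMINISTRATOR"/>

    <!-- Assumed role names for the two groups described in the question. -->
    <intercept-url pattern="/**" access="ROLE_CUSTOMER,ROLE_ADMIN"/>

    <!-- SWITCH_USER_FILTER places the filter after the
         FilterSecurityInterceptor, so the rules above are enforced
         before the switch request is processed. -->
    <custom-filter position="SWITCH_USER_FILTER" ref="switchUserFilter"/>
  </http>

  <beans:bean id="switchUserFilter"
      class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
    <!-- Assumption: the application's existing UserDetailsService bean. -->
    <beans:property name="userDetailsService" ref="userDetailsService"/>
    <beans:property name="switchUserUrl"
                    value="/j_spring_security_switch_user"/>
    <beans:property name="exitUserUrl"
                    value="/j_spring_security_exit_user"/>
    <!-- Assumption: where to land after a switch or an exit. -->
    <beans:property name="targetUrl" value="/"/>
  </beans:bean>
</beans:beans>
```

An administrator switches by requesting `/j_spring_security_switch_user?j_username=<customer login>` and returns to the original identity through the exit URL. Checking for `ROLE_PREVIOUS_ADMINISTRATOR` in views or audit logging lets the application distinguish a switched session from a real customer session.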
0

I'm rather new to web development myself, but couldn't you have a field in a MySQL table called 'type', with a user either being a 'customer' or 'admin'? When someone logs in, the system could check their user type and if it's 'customer', the system could show the customer's view and if it's 'admin', the admin's view.

You could then also have another field in a table which only applies to 'admin' type users which basically says whether the admin is viewing in admin mode or customer mode. A button on every page in 'admin' view could toggle between 'admin' and 'customer' for this new field, and that can decide what view is shown.

Is that the kind of thing you're looking for?

Taimur
  • Thanks for your input Taimur :) Interacting with databases directly is not so nice, I got to learn, so although your method could work, it wouldn't be clean. Thanks still! – Krt_Malta Mar 05 '11 at 15:01