Modifying GrantedAuthorities on current user session
JasonSheedy
Oct 24th, 2011, 02:13 AM
After researching this problem for the best part of the day, I've come to a bit of a fork in the road and I'm not really sure of the best path to take. I can see there would be a few different ways to implement a solution, but I guess it would be helpful if someone with a bit more experience could provide a bit of insight on the best way to implement this in Spring Security.
I have set up a UserDetailsService that gets the UserDetails and default GrantedAuthorities; all of that is working fine.
The problem is this:
I have a security model based on departments. i.e. a user can have a different role and set of permissions based on the department they're logging in to. They have a default department which can be used for their initial log in, but if the user wants to change departments, I need to change the GrantedAuthorities for the current user session. What's the best way to attack this problem?
Alternatively, I thought of setting a cookie for the department, redirecting and creating a new user session ...
Any help would be appreciated.
JasonSheedy
Oct 25th, 2011, 05:11 AM
Anyone have any ideas? Is it OK to set a new Authentication object in the SecurityContext? Will it be accepted for the current session?
stimpy
Oct 25th, 2011, 05:57 PM
Jason
I have not tried it, but I use a custom authorities provisioner to handle my roles and I think it could handle this.
There may be some protections in place to prevent inaccurate session escalation, but I am not sure.
I will see what I can dig up and post here.
JasonSheedy
Oct 25th, 2011, 07:49 PM
Thanks Stimpy. I'll post here when/if I find anything in the interim.
stimpy
Oct 26th, 2011, 03:20 PM
Jason
I took a look at my running code.
I implemented LdapAuthoritiesPopulator to set up my initial authorities. It would seem that you might also be able to set the authorities to a new list representing a user with higher permissions.
If I get a chance I will make up a test case and post the results.
BTW, I got this far by using the Spring Security 3.0 book; it helped me a lot.
JasonSheedy
Oct 26th, 2011, 10:56 PM
Hi Stimpy,
Thanks for the feedback. I managed to get a proof of concept working using the following constructor and then setting this Authentication object in the SecurityContext. This sets the new GrantedAuthority list and avoids having to re-authenticate the user.
UsernamePasswordAuthenticationToken(java.lang.Object principal, java.lang.Object credentials, java.util.Collection<? extends GrantedAuthority> authorities)
This constructor should only be used by AuthenticationManager or AuthenticationProvider implementations that are satisfied with producing a trusted (i.e. AbstractAuthenticationToken.isAuthenticated() = true) authentication token.
If you create the new Authentication object using the constructor without the list of GrantedAuthorities, SS will attempt to re-authenticate the user using the new principal and credentials and set the Grants based on whatever UserDetailsService you have set up.
UsernamePasswordAuthenticationToken(java.lang.Object principal, java.lang.Object credentials)
Ref: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.html#UsernamePasswordAuthenticationToken%28java.lang.Object,%20java.lang.Object,%20java.util.Collection%29
JasonSheedy
Oct 26th, 2011, 11:03 PM
Here is my test case. The new Grants are accepted and the user session continues to be authenticated.
    import java.util.Collection;
    import java.util.List;
    import java.util.Vector;

    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.GrantedAuthorityImpl;
    import org.springframework.security.core.context.SecurityContext;
    import org.springframework.security.core.context.SecurityContextHolder;

    public class PermissionSwitchTest {

        private void setNewPermissions(List<String> permissionList) {
            Authentication newAuth = null;
            Authentication auth = null;
            // Get the security context
            SecurityContext context = SecurityContextHolder.getContext();
            // Get the current Authentication object
            if (context != null) {
                auth = context.getAuthentication();
                if (auth != null) {
                    System.out.println(auth.toString());
                    System.out.println("=== credentials: [[[" + auth.getCredentials() + "]]]");
                }
            }
            // Authentication auth = new UsernamePasswordAuthenticationToken()
            if (auth != null && permissionList != null) {
                // create the new GrantedAuthority collection
                Collection<GrantedAuthority> auths = new Vector<GrantedAuthority>();
                for (String perm : permissionList) {
                    auths.add(new GrantedAuthorityImpl(perm));
                }
                // create a new authentication object; the three-argument constructor
                // produces a token with isAuthenticated() == true, so no re-authentication runs
                newAuth = new UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), auths);
                context.setAuthentication(newAuth);
            }
        }
    }
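The same technique as in the test case above, written from the defender's side as an added example that is not code from the thread: the only client-supplied input is the department name, the role list for that department is resolved server-side from a membership table, and a user who is not a member of the requested department is refused. The `DepartmentSwitcher` class and its `membership` map are hypothetical; the Spring Security 3.0 classes are the ones discussed in the thread.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.context.SecurityContextHolder;

/** Replaces the GrantedAuthorities of the current session when the user changes department. */
public class DepartmentSwitcher {

    /** Hypothetical lookup: username -> (department -> role names granted in that department). */
    private final Map<String, Map<String, List<String>>> membership;

    public DepartmentSwitcher(Map<String, Map<String, List<String>>> membership) {
        this.membership = membership;
    }

    public Authentication switchTo(String department) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            throw new AccessDeniedException("no authenticated user in the security context");
        }
        // Resolve the roles on the server: the request names a department, never a role list,
        // and the user must actually belong to that department.
        Map<String, List<String>> departments = membership.get(current.getName());
        List<String> roles = departments == null ? null : departments.get(department);
        if (roles == null) {
            throw new AccessDeniedException(current.getName() + " is not a member of " + department);
        }
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new GrantedAuthorityImpl(role));
        }
        // The three-argument constructor marks the token as authenticated, so the
        // AuthenticationManager is not consulted again; principal, credentials and details
        // are copied from the original token so the session continues as the same user.
        UsernamePasswordAuthenticationToken replaced = new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), current.getCredentials(), authorities);
        replaced.setDetails(current.getDetails());
        SecurityContextHolder.getContext().setAuthentication(replaced);
        return replaced;
    }
}
```

In a web application the context set here is written back to the HTTP session by the filter chain at the end of the request, so the switch takes effect on the next request without a new login.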