[After changing authentication, intercept-url pattern keeps forwarding to login page]
What I need to do is:
1. Once I log in with an id and a password (e.g. user1/pw1), use some pages corresponding to user1.
2. Then switch from user1 to another id (e.g. user2) and use some other pages corresponding to user2, without logging out and logging in via the login page.
3. Then switch user2 back to user1 in a menu and use some other pages corresponding to user1, without logging out and logging in via the login page.
To change the account in a controller, changeAccount(String newUserId) is defined in BaseController.java.
In security.xml, I defined intercept-url patterns as follows,
so whenever I choose any jsp file under the file or group directory, it goes to the login page if the user has not logged in.
Code:
<intercept-url pattern="/file/**" access="ROLE_USER"/>
<intercept-url pattern="/group/**" access="ROLE_USER"/>
Code:
@Controller
public class BaseController {
    ...
    public void changeAccount(String newUserId) {
        //SecurityContext ctx = new SecurityContextImpl();
        // Replace the current Authentication with a token for newUserId
        SecurityContext ctx = SecurityContextHolder.getContext();
        ctx.setAuthentication(new UsernamePasswordAuthenticationToken(newUserId, null));
        SecurityContextHolder.setContext(ctx);
        String currentSessionUserId = SecurityContextHolder.getContext().getAuthentication().getName();
        System.out.println("currentSessionUserId : " + currentSessionUserId);
    }
    ...
}
For example, I called changeAccount("user2") to change sessionId from user1 to user2
in a controller FileController.java by calling changeAccount(selectedAccountId).
Code:
@Controller
public class FileController extends BaseController {
    ...
    protected ModelAndView changeAccount(@ModelAttribute("user") User user, Model model) throws Exception {
        changeAccount(selectedAccountId);
        ...
        return new ModelAndView("file/file");
    }
}
After I changed id from user1 to user2,
Code:
String currentSessionUserId = SecurityContextHolder.getContext().getAuthentication().getName();
displays user2 correctly.
BUT, since
Code:
<intercept-url pattern="/file/**" access="ROLE_USER"/>
<intercept-url pattern="/group/**" access="ROLE_USER"/>
are defined, when I choose any menu under /file or /group (e.g., /file/file.htm or /group/group.htm),
it is forwarded to the login menu.
Which means even though
Code:
SecurityContextHolder.getContext().getAuthentication().getName();
correctly changed the authentication, this is not considered a logged-in user by intercept-url.
How can I make it work?
What I want is that whenever I change to another user after I log in with a certain id (user1 --> user2),
it (user2) must be considered a legitimate logged-in person so as not to be forwarded to the login menu.
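
An added example, not part of the original post: the two-argument UsernamePasswordAuthenticationToken constructor used in changeAccount produces a token that is not authenticated and has no authorities, so the access="ROLE_USER" check on /file/** and /group/** cannot pass. The sketch below builds an authenticated token carrying the target user's authorities and checks that the switch is allowed first. AccountSwitcher, switchTo and the linkedAccounts map are hypothetical names, and a configured UserDetailsService is assumed.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

// Hypothetical helper (added example, not code from the post).
public class AccountSwitcher {
    private final UserDetailsService userDetailsService;
    // Assumption: application-defined map of user id -> ids that user may switch to.
    private final Map<String, Set<String>> linkedAccounts;

    public AccountSwitcher(UserDetailsService uds, Map<String, Set<String>> linkedAccounts) {
        this.userDetailsService = uds;
        this.linkedAccounts = linkedAccounts;
    }

    public Authentication switchTo(String newUserId) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        // Only a real logged-in user may switch; anonymous tokens also report isAuthenticated().
        if (current == null || !current.isAuthenticated()
                || current instanceof AnonymousAuthenticationToken) {
            throw new AccessDeniedException("login required before switching account");
        }
        // Authorize the switch itself, otherwise any user could become any other user.
        Set<String> allowed =
                linkedAccounts.getOrDefault(current.getName(), Collections.emptySet());
        if (!allowed.contains(newUserId)) {
            throw new AccessDeniedException(current.getName() + " may not switch to " + newUserId);
        }
        // Load the target's real authorities (e.g. ROLE_USER) from the user store.
        UserDetails target = userDetailsService.loadUserByUsername(newUserId);
        // The three-argument constructor yields isAuthenticated() == true and carries the
        // authorities that access="ROLE_USER" is checked against. The two-argument form
        // used in the post yields an unauthenticated token with no authorities.
        Authentication switched =
                new UsernamePasswordAuthenticationToken(target, null, target.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(switched);
        return switched;
    }
}
```

For the user1 to user2 and back flow, linkedAccounts needs an entry in each direction. Spring Security also ships SwitchUserFilter, which implements user switching with its own access check.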