Results 1 to 3 of 3

Thread: [After changed authentication, intercept-url pattern keeps forwarding to login page ]

  1. Nov 30th, 2012, 08:41 AM #1
    eva500
    eva500 is offline Junior Member
    Join Date
    Jan 2012
    Posts
    22

    Default [After changed authentication, intercept-url pattern keeps forwarding to login page ]

    What I need to do is,

    1. Once I login with an id and a password (e.g. user1/pw1), use some pages corresponding to user1
    2. And then switch the user1 to another id (e.g. user2) and then use some other pages corresponding to user2.
    without logout and login via login page.
    3 And then switch user2 back to user1 in a menu and use some other pages corresponding to user1
    without logout and login via login page..

    To change account in a controller, I changeAccount(String newUserId) is defineded in BaseController.java

    In security.xml, I defined intercept-url patterns as follow,
    so whenever I choose any jsp files under file or group directory, it goes to login page, if a user didn't login.

    Code:
    <intercept-url pattern="/file/**" access="ROLE_USER"/>
<intercept-url pattern="/group/**" access="ROLE_USER"/>

    Code:
    @Controller
public class BaseController {
...
 public void changeAccount(String newUserId) {
  //SecurityContext ctx = new SecurityContextImpl();
  SecurityContext ctx = SecurityContextHolder.getContext();
  ctx.setAuthentication(new UsernamePasswordAuthenticationToken(newUserId, null));
  SecurityContextHolder.setContext(ctx);
	
  SecurityContextHolder.getContext().getAuthentication().getName());
  String currentSessionUserId = SecurityContextHolder.getContext().getAuthentication().getName();
  System.out.println("currentSessionUserId : "+ currentSessionUserId);
 }
...
}
    For example, I called changeAccount("user2") to change sessionId from user1 to user2
    in a controller FileController.java by calling changeAccount(selectedAccountId).

    Code:
    @Controller
public class FileController extends BaseController {
    ...	
    protected ModelAndView changeAccount(@ModelAttribute("user") User user, Model model) throws Exception {
		
		changeAccount(selectedAccountId);
		...
		return new ModelAndView("file/file");
   }
    After I changed id from user1 to user2,
    Code:
      String currentSessionUserId = SecurityContextHolder.getContext().getAuthentication().getName();
    displays user2 correctly.

    BUT, since
    Code:
    <intercept-url pattern="/file/**" access="ROLE_USER"/>
<intercept-url pattern="/group/**" access="ROLE_USER"/>
    are defined, so when I choose any menu under /file or /group (e.g., /file/file.htm or /group/group.htm),
    it is fowarded to login menu.
    Which means even though
    Code:
    SecurityContextHolder.getContext().getAuthentication().getName();
    correctly changed the authentication, but this is not considered as logined user by intercept-url.

    How can I make it work?
    What I want if whenever I change to another user after I login a certain id (user1 --> user2),
    it (user2) must be considered as legitimate login person so as not to be forwarded to login menu.
    Last edited by eva500; Nov 30th, 2012 at 08:47 AM.
    Reply With Quote Reply With Quote
  2. Nov 30th, 2012, 11:01 AM #2
    eva500
    eva500 is offline Junior Member
    Join Date
    Jan 2012
    Posts
    22

    Default Self reply

    I just found it. But for those who have the same problem.
    You need to use GrantedAuthority like below.

    Code:
    		SecurityContext ctx = SecurityContextHolder.getContext();
		
		List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
		authorities.add(new GrantedAuthorityImpl("ROLE_USER"));
		Authentication auth = new UsernamePasswordAuthenticationToken(newUserId, null, authorities);
		ctx.setAuthentication(auth);
		SecurityContextHolder.setContext(ctx);

    Quote Originally Posted by eva500 View Post
    What I need to do is,

    1. Once I login with an id and a password (e.g. user1/pw1), use some pages corresponding to user1
    2. And then switch the user1 to another id (e.g. user2) and then use some other pages corresponding to user2.
    without logout and login via login page.
    3 And then switch user2 back to user1 in a menu and use some other pages corresponding to user1
    without logout and login via login page..

    To change account in a controller, I changeAccount(String newUserId) is defineded in BaseController.java

    In security.xml, I defined intercept-url patterns as follow,
    so whenever I choose any jsp files under file or group directory, it goes to login page, if a user didn't login.

    Code:
    <intercept-url pattern="/file/**" access="ROLE_USER"/>
<intercept-url pattern="/group/**" access="ROLE_USER"/>

    Code:
    @Controller
public class BaseController {
...
 public void changeAccount(String newUserId) {
  //SecurityContext ctx = new SecurityContextImpl();
  SecurityContext ctx = SecurityContextHolder.getContext();
  ctx.setAuthentication(new UsernamePasswordAuthenticationToken(newUserId, null));
  SecurityContextHolder.setContext(ctx);
	
  SecurityContextHolder.getContext().getAuthentication().getName());
  String currentSessionUserId = SecurityContextHolder.getContext().getAuthentication().getName();
  System.out.println("currentSessionUserId : "+ currentSessionUserId);
 }
...
}
    For example, I called changeAccount("user2") to change sessionId from user1 to user2
    in a controller FileController.java by calling changeAccount(selectedAccountId).

    Code:
    @Controller
public class FileController extends BaseController {
    ...	
    protected ModelAndView changeAccount(@ModelAttribute("user") User user, Model model) throws Exception {
		
		changeAccount(selectedAccountId);
		...
		return new ModelAndView("file/file");
   }
    After I changed id from user1 to user2,
    Code:
      String currentSessionUserId = SecurityContextHolder.getContext().getAuthentication().getName();
    displays user2 correctly.

    BUT, since
    Code:
    <intercept-url pattern="/file/**" access="ROLE_USER"/>
<intercept-url pattern="/group/**" access="ROLE_USER"/>
    are defined, so when I choose any menu under /file or /group (e.g., /file/file.htm or /group/group.htm),
    it is fowarded to login menu.
    Which means even though
    Code:
    SecurityContextHolder.getContext().getAuthentication().getName();
    correctly changed the authentication, but this is not considered as logined user by intercept-url.

    How can I make it work?
    What I want if whenever I change to another user after I login a certain id (user1 --> user2),
    it (user2) must be considered as legitimate login person so as not to be forwarded to login menu.
    Reply With Quote Reply With Quote
  3. Dec 3rd, 2012, 05:51 AM #3
    Marten Deinum
    Marten Deinum is offline Senior Member
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632

    Default

    Why are you hacking around with changing users yourself... Spring Security has that out-of-the-box... I suggest a read of the reference guide especially the Switch User support (also the API docs). Basically don't try to reinvent the wheel...
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author

    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules