Feb 6th, 2013, 05:33 AM
Implementing RunAsManager. Need advice
I plan to implement RunAsManager since I believe it's the only way to reset the authentication object stored in the SecurityContext. The reason why I want this implemented is because after the user logs in, I have another authentication page which asks for the users email. When the user enters the correct email address, I would want to add a GrantedAuthority to his current list of Authorities. Is this possible and is this the best way to do this?
Basically, I want my web application to function like this:
1. User logs in, enters username and password. Upon successful authentication, user will have a role called ROLE_LOGIN
2. After successful login, the user gets redirected to a page where the user should supply his/her own email address. If the email address is valid, add another authority in his List<GrantedAuthority> called ROLE_USER.
Last edited by mportugal; Feb 6th, 2013 at 05:43 AM.
Reason: More information
Feb 6th, 2013, 06:09 AM
Why would you need a RunAsManager for that?!
Get current authentication object from security context, create a new one with additional role, put that new one in security context and you are good to go.
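The approach described in the reply above, as an added Java example that is not code from the thread or from Spring Security itself. It assumes the email on record for the logged-in user is supplied by the caller (the thread does not say where it comes from) and uses Spring Security's standard UsernamePasswordAuthenticationToken and SimpleGrantedAuthority:

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class EmailStepUp {

    private static final GrantedAuthority ROLE_USER = new SimpleGrantedAuthority("ROLE_USER");

    /**
     * Second authentication step: if the email the user typed matches the one on record,
     * replace the current Authentication with a copy that also carries ROLE_USER.
     * Returns true when the role was granted, false otherwise.
     *
     * emailOnRecord is assumed to come from the server-side account store, never from the request.
     */
    public static boolean grantRoleUserIfEmailMatches(String enteredEmail, String emailOnRecord) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            return false; // nobody has completed step 1 (ROLE_LOGIN); nothing to upgrade
        }
        if (enteredEmail == null || emailOnRecord == null
                || !emailOnRecord.equalsIgnoreCase(enteredEmail.trim())) {
            return false; // wrong email: leave the context untouched
        }
        if (current.getAuthorities().contains(ROLE_USER)) {
            return true; // already upgraded earlier in this session; do not add a duplicate
        }

        // Authentication objects are treated as immutable, so build a new token rather than
        // mutating the existing one: same principal, credentials and details, plus the new role.
        List<GrantedAuthority> updated = new ArrayList<GrantedAuthority>(current.getAuthorities());
        updated.add(ROLE_USER);
        UsernamePasswordAuthenticationToken upgraded = new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), current.getCredentials(), updated); // 3-arg ctor marks it authenticated
        upgraded.setDetails(current.getDetails());

        // Storing it in the holder is all that is needed: SecurityContextPersistenceFilter writes the
        // context back to the HttpSession when the request ends, so later requests see ROLE_USER.
        SecurityContextHolder.getContext().setAuthentication(upgraded);
        return true;
    }
}
```

The email comparison happens entirely server-side against the stored value, so a client cannot grant itself ROLE_USER by posting a role name; it only ever supplies the email to be checked.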
Feb 6th, 2013, 06:16 AM
Is that safe? Is there any other way to alter the Authentication object besides retrieving and updating the SecurityContext manually?
Feb 6th, 2013, 06:19 AM
No... Why should there be another way? That is also what Spring Security does: the new object is stored after the request, so on subsequent requests you have the new instance.