Switch user functionality in admin module.Login as some user

[shreyasht]

Hi ,

I hope this helps someone trying to implement something I had to do in my BLC based project. So the requirement was to implement a switch in the admin module by which admin people can login into some user's account without knowing their password. This was to be done just for the sake of troubleshooting the application from the customer's login. This kind of functionality is not provided by BLC framework in the admin module by-default.The trick here was to user SwitchUserFilter provided by spring-security.

You need to add this bean

Code: Select all

   <bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
     <property name="userDetailsService" ref="userDetailsService" />
     <property name="switchUserUrl" value="/j_spring_security_switch_user" />
     <property name="switchFailureUrl" value="/" />
     <property name="exitUserUrl" value="/j_spring_security_exit_user" />
     <property name="targetUrl" value="/targetUrl" />       
  </bean>

to your security context XML file and then set it up before the FILTER_SECURITY_INTERCEPTOR like this :

Code: Select all

<sec:custom-filter ref="switchUserProcessingFilter" after="FILTER_SECURITY_INTERCEPTOR"/>

Once the above two steps are done you should add this type of code to your XML

Code: Select all

<sec:intercept-url pattern="/j_spring_security_switch_user" access="ROLE_ADMIN"/>

The above code ensures that only users with specific privileges can only login into customer's account. For changes on the database side you need to add a role to the blc_role table (this role should be ROLE_ADMIN). Next change in DB would be to assign this newly created role to a user. You can do that in the table blc_customer_role_xref.

That's it! You are set on the website side. Now all you need to do is hit the url http://www.yoursite.com/j_spring_securi ... e=username

You will be presented with a login screen of your application and you need to type in the credentials of your ROLE_ADMIN user.

Reference: http://www.reverttoconsole.com/blog/spr ... in-spring/

Cheers
Shreyash

[fdboles]

Awesome tip! I used this for the same requirement. In my case, I am using Broadleaf 2.2 with the Combined site configuration. With this, I get a very tight integration between Admin and Site portals. I have a few additional tips to make this more useful in this configuration.

Spring switch user expects the target user in the parameter 'j_username' so the sample link should actually be

Code: Select all

http://www.yoursite.com/j_spring_security_switch_user?j_username=username.

Switch user also assumes that security restrictions have already been verified when the filter is executed. This allows triggering the filter from the Admin portal using appropriate security and eliminates the need to add the "ROLE_ADMIN" and pseudo-user to the customer account data. The filter should be executed BEFORE FILTER_SECURITY_INTERCEPTOR to avoid the site portal login screen.

Code: Select all

<sec:custom-filter ref="switchUserProcessingFilter" before="FILTER_SECURITY_INTERCEPTOR"/>

NOTE: This opens access to switch user functionality, so I recommend obfuscating the switchUserUrl and exitUserUrl paths making them harder to find. If there are any suggestions to make this more secure I'd love to hear them.

One more thing... I used a smartgwt HTMLPane to display the Site portal in the Admin portal when logging in as a customer. This worked very well, keeping the administrator in the Admin portal while logged into Site portal as the customer. After logging out from the Site portal, the administrator must log back into the Admin site due to the switch.

If anyone has any additional improvements to this approach, please enlighten!