14 Switch User - Reference Documentation
Authors: Burt Beckwith, Beverley Talbott
Version: 2.0.0
14 Switch User
To enable a user to switch from the currentAuthentication to another user's, set the useSwitchUserFilter attribute to true. This feature is similar to the 'su' command in Unix. It enables, for example, an admin to act as a regular user to perform some actions, and then switch back.This feature is very powerful; it allows full access to everything the switched-to user can access without requiring the user's password. Limit who can use this feature by guarding the user switch URL with a role, for example,ROLE_SWITCH_USER,ROLE_ADMIN, and so on.
Switching to Another User
To switch to another user, typically you create a form that submits to/j_spring_security_switch_user:<sec:ifAllGranted roles='ROLE_SWITCH_USER'> <form action='/j_spring_security_switch_user' method='POST'>
Switch to user: <input type='text' name='j_username'/> <br/>
<input type='submit' value='Switch'/>
</form></sec:ifAllGranted>ROLE_SWITCH_USER and is not shown otherwise. You also need to guard the user switch URL, and the approach depends on your mapping scheme. If you use annotations, add a rule to the controllerAnnotations.staticRules attribute:grails.plugin.springsecurity.controllerAnnotations.staticRules = [
…
'/j_spring_security_switch_user':
['ROLE_SWITCH_USER', 'isFullyAuthenticated()']
]Requestmaps, create a rule like this (for example, in BootStrap):new Requestmap(url: '/j_spring_security_switch_user', configAttribute: 'ROLE_SWITCH_USER,isFullyAuthenticated()' ).save(flush: true)
Config.groovy map, add the rule there:grails.plugin.springsecurity.interceptUrlMap = [
…
'/j_spring_security_switch_user':
['ROLE_SWITCH_USER', 'isFullyAuthenticated()']
]Switching Back to Original User
To resume as the original user, navigate to/j_spring_security_exit_user.<sec:ifSwitched>
<a href='${request.contextPath}/j_spring_security_exit_user'>
Resume as <sec:switchedUserOriginalUsername/>
</a>
</sec:ifSwitched>Customizing URLs
You can customize the URLs that are used for this feature, although it is rarely necessary:grails.plugin.springsecurity.switchUser.switchUserUrl = … grails.plugin.springsecurity.switchUser.exitUserUrl = … grails.plugin.springsecurity.switchUser.targetUrl = … grails.plugin.springsecurity.switchUser.switchFailureUrl = ...
| Property | Default | Meaning |
|---|---|---|
| useSwitchUserFilter | false | Whether to use the switch user filter. |
| switchUser. switchUserUrl | '/j_spring_security_switch_user' | URL to access (via GET or POST) to switch to another user. |
| switchUser. exitUserUrl | '/j_spring_security_exit_user' | URL to access to switch to another user. |
| switchUser. targetUrl | Same as successHandler.defaultTargetUrl | URL for redirect after switching. |
| switchUser. switchFailureUrl | Same as failureHandler.defaultFailureUrl | URL for redirect after an error during an attempt to switch. |
| switchUser. usernameParameter | SwitchUserFilter. SPRING_SECURITY_SWITCH_USERNAME_KEY | The username request parameter name |
GSP Code
One approach to supporting the switch user feature is to add code to one or more of your GSP templates. In this example the current username is displayed, and if the user has switched from another (using thesec:ifSwitched tag) then a 'resume' link is displayed. If not, and the user has the required role, a form is displayed to allow input of the username to switch to:<sec:ifLoggedIn>
Logged in as <sec:username/>
</sec:ifLoggedIn><sec:ifSwitched>
<a href='${request.contextPath}/j_spring_security_exit_user'>
Resume as <sec:switchedUserOriginalUsername/>
</a>
</sec:ifSwitched><sec:ifNotSwitched>
<sec:ifAllGranted roles='ROLE_SWITCH_USER'> <form action='${request.contextPath}/j_spring_security_switch_user'
method='POST'>
Switch to user: <input type='text' name='j_username'/><br/>
<input type='submit' value='Switch'/>
</form> </sec:ifAllGranted>
</sec:ifNotSwitched>