CODEWITHSUNDEEP
springspring-security
saw303
saw303

Reputation: 9072

Spring Security 3.1 Run-As

I am trying to get the Run-As feature in Spring Security 3.1 to work. The strange thing is that I cannot find a single example. Even the Spring Security Book does not cover the topic at all.

Here is the security part of my application context.

<security:global-method-security
        pre-post-annotations="enabled">
    <security:expression-handler ref="customExpressionHandler"/>
</security:global-method-security>

<bean id="runAsManager"
      class="org.springframework.security.access.intercept.RunAsManagerImpl">
    <property name="key" value="my_run_as_password"/>
</bean>

<bean id="runAsAuthenticationProvider"
      class="org.springframework.security.access.intercept.RunAsImplAuthenticationProvider">
    <property name="key" value="my_run_as_password"/>
</bean>
<security:http auto-config="true" create-session="always">
    <security:remember-me key="njc2"/>
    <security:session-management invalid-session-url="/sessionTimeout.html"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:form-login login-page='/login.html'
                         authentication-success-handler-ref="njcAuthenticationSuccessHandler"
                         authentication-failure-url="/login-failure.html"/>
    <security:logout invalidate-session="true" logout-url="/j_spring_security_logout"
                     logout-success-url="/login.html"/>
</security:http>

At runtime Spring 'magically' creates an instance of org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor but does not wire my runAsManager and therefore uses the NullRunAsManager that is created by default.

Can you show me a valid Spring Security 3.1 example that demonstrates run as and using JSR-250 annotations such as @RunAs?

Upvotes: 8

Views: 2390

Answers (1)

Maciej Ziarko
Maciej Ziarko

Reputation: 12084

Actually you can use Spring Security XML namespace to set RunAsManager:

<sec:global-method-security run-as-manager-ref="runAsManager">
     <!-- Rest of your code -->
</sec:global-method-security>

I don't know of any out-of-box @RunAs integration. But I'm sure it's possible to implement that by yourself and integrate with Spring Security.

Upvotes: 3

Related Questions