We have multiple portals: Employer-portal, Employee-portal and Admin-portal. All three portals are deployed separately. All portals follow the spring-mvc pattern, and we use spring security with openId for login and logout.
Now we want to give the admin-portal a feature so that an admin can impersonate an employee or employer and do things on their behalf.
Can anybody with previous experience guide me on how to work on this, or share a good article which I can read to get good knowledge of it?
Thanks,
From your question, it doesn't sound like you really want 'runAsManager'.
One way would be to use something like an 'impersonate' method, which itself would need to be secured of course, maybe using method level security annotations.
For that, you can use something like:
@PreAuthorize("hasRole('ROLE_ADMIN')")
Essentially, what you need to do is to build an authentication object and populate the Security Context (ThreadLocal) with that.
Something like:
Authentication other = createAuthentication(someUsername); //Implement this
SecurityContextHolder.getContext().setAuthentication(other);
I can see the appeal of this approach, but of course, whether or not it's a good idea depends on what you're allowing admins to do on the user's behalf. Spend their money? See their emails? If the use case is valid, at least audit this kind of operation.
Once impersonating another user like this, the current user will need to log out and log in again to switch back to their own account.
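The following is an added example that is not part of the original question or answer. It fleshes out the `createAuthentication` / `setAuthentication` sketch from the answer as a Spring Security service: the impersonate method is guarded with `@PreAuthorize`, the admin's original `Authentication` is carried inside the switched token as a `SwitchUserGrantedAuthority` (the same mechanism Spring Security's own `SwitchUserFilter` uses) so a second, also-guarded method can restore it, and every switch is written to an audit log. The class name `ImpersonationService`, the role name `ROLE_PREVIOUS_ADMINISTRATOR`, the logger name and the `UserDetailsService` wiring are assumptions for illustration; whether the switched context survives beyond the current request depends on how your `SecurityContextRepository` is configured.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;
import org.springframework.stereotype.Service;

// Hypothetical service; names and role are assumptions, not part of the original answer.
@Service
public class ImpersonationService {

    // Marker role the impersonating admin keeps so the app can tell a switched session apart.
    private static final String PREVIOUS_ADMIN_ROLE = "ROLE_PREVIOUS_ADMINISTRATOR";

    // Separate logger so impersonation events can be routed to an audit sink.
    private static final Logger AUDIT = Logger.getLogger("audit.impersonation");

    private final UserDetailsService userDetailsService;

    public ImpersonationService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    // Method security only applies when this is invoked through the Spring proxy;
    // a call from inside the same bean would bypass the check.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void impersonate(String targetUsername) {
        Authentication original = SecurityContextHolder.getContext().getAuthentication();
        if (original == null || !original.isAuthenticated()) {
            throw new IllegalStateException("no authenticated admin in the security context");
        }
        // Refuse nested impersonation: an already-switched session must exit first.
        if (findSwitchUserAuthority(original) != null) {
            throw new IllegalStateException("already impersonating another user");
        }

        UserDetails target = userDetailsService.loadUserByUsername(targetUsername);
        // Do not let an admin act as an account that could not log in itself.
        if (!target.isEnabled() || !target.isAccountNonLocked() || !target.isAccountNonExpired()) {
            throw new IllegalStateException("target account is disabled, locked or expired");
        }

        // Target's authorities plus a marker carrying the admin's original Authentication.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(target.getAuthorities());
        authorities.add(new SwitchUserGrantedAuthority(PREVIOUS_ADMIN_ROLE, original));

        // Three-arg constructor marks the token as authenticated; credentials are left null
        // so the target's password hash is not carried around in the session.
        UsernamePasswordAuthenticationToken switched =
                new UsernamePasswordAuthenticationToken(target, null, authorities);
        SecurityContextHolder.getContext().setAuthentication(switched);

        AUDIT.info("IMPERSONATE_START admin=" + original.getName() + " target=" + target.getUsername());
    }

    // Only a switched session holds the marker role, so only it can call this.
    @PreAuthorize("hasRole('ROLE_PREVIOUS_ADMINISTRATOR')")
    public void exitImpersonation() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        SwitchUserGrantedAuthority marker = findSwitchUserAuthority(current);
        if (marker == null) {
            throw new IllegalStateException("not currently impersonating");
        }
        Authentication original = marker.getSource();
        SecurityContextHolder.getContext().setAuthentication(original);

        AUDIT.info("IMPERSONATE_END admin=" + original.getName() + " target=" + current.getName());
    }

    // Returns the marker authority if the given Authentication is a switched one, else null.
    static SwitchUserGrantedAuthority findSwitchUserAuthority(Authentication auth) {
        if (auth == null) {
            return null;
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (ga instanceof SwitchUserGrantedAuthority) {
                return (SwitchUserGrantedAuthority) ga;
            }
        }
        return null;
    }
}
```

Views can test for `ROLE_PREVIOUS_ADMINISTRATOR` to show an "acting as ..." banner with an exit link, and the audit lines give you the admin-to-target mapping the answer recommends keeping; if you need the behaviour the answer warns about (spending money, reading mail), restricting which target roles may be impersonated, or which authorities are copied, belongs in `impersonate` as well.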