SEC-374: Allow GrantedAuthority[]s assigned to switched user identity to be filtered.

19 years ago · 775840a565
2 changed files with 44 additions and 0 deletions
--- a/core/src/main/java/org/acegisecurity/ui/switchuser/SwitchUserAuthorityChanger.java
+++ b/core/src/main/java/org/acegisecurity/ui/switchuser/SwitchUserAuthorityChanger.java
@ -0,0 +1,30 @@
				@@ -0,0 +1,30 @@
+package org.acegisecurity.ui.switchuser;
+
+import java.util.List;
+
+import org.acegisecurity.Authentication;
+import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.userdetails.UserDetails;
+
+/**
+ * Allows subclasses to modify the {@link GrantedAuthority} list that will be assigned to the principal
+ * when they assume the identity of a different principal.
+ * 
+ * <p>Configured against the {@link SwitchUserProcessingFilter}.
+ * 
+ * @author Ben Alex
+ * @version $Id$
+ *
+ */
+public interface SwitchUserAuthorityChanger {
+    
+    /**
+     * Allow subclasses to add or remove authorities that will be granted when in switch user mode.
+     * 
+     * @param targetUser the UserDetails representing the identity being switched to
+     * @param currentAuthentication the current Authentication of the principal performing the switching
+     * @param authoritiesToBeGranted all {@link GrantedAuthority} instances to be granted to the user,
+     * excluding the special "switch user" authority that is used internally (guaranteed never null)
+     */
+    public void modifyGrantedAuthorities(UserDetails targetUser, Authentication currentAuthentication, List authoritiesToBeGranted);
+}
--- a/core/src/main/java/org/acegisecurity/ui/switchuser/SwitchUserProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/ui/switchuser/SwitchUserProcessingFilter.java
@ -115,6 +115,7 @@ public class SwitchUserProcessingFilter implements Filter, InitializingBean, App
				@@ -115,6 +115,7 @@ public class SwitchUserProcessingFilter implements Filter, InitializingBean, App
    private String exitUserUrl = "/j_acegi_exit_user";
    private String switchUserUrl = "/j_acegi_switch_user";
    private String targetUrl;
+    private SwitchUserAuthorityChanger switchUserAuthorityChanger;

    // ~ Instance fields
    // ========================================================
@ -277,6 +278,11 @@ public class SwitchUserProcessingFilter implements Filter, InitializingBean, App
				@@ -277,6 +278,11 @@ public class SwitchUserProcessingFilter implements Filter, InitializingBean, App
        // get the original authorities
        List orig = Arrays.asList(targetUser.getAuthorities());

+        // Allow subclasses to change the authorities to be granted
+        if (switchUserAuthorityChanger != null) {
+        	switchUserAuthorityChanger.modifyGrantedAuthorities(targetUser, currentAuth, orig);
+        }
+        
        // add the new switch user authority
        List newAuths = new ArrayList(orig);
        newAuths.add(switchAuthority);
@ -460,4 +466,12 @@ public class SwitchUserProcessingFilter implements Filter, InitializingBean, App
				@@ -460,4 +466,12 @@ public class SwitchUserProcessingFilter implements Filter, InitializingBean, App

        return uri;
    }
+
+    /**
+     * @param switchUserAuthorityChanger to use to fine-tune the authorities granted to subclasses (may be null if
+     * SwitchUserProcessingFilter shoudl not fine-tune the authorities)
+     */
+	public void setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger) {
+		this.switchUserAuthorityChanger = switchUserAuthorityChanger;
+	}
 }