The moose likes Security and the fly likes User impersonation using Filters/Cookies Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login
JavaRanch » Java Forums » Engineering » Security
Reply Bookmark "User impersonation using Filters/Cookies" Watch "User impersonation using Filters/Cookies" New topic
Author

User impersonation using Filters/Cookies

Brian Quinn
Ranch Hand

Joined: Dec 23, 2003
Posts: 32
posted private message
0
Quote
Building an application in Flex/Java that requires a super user to be able to impersonate another user. We did this by having a spring controller write a cookie with target user's id. Then app reloads. A filter is on the app that looks for cookie and build a principal off that user id if it finds the cookie, or it builds a prinicipal based on Cleartrust headers. It then sticks Principal on session and in a thread local so java service layer can find it. However we are seeing that as the app reloads, it starts with the intended impersonated user id, but then it changes over to the super user's id. I was wondering if there were some ideas better than the cookie/filter way to maybe implement this feature.
 
 
subject: User impersonation using Filters/Cookies
 
Threads others viewed
Set user principal in a filter
Hard-to-guess Cookie values
Accidental session hijacking...maybe caused by Session Bean?
ClassCastException when using NTLM Authentication with struts
confused about security constraints and loginning in
MyEclipse, The Clear Choice