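/**
 * Switches the current session to the given user (Spring Security "switch user").
 * <p>
 * The target user is first looked up through the {@code userDetailsService}; when it is
 * unknown or carries no authority a warning notification is shown and nothing else happens.
 * Otherwise the browser is sent to the switch-user URL with the username as query parameter.
 *
 * @param username the username to take on; must not be blank
 * @throws IllegalArgumentException if {@code username} is blank (via {@link Assert#hasText})
 */
public void switchToUser(String username) {
    Assert.hasText(username, applicationContext.getMessage("assert.hasText", null, UI.getCurrent().getLocale()));
    /* Check that the user exists and has at least one authority */
    try {
        UserDetails details = userDetailsService.loadUserByUsername(username);
        if (details == null || details.getAuthorities() == null || details.getAuthorities().isEmpty()) {
            notifyUsernameNotFound(username);
            return;
        }
    } catch (UsernameNotFoundException unfe) {
        notifyUsernameNotFound(username);
        return;
    }
    /* The username is user-supplied: encode it so that reserved characters ('&', '#', '%', ...)
       cannot alter the query string of the switch request. */
    String encodedUsername;
    try {
        encodedUsername = java.net.URLEncoder.encode(username, java.nio.charset.StandardCharsets.UTF_8.name());
    } catch (java.io.UnsupportedEncodingException e) {
        /* UTF-8 is a mandatory charset on every JVM, so this branch is unreachable */
        throw new IllegalStateException(e);
    }
    String switchToUserUrl = MethodUtils.formatSecurityPath(loadBalancingController.getApplicationPath(false), ConstanteUtils.SECURITY_SWITCH_PATH)
            + "?" + SwitchUserFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY + "=" + encodedUsername;
    Page.getCurrent().open(switchToUserUrl, null);
}

/**
 * Shows the localized "username not found" warning for {@code username}.
 *
 * @param username the username that could not be resolved
 */
private void notifyUsernameNotFound(String username) {
    Notification.show(applicationContext.getMessage("admin.switchUser.usernameNotFound", new Object[] { username }, UI.getCurrent().getLocale()), Notification.Type.WARNING_MESSAGE);
}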
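/**
 * Configures the CAS-based HTTP security chain: entry point, URL authorization rules,
 * single-sign-out, logout, CAS authentication and the switch-user filter.
 * <p>
 * Matchers are evaluated in declaration order and the first match wins, so the switch-user
 * paths are declared before the catch-all {@code "/**"}; declared after it, the admin-only
 * rule would never be reached and the switch path would be open to everyone.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 * @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity)
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling()
            .authenticationEntryPoint(casEntryPoint())
            .and()
            .authorizeRequests()
            /* Most specific rules first: taking another user's role is reserved to admins,
               switching back to the previous role is reserved to a switched admin. */
            .antMatchers(ConstanteUtils.SECURITY_SWITCH_PATH).hasAuthority(NomenclatureUtils.DROIT_PROFIL_ADMIN)
            .antMatchers(ConstanteUtils.SECURITY_SWITCH_BACK_PATH).hasAuthority(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR)
            .antMatchers(ConstanteUtils.SECURITY_CONNECT_PATH + "/**").authenticated()
            .antMatchers("/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .addFilterBefore(singleSignOutFilter(), LogoutFilter.class)
            .addFilter(new LogoutFilter(casUrl + ConstanteUtils.SECURITY_LOGOUT_PATH, new SecurityContextLogoutHandler()))
            .addFilter(casAuthenticationFilter())
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class)
            /* Spring Security's Cross-Site Request Forgery protection is disabled:
               Vaadin implements its own protection */
            .csrf().disable()
            .headers()
            /* Allow the application to be displayed in an iFrame */
            .frameOptions().disable()
            /* Remove browser cache management to work around the IE font-loading bug, see
               http://stackoverflow.com/questions/7748140/font-face-eot-not-loading-over-https */
            .cacheControl().disable();
}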
/**
 * Declares the REST/UI authorization rules, enables HTTP Basic and appends the
 * context-value filter after the switch-user filter.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void doConfigure(HttpSecurity http) throws Exception {
    final String restPattern = REST_API_URL_PREFIX + "/**";
    final String pingUrl = url(REST_API_URL_PREFIX, PING_SUFFIX);

    // Matchers are evaluated in declaration order: the first match wins.
    http.authorizeRequests()
            // OPTIONS requests against the REST API are open
            .antMatchers(HttpMethod.OPTIONS, restPattern).permitAll()
            // The REST ping service is temporarily authenticated (see PIVOT-3149)
            .antMatchers(pingUrl).hasAnyAuthority(ROLE_USER, ROLE_TECH)
            // Remaining REST services
            .antMatchers(restPattern).hasAnyAuthority(ROLE_USER)
            // Everything else requires a plain user
            .antMatchers("/**").hasAuthority(ROLE_USER);

    // and() only hands the builder back, so continuing on http directly is equivalent
    http.httpBasic();

    // SwitchUserFilter is the last filter in the chain (see FilterComparator),
    // so the context-value filter runs right after it.
    http.addFilterAfter(activePivotConfig.contextValueFilter(), SwitchUserFilter.class);
}
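/**
 * Indicates whether the current user has taken another user's role.
 *
 * @return {@code true} if the current authentication carries the
 *         {@link SwitchUserFilter#ROLE_PREVIOUS_ADMINISTRATOR} authority, which Spring Security
 *         grants only to a session obtained through "switch user"; {@code false} when nobody is
 *         authenticated
 */
public boolean isUserSwitched() {
    Authentication auth = getCurrentAuthentication();
    if (auth == null) {
        return false;
    }
    // anyMatch short-circuits on the first hit; same result as filter + findAny + isPresent
    return auth.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority)
            .anyMatch(Predicate.isEqual(SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR));
}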
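/**
 * Configures HTTP security for the UI: token-header authentication, form login under
 * {@code /ui/}, optional HTTP Basic, and the ACL context filter.
 *
 * @param http the builder to configure
 * @throws Exception propagated from the Spring Security builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String uiPrefix = "/ui/";
    final String loginUrl = uiPrefix + "login.html";
    /* uiPrefix already ends with '/', so sub-paths are appended without a leading slash
       (the former "/token/login" produced the pattern "/ui//token/login"). */
    final String tokenLoginUrl = uiPrefix + "token/login";
    final String logoutUrl = uiPrefix + "logout";

    TokenAuthFilterConfigurer<HttpSecurity> tokenFilterConfigurer = new TokenAuthFilterConfigurer<>(
            new RequestTokenHeaderRequestMatcher(),
            new TokenAuthProvider(tokenValidator, userDetailsService, authProcessor));

    /* NOTE(review): CSRF protection is disabled while form login and a server session are in
       use; confirm this trade-off is intended (the STATELESS session policy left commented
       out below is the usual companion of a header-token scheme). */
    http.csrf().disable()
            .authenticationProvider(provider).userDetailsService(userDetailsService)
            .anonymous().principal(SecurityUtils.USER_ANONYMOUS).and()
            .authorizeRequests()
            .antMatchers(tokenLoginUrl).permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() // allow CORS option calls
            .antMatchers(uiPrefix + "**").authenticated()
            /* NOTE(review): no anyRequest() rule follows, so paths outside the UI prefix are
               not restricted by this configuration — confirm that is intended. */
            .and().headers().cacheControl().disable()
            .and().formLogin().loginPage(loginUrl).permitAll().defaultSuccessUrl(uiPrefix)
            .and().logout().logoutUrl(logoutUrl).logoutSuccessUrl(loginUrl)
            .and().apply(tokenFilterConfigurer);
    // enable after testing
    // .and().sessionManagement()
    //         .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // X-Frame-Options: only same-origin framing is allowed
    http.headers()
            .frameOptions().sameOrigin();

    http.addFilterAfter(new AccessContextFilter(aclContextFactory), SwitchUserFilter.class);

    // HTTP Basic is used in testing and scripts only
    if (basicAuthEnable) {
        http.httpBasic();
    }
}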
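/**
 * Builds the Spring Security "switch user" filter.
 * <p>
 * After a successful switch the user is sent back to the page it came from. The
 * {@code Referer} header is client-supplied, so it is only honoured when it points at the
 * host that served the request (or is a plain absolute path); anything else — missing,
 * malformed, scheme-relative or a foreign host — falls back to {@code "/"} so that the
 * handler cannot be used as an open redirect.
 *
 * @param userDetailsService source of the target user's details
 * @return the configured filter
 */
@Bean
public SwitchUserFilter switchUserFilter(UserDetailsService userDetailsService) {
    SwitchUserFilter suFilter = new SwitchUserFilter();
    suFilter.setUserDetailsService(userDetailsService);
    suFilter.setSuccessHandler((httpServletRequest, httpServletResponse, authentication) ->
            httpServletResponse.sendRedirect(
                    localRedirectTarget(httpServletRequest.getHeader("referer"), httpServletRequest.getServerName())));
    return suFilter;
}

/**
 * Returns {@code referer} when it is a safe redirect target, otherwise {@code "/"}.
 * <p>
 * Accepted: a URL whose host equals {@code requestHost} (case-insensitively), or a plain
 * absolute path ({@code "/..."}) with no scheme and no authority. Rejected: {@code null},
 * input that does not parse as a URI, scheme-relative URLs ({@code "//other.host/..."})
 * and URLs on any other host.
 *
 * @param referer     the raw {@code Referer} header value, may be {@code null}
 * @param requestHost the host name the current request was addressed to, may be {@code null}
 * @return {@code referer} or {@code "/"}
 */
private static String localRedirectTarget(String referer, String requestHost) {
    final String root = "/";
    if (referer == null) {
        return root;
    }
    try {
        java.net.URI target = new java.net.URI(referer);
        String host = target.getHost();
        if (host != null) {
            return host.equalsIgnoreCase(requestHost) ? referer : root;
        }
        // no host: accept only a bare absolute path, never "//host" or "scheme:..."
        boolean plainPath = target.getScheme() == null && target.getRawAuthority() == null
                && referer.startsWith("/") && !referer.startsWith("//");
        return plainPath ? referer : root;
    } catch (java.net.URISyntaxException ignored) {
        // a header that does not parse as a URI is not a usable target
        return root;
    }
}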