Home/ Questions/Q 8749297
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T12:40:17+00:00

I have a <password-encoder> and CustomDetailService refered in AuthenticationManager. I added the following bean

  • 0

I have a <password-encoder> and CustomDetailService refered in AuthenticationManager. I added the following bean in spring-security after all the other security filters (concurrency, customLogoutFilter, etc.,) and <http auto-config="false" ..>:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org
      /2001/XMLSchema-instance"
xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<!-- Disable annotation-based method security -->
<global-method-security secured-annotations="disabled" />

<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

<!-- Service that provides user credentials for use by the authentication provider -->
<beans:bean id="customDetailService" class="xxx.security.CustomDetailService" />

<!-- Assign the user details service to the default authentication provider -->
<beans:bean class="xxx.security.XyzPasswordEncoder" id="passwordEncoder" />

<!-- Get an alias to the default authentication manager -->
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="customDetailService">
        <password-encoder ref="passwordEncoder" />
    </authentication-provider>
</authentication-manager>

<!-- Register an exception filter that takes an entry point -->
<beans:bean id="exceptionTranslationFilter"
    class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
    <beans:property name="accessDeniedHandler" ref="accessDeniedHandler" />
</beans:bean>
<beans:bean id="authenticationEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/public/auth/login.htmlx" />
</beans:bean>
<beans:bean id="accessDeniedHandler"
    class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <beans:property name="errorPage" value="/error/access-denied.jsp" />
</beans:bean>

<!-- Register a custom authentication filter and register success/failure 
    handlers -->
<beans:bean id="customAuthenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="sessionAuthenticationStrategy"
        ref="concurrentSessionControlStrategy" />
    <beans:property name="authenticationSuccessHandler"
        ref="loginSuccessHandler" />
    <beans:property name="authenticationFailureHandler"
        ref="loginFailureHandler" />
</beans:bean>

<beans:bean id="concurrentSessionControlStrategy"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry"
        ref="sessionRegistry" />
</beans:bean>
<beans:bean id="loginSuccessHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/LoginSuccess" />
</beans:bean>
<beans:bean id="loginFailureHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/LoginFailed" />
</beans:bean>

<!-- Register a custom logout filter -->
<beans:bean id="customLogoutFilter" class="xxx.security.LogoutFilterWrapper">
    <beans:property name="logoutSuccessfulUrl" value="/public/auth/login.htmlx" />
    <beans:property name="logoutSuccessfulUrlAdmin" value="/public/auth/admlogin.htmlx" />
    <beans:property name="logoutSuccessfulUrlInactivity"
        value="/public/auth/timedout.htmlx" />
</beans:bean>

<!-- Register a concurrent session filter. This will limit the number of 
    sessions a user can have -->
<beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl"
        value="/public/error/multi-login-not-supported.htmlx" />
</beans:bean>

<!-- Register a filter to log in as a different user -->    
<beans:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
    <beans:property name="userDetailsService" ref="customDetailService" />
    <beans:property name="switchUserUrl" value="/j_spring_security_switch_user" />
    <beans:property name="exitUserUrl" value="/j_spring_security_exit_user" />
    <beans:property name="targetUrl" value="/" />
</beans:bean>


<http auto-config="false" entry-point-ref="authenticationEntryPoint">

    <custom-filter position="FORM_LOGIN_FILTER" ref="customAuthenticationFilter" />
    <custom-filter position="LOGOUT_FILTER" ref="customLogoutFilter" />
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />

            <session-management session-fixation-protection="none" />

    <!-- Configure the filter security interceptor. URL patterns default to 
        Apache Ant path syntax -->
    <intercept-url pattern="/**/xyz_product*" access="ROLE_XYZ_PRODUCT" />
    <intercept-url pattern="/root/user/index.htmlx" access="ROLE_XYZ_PRODUCT" />

    <!-- Allow unrestrictricted access to assets -->
    <intercept-url pattern="/assets/**" filters="none" />

    <!-- Allow unrestrictricted access to public areas -->
    <intercept-url pattern="/public/**" filters="none" />

    <!-- Allow unrestrictricted access to generated resources -->
    <intercept-url pattern="/faces/**" filters="none" />

    <!-- Enforce role-based access for login success servlet -->
    <intercept-url pattern="/LoginSuccess"
        access="ROLE_RESTRICTED,ROLE_ADMIN,ROLE_ADMIN_APP,ROLE_PHYSICIAN,ROLE_NURSE" />

    <!-- Enforce role-based access for user area -->
    <intercept-url pattern="/root/user/**" access="ROLE_PHYSICIAN,ROLE_NURSE" />

    <!-- Enforce role-based access for admin area -->
    <intercept-url pattern="/root/admin/*" access="ROLE_ADMIN,ROLE_ADMIN_APP" />

    <intercept-url pattern="/root/admin/user/**" access="ROLE_ADMIN,ROLE_ADMIN_APP" />


    // ommitted ...

     </http>

    </beans:beans>

Here’s my facelets page:

<h:form>
    <h:inputText id="j_username" value="" styleClass="textInput" size="50"/>    
    <p>Click <h:commandLink value="here" action="/j_spring_security_switch_user"/> to switch to 
        user </p>
</h:form>

Error in the logs:

org.springframework.security.web.access.intercept.FilterSecurityInterceptor
– RunAsManager did not change Authentication object

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I was able to fix this. The problem was with my jsf page not sending j_username to SwitchUserFilter when I bind the jsf action to ‘/j_spring_security_switch_user’. However, a passthrough through a controller binding works.

    I blogged my experience here:

    http://www.reverttoconsole.com/blog/spring/switch-user-su-like-behavior-in-spring/

    • 0