While developing an application it's quite useful to be able to quickly log in as different users, with different roles, to see how the application presents itself.

Typing usernames and entering passwords is no fun, and a waste of time. What I'd like to do is:

  • add a page/panel with a list of available usernames;
  • clicking on a username will generate an event for Spring Security which allows it to recognize the user as authenticated, without entering passwords;
  • after clicking the link I am authenticated as the specified user.

N.B.: Passwords are hashed and submitted in plain-text using forms, so encoding the passwords in the links is not an option.

Obviously this feature will only be present at development time.

How can I achieve this?

A: 

As I understand it, you would like to have Spring Security authenticate you automatically if some specific URL is requested (and you would have a link to this URL in your panel/page).

How about writing a custom filter:

public class YourSpecialDevelopmentTimeFilter 
extends AuthenticationProcessingFilter 
implements SyncSecurityFilter
....

that would override:

protected boolean requiresAuthentication(
     HttpServletRequest request, HttpServletResponse response)

and return true depending on some parameters in the request?

Of course another concern is not to have this functionality in the production environments. It is always a risky thing to have a different code base for dev and prod.

Grzegorz Oledzki
+4  A: 

Use InMemoryDaoImpl for development mode. It is very easy to create users and passwords stored in memory:

<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap">
    <value>
      admin=admin,ROLE_ADMIN,ROLE_USER
      user1=user1,ROLE_USER
      user2=user2,ROLE_USER
    </value>
  </property>
</bean>

In development mode, inject this into your authentication provider. In production, replace it with the proper DB or LDAP implementation.

kgiannakakis
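
A guarded form of the development-time login filter discussed in the two answers above, as an added example that is not code from either answer. It assumes Spring Security 3.1 to 5.x on javax.servlet; the class name DevLoginFilter, the /dev-login path, the "as" parameter and the dev.login.enabled system property are hypothetical.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical dev-only filter: /dev-login?as=<username> signs the caller in without a password.
public class DevLoginFilter extends OncePerRequestFilter {
    private final UserDetailsService users; // e.g. the in-memory user map from the answer above
    private final boolean enabled;

    public DevLoginFilter(UserDetailsService users) {
        this.users = users;
        // Fails closed: off unless the JVM is started with -Ddev.login.enabled=true (assumed name).
        this.enabled = Boolean.getBoolean("dev.login.enabled");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        if (!"/dev-login".equals(req.getServletPath())) {
            chain.doFilter(req, res); // every other request is untouched
            return;
        }
        // Disabled, or caller is not on loopback: behave as if the endpoint does not exist.
        String remote = req.getRemoteAddr();
        boolean loopback = "127.0.0.1".equals(remote) || "0:0:0:0:0:0:0:1".equals(remote);
        if (!enabled || !loopback) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            UserDetails user = users.loadUserByUsername(String.valueOf(req.getParameter("as")));
            SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
            logger.warn("DEV LOGIN as " + user.getUsername() + " from " + remote);
            res.sendRedirect(req.getContextPath() + "/");
        } catch (UsernameNotFoundException e) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }
}
```

Register the filter in the security filter chain after the filter that loads and stores the security context, so the new authentication is saved to the session. Behind a local reverse proxy every request appears to come from loopback, so the system property, not the address check, is the control that keeps this out of production.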