views:

107

answers:

3

We have a requirement, wherein the administrative user needs to proxy in as a certain user in an environment where several users (Role: User) are managed by an administrator (Role: Admin).

e.g. If we have the following users in the database (admin, user1, user2, user3), we would want the admin to proxy as 'user2' and use the system in certain scenarios. Authentication in our web application is based on username / password credentials; what mechanisms are available for the admin to proxy as 'user2' when he doesn't have the password for 'user2'? How can the application track such access for audit purposes, to record that 'admin' had proxied for 'user2' and performed certain actions?

I am looking for suggestions on supporting this in our j2ee (jboss seam) web application.

+2  A: 

You could implement a custom authentication method, which first checks user_name/user_pw; if this fails, it checks user_name/admin_pw, so using the admin's password would allow logging in as any user.

15.3.2. Writing an authentication method

stacker
I don't store the admin_pw in clear text, it is present as an MD5 hash so I won't be able to make the user_name/admin_pw check.
Samuel
Then you still could calculate the MD5 from the given password before doing the lookup.
stacker
A: 

The way I go about doing this usually involves keeping two identities around, I call them the logical and physical. The logical identity is used for authorization checks, the physical is the actual identity (the user sitting behind the keyboard). In normal scenarios the logical identity = physical identity, but to allow a user (usually an admin) to "act as" another user, you can then change the logical identity to that of the target user. This way the application behaves according to the logical user, but you always keep track of who is actually sitting behind the computer with the physical user. Hope that helps.

jtougas
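The logical/physical split described above, as an added example that is not part of the original answer; it is plain Java (16+ for records) rather than Seam code, and the class and method names are assumed for illustration:

```java
import java.util.*;

// Added illustration of the two-identity pattern; not Seam code, names are assumed.
public final class ProxySession {
    public record Identity(String name, Set<String> roles) {}

    private final Identity physical;   // who is really at the keyboard; never changes
    private Identity logical;          // whose rights the application applies
    private final List<String> audit = new ArrayList<>();

    public ProxySession(Identity authenticated) {
        this.physical = authenticated;
        this.logical = authenticated;
    }

    /** Switch the logical identity; only the physical identity's roles decide whether this is allowed. */
    public void actAs(Identity target) {
        if (!physical.roles().contains("admin")) {
            throw new SecurityException(physical.name() + " may not proxy as " + target.name());
        }
        logical = target;
        audit.add("PROXY_START physical=" + physical.name() + " logical=" + target.name());
    }

    public void endActAs() {
        audit.add("PROXY_END physical=" + physical.name() + " logical=" + logical.name());
        logical = physical;
    }

    /** Authorization uses the logical identity; the audit line always names the physical one as well. */
    public boolean perform(String action, String requiredRole) {
        boolean allowed = logical.roles().contains(requiredRole);
        String via = (logical == physical) ? "" : " proxiedBy=" + physical.name();
        audit.add((allowed ? "ALLOW " : "DENY ") + action + " user=" + logical.name() + via);
        return allowed;
    }

    public List<String> auditTrail() { return List.copyOf(audit); }

    public static void main(String[] args) {
        Identity admin = new Identity("admin", Set.of("admin", "user"));
        Identity user2 = new Identity("user2", Set.of("user", "reports"));
        ProxySession s = new ProxySession(admin);
        s.perform("viewReports", "reports");   // DENY: admin itself lacks the 'reports' role
        s.actAs(user2);                        // no user2 password involved
        s.perform("viewReports", "reports");   // ALLOW viewReports user=user2 proxiedBy=admin
        s.endActAs();
        s.auditTrail().forEach(System.out::println);
    }
}
```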
+1  A: 

You can create a custom registerAdminAsUser() method.

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

@Name("authenticationProxy")
public class AuthenticationProxy {

    @In
    private Identity identity;

    /**
     * Starting with Seam 2.1+, you should use Credentials instead of Identity
     * to collect your username and password.
     *
     * Your JSF form should look like:
     *
     * <h:inputText value="#{credentials.username}"/>
     * <h:inputSecret value="#{credentials.password}"/>
     */
    @In
    private Credentials credentials;

    public String registerAdminAsUser2() {

        // Replace the current username with user2 without re-authenticating
        identity.getCredentials().setUsername("user2");

        /*
         * Here you should provide any role which should be assigned to User2
         */
        identity.addRole("<A_ROLE>");
        identity.addRole("<OTHER_ROLE>");
        identity.addRole("<ANOTHER_ROLE>");

        /*
         * Do not call the login method because it will call the authenticate one,
         * and you do not have User2's password
         */
        // identity.login();

        return "loggedIn";
    }

    /*
     * Be aware you may need an unregisterAdminAsUser2 method
     * to restore the admin's own username and roles
     */

}

And to enable your proxy, create a commandButton

<h:commandButton value="register Admin as User2" action="#{authenticationProxy.registerAdminAsUser2}" rendered="#{credentials.username == 'admin'}"/>

To use some JSF component, do as follows

<h:commandLink rendered="#{s:hasRole('<ANY_ROLE_ASSIGNED_TO_USER2_GOES_HERE>')}"/>

I hope it can be useful to you!

Arthur Ronald F D Garcia
Thanks. We are trying to mimic logging in as user2 here; would it be possible to add user2-specific roles to this new identity? If so, we don't need any rendered checks which do something for 'user2'.
Samuel
Would 'proxiedByAdmin' be a dummy password or the real password of the admin?
Samuel
@Samuel Would it be possible to add user2-specific roles to this new identity? Yes, I will update the answer.
Arthur Ronald F D Garcia