Re: [grails-user] JSecurity- Logging in a user without knowing the users password


pledbrook
> Daniel, did you succeed? What did you do?
>
> Peter, I hope your offer is valid for me, too? ;-)

Sure :) But...

> From the aforementioned mail discussion, I liked Les' approach with
> the wrapper for the Subject interface.
> To cut it short: You store a second principal in the session and if
> that is set, return it instead of the original one.
>
> I think this code snippet should already do the trick:
>
> class AssumingDelegatingSubject extends DelegatingSubject {
>    public Object getPrincipal() {
>        return this.session?.assumedIdentity ?: super.getPrincipal()
>    }
> }
>
> After looking through JSecurity API and plugin code for quite a while
> now, I still have no idea where to put this little class and what else
> to change, so that it will be picked up and used instead of the
> default class (I think that's DelegatingSubject).

I don't know, sorry. So, I'm cc'ing this to the JSecurity users list
and from any answer we get from there, I should be able to work out
how to do it with the plugin.

Cheers,

Peter

Les Hazlewood-2
I posted the answer on the Grails user list directly, but for those on
this list who also might be interested:

Yep, the DelegatingSubject just delegates its calls to the
SecurityManager under the hood.  You would need to create a subclass
of DelegatingSubject that checks the assumed identity before calling
super, exactly as you have outlined.

The SecurityManager implementation would need to be subclassed to
return instances of your custom DelegatingSubject subclass.  You do
that by overriding this overloaded method:

http://www.jsecurity.org/api/org/jsecurity/mgt/DefaultSecurityManager.html#createSubject(org.jsecurity.subject.PrincipalCollection,%20org.jsecurity.session.Session,%20boolean,%20java.net.InetAddress)

Your overridden method would return an instance of your custom
DelegatingSubject subclass.

I hope that helps, and sorry for the confusion - this will be built in
to the next version of JSecurity as a core feature so you won't need
to worry about subclassing or anything else like that.

Regards,

Les

On Mon, Jan 12, 2009 at 10:45 AM, Peter Ledbrook <[hidden email]> wrote:

>> Daniel, did you succeed? What did you do?
>>
>> Peter, I hope your offer is valid for me, too? ;-)
>
> Sure :) But...
>
>> From the aforementioned mail discussion, I liked Les' approach with
>> the wrapper for the Subject interface.
>> To cut it short: You store a second principal in the session and if
>> that is set, return it instead of the original one.
>>
>> I think this code snippet should already do the trick:
>>
>> class AssumingDelegatingSubject extends DelegatingSubject {
>>    public Object getPrincipal() {
>>        return this.session?.assumedIdentity ?: super.getPrincipal()
>>    }
>> }
>>
>> After looking through JSecurity API and plugin code for quite a while
>> now, I still have no idea where to put this little class and what else
>> to change, so that it will be picked up and used instead of the
>> default class (I think that's DelegatingSubject).
>
> I don't know, sorry. So, I'm cc'ing this to the JSecurity users list
> and from any answer we get from there, I should be able to work out
> how to do it with the plugin.
>
> Cheers,
>
> Peter
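The wiring described in this thread, as an added example that is not code from the posters or from JSecurity: the Subject subclass, the SecurityManager subclass that returns it from `createSubject`, and a guarded way to set the session attribute. The five-argument `DelegatingSubject` constructor is assumed to match the JSecurity release in use; `AssumingSecurityManager`, `IdentityAssumption`, the `realIdentity` key and the `user:assume` permission are hypothetical names.

```groovy
import org.jsecurity.mgt.DefaultSecurityManager
import org.jsecurity.mgt.SecurityManager
import org.jsecurity.session.Session
import org.jsecurity.subject.DelegatingSubject
import org.jsecurity.subject.PrincipalCollection
import org.jsecurity.subject.Subject

class AssumingDelegatingSubject extends DelegatingSubject {
    static final String ASSUMED_KEY = 'assumedIdentity'

    // Assumption: this constructor signature matches your JSecurity version.
    AssumingDelegatingSubject(PrincipalCollection principals, boolean authenticated,
                              InetAddress inetAddress, Session session,
                              SecurityManager securityManager) {
        super(principals, authenticated, inetAddress, session, securityManager)
    }

    Object getPrincipal() {
        // getSession(false): do not create a session just to look for an assumed identity.
        def assumed = getSession(false)?.getAttribute(ASSUMED_KEY)
        // Only getPrincipal() changes, as in the thread's snippet. Check how your
        // version resolves principals for role and permission checks before
        // relying on this for authorization.
        assumed ?: super.getPrincipal()
    }
}

class AssumingSecurityManager extends DefaultSecurityManager {
    // The overloaded method linked in the reply above.
    protected Subject createSubject(PrincipalCollection principals, Session existing,
                                    boolean authenticated, InetAddress inetAddress) {
        new AssumingDelegatingSubject(principals, authenticated, inetAddress, existing, this)
    }
}

class IdentityAssumption {
    // Hypothetical helper: the only place that writes the attribute.
    static void assume(Subject current, Object targetPrincipal) {
        current.checkPermission('user:assume')          // throws if not permitted
        def session = current.session
        session.setAttribute('realIdentity', current.principal)  // keep for audit
        session.setAttribute(AssumingDelegatingSubject.ASSUMED_KEY, targetPrincipal)
    }

    static void release(Subject current) {
        current.getSession(false)?.removeAttribute(AssumingDelegatingSubject.ASSUMED_KEY)
    }
}
```

Keeping every write to the `assumedIdentity` attribute behind one permission-checked helper means no request parameter or other code path can set it, and the stored real principal gives audit logs something to record alongside the assumed one.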