Message-Id: <0D1344AA-479E-4A27-B8F7-24F732C456DE@fastmail.fm>
From: Jeremy Haile
To: jsecurity-user@incubator.apache.org
In-Reply-To: <181042e30812150157v4575d2f7h584707fb77c88bf5@mail.gmail.com>
Subject: Re: super user
Date: Mon, 15 Dec 2008 09:18:30 -0500
References: <181042e30812150157v4575d2f7h584707fb77c88bf5@mail.gmail.com>

Animesh,

You can definitely support super user authentication with JSecurity - we do this in our application.

The way we do it is by having our realm accept multiple types of tokens - a regular UsernamePasswordToken and also a SuperUserToken. The SuperUserToken contains an additional field called "runAsUser" (in other words, it has a username, password, and a "run as username" property). The realm will then authenticate the normal username and password, but return the principal of the "run as user". Since our realm extends from AuthorizingRealm, it simply returns an instance of SimpleAuthenticationInfo that contains the principal of the "run as user" but the credentials of the user who is authenticating.

Since this is potentially a very dangerous feature, we only enable it for accounts that have the admin flag set on them and ensure that the password for this account is very secure, limited, and changed on a regular basis. This functionality is also only available from a secret URL that we don't link to in any way.
Here's an excerpt code snippet from our codebase:

    // Look up the account that is actually presenting credentials.
    User user = userManager.getActiveUserByEmail( organizationId, token.getUsername() );
    if( user == null ) {
        throw new UnknownAccountException( "No user account found for [" + token.getUsername()
            + "] for org ID [" + organizationId + "]" );
    }

    if( token instanceof SuperUserToken ) {
        // Only accounts flagged as admin may run as someone else.
        if( !user.isAdmin() ) {
            final String message = "Attempt to login as superuser by non-admin account: ["
                + token.getUsername() + "]";
            log.error( message );
            throw new UnauthorizedException( message );
        }

        // Resolve the account to impersonate.
        Contact runAsContact = contactManager.getContactByEmail( ((SuperUserToken) token).getRunAsEmail() );
        if( runAsContact == null ) {
            throw new UnknownAccountException( "No user found with email ["
                + ((SuperUserToken) token).getRunAsEmail() + "]" );
        }

        // Principal of the run-as user, credentials of the admin who is logging in:
        // the credentials matcher verifies the admin's password, and the resulting
        // Subject is the run-as user.
        UserPrincipal runAsPrincipal = new UserPrincipal( runAsContact.getUser().getId(), runAsContact.getId() );
        return new SimpleAuthenticationInfo( runAsPrincipal, user.getEncryptedPassword(), getName() );
    } else {
        // Do regular authentication here...
    }

Let me know if you have any questions or problems with this approach.

Jeremy Haile

On Dec 15, 2008, at 4:57 AM, Animesh Jain wrote:

> Hi
>
> Is there some way to create a super user sort of entity which can
> authenticate itself as any subject it wants. It probably is not
> desired to have such functionality but I'm wondering if there's some
> way to achieve that if needed.
>
> Kind regards
> Animesh
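The following is an added, self-contained example of the pattern Jeremy describes (a SuperUserToken subclass of UsernamePasswordToken, and an AuthorizingRealm that returns the run-as principal together with the authenticating admin's credentials). It is not code from the original message or from the JSecurity project. The package names follow the JSecurity 0.9 API (org.jsecurity.*); the SuperUserToken, ImpersonatingRealm and Account classes, the in-memory account store, the usernames and passwords, and the choice of an unsalted SHA-256 credentials matcher are all assumptions made for this example. It calls the realm's public getAuthenticationInfo() directly so that the credentials-matching step is exercised without configuring a SecurityManager.

```java
import java.util.HashMap;
import java.util.Map;

import org.jsecurity.authc.AuthenticationException;
import org.jsecurity.authc.AuthenticationInfo;
import org.jsecurity.authc.AuthenticationToken;
import org.jsecurity.authc.SimpleAuthenticationInfo;
import org.jsecurity.authc.UnknownAccountException;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.authc.credential.Sha256CredentialsMatcher;
import org.jsecurity.authz.AuthorizationInfo;
import org.jsecurity.authz.SimpleAuthorizationInfo;
import org.jsecurity.authz.UnauthorizedException;
import org.jsecurity.crypto.hash.Sha256Hash;
import org.jsecurity.realm.AuthorizingRealm;
import org.jsecurity.subject.PrincipalCollection;

/** "Log in as admin, act as someone else." Assumed class for this example, not part of JSecurity. */
class SuperUserToken extends UsernamePasswordToken {
    private final String runAsUsername;

    SuperUserToken(String adminUsername, String adminPassword, String runAsUsername) {
        super(adminUsername, adminPassword);
        this.runAsUsername = runAsUsername;
    }

    String getRunAsUsername() { return runAsUsername; }
}

/** Minimal account record for the constructed in-memory store below. */
class Account {
    final String username;
    final String passwordHashHex;   // hex SHA-256 of the password, unsalted (demo only)
    final boolean admin;

    Account(String username, String password, boolean admin) {
        this.username = username;
        this.passwordHashHex = new Sha256Hash(password).toHex();
        this.admin = admin;
    }
}

class ImpersonatingRealm extends AuthorizingRealm {
    private final Map<String, Account> accounts = new HashMap<String, Account>();

    ImpersonatingRealm() {
        setName("impersonating");
        // Stored credentials are hex SHA-256 digests, so compare them as such.
        setCredentialsMatcher(new Sha256CredentialsMatcher());
        // Constructed sample accounts (assumed names and passwords).
        accounts.put("root", new Account("root", "Tr0ub4dor&3-rotate-me", true));
        accounts.put("alice", new Account("alice", "alice-pw", false));
        accounts.put("bob", new Account("bob", "bob-pw", false));
    }

    // SuperUserToken extends UsernamePasswordToken, so the realm's default supports() accepts it.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upt = (UsernamePasswordToken) token;
        Account account = accounts.get(upt.getUsername());
        if (account == null) {
            throw new UnknownAccountException("No account for [" + upt.getUsername() + "]");
        }
        if (token instanceof SuperUserToken) {
            String runAs = ((SuperUserToken) token).getRunAsUsername();
            if (!account.admin) {
                // Refuse before resolving the target, so a non-admin cannot probe usernames.
                throw new UnauthorizedException(
                        "Superuser login attempted by non-admin [" + account.username + "]");
            }
            Account target = accounts.get(runAs);
            if (target == null) {
                throw new UnknownAccountException("No account for run-as user [" + runAs + "]");
            }
            // Principal of the target, credentials of the admin: the matcher checks the
            // admin's password, and the authenticated Subject becomes the target.
            return new SimpleAuthenticationInfo(target.username, account.passwordHashHex, getName());
        }
        return new SimpleAuthenticationInfo(account.username, account.passwordHashHex, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Authorization is keyed on the (possibly run-as) principal; nothing extra is needed here.
        return new SimpleAuthorizationInfo();
    }
}

public class SuperUserExample {
    public static void main(String[] args) {
        ImpersonatingRealm realm = new ImpersonatingRealm();

        // Admin presents the admin password but the resulting principal is "alice".
        AuthenticationInfo info = realm.getAuthenticationInfo(
                new SuperUserToken("root", "Tr0ub4dor&3-rotate-me", "alice"));
        System.out.println("authenticated as: " + info.getPrincipals().getPrimaryPrincipal());

        // Wrong admin password: the credentials matcher rejects it, so no impersonation happens.
        try {
            realm.getAuthenticationInfo(new SuperUserToken("root", "wrong", "alice"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }

        // A non-admin attempting the same thing is refused before the target is looked up.
        try {
            realm.getAuthenticationInfo(new SuperUserToken("bob", "bob-pw", "alice"));
        } catch (UnauthorizedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points worth keeping in mind with this shape. First, the AuthenticationInfo that comes out carries only the run-as principal, so nothing downstream can tell that "alice" is really the admin; log the admin username and the run-as username at the point of the successful impersonation, not just the failure case, or you lose the audit trail. Second, the check that actually protects the feature is the admin flag test inside the realm; an unlinked URL is not an access control, and the realm should reject a SuperUserToken from a non-admin regardless of where the request came from.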