I find the recommended way to do this in Spring Security is domain access control lists, see GrantedAuthoritySid @
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/domain-acls.html
However, impersonating another user is more than just having a "delegate id", you should also consider the consequences of registering:
- Do you want your logging to display as "Original User" or "Advanced User" (or both)?
- Do you want the "impersonation" to show only what the user-personal user sees, or a subset of the permissions of the Original user and the personified user?
Another possibility is to create a "log in" function, which will significantly change the main identifier of the current session - or start a new session with the personified identifier.
In all of the above, you can inadvertently open up a security problem, which is why I believe functions with a personalized style are not the usual place. Rather, it is developing a trend towards role-based access control (RBAC) or attribute-based access control (ABAC). Using RBAC / ABAC, you can create a delegate style function where you create delegate attributes / roles, and in special cases when you need to show the source / purpose of delegation (for example, for audit logs), you treat them as corner cases.
Al baker
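One way to model the delegate-role approach with an audit trail that names both parties, as an added example (not part of the original answer and not Spring Security API). The record names, permission strings and the policy of intersecting the delegator's permissions with an explicit scope are assumptions chosen for illustration:

```java
import java.util.*;

// Added illustration: Principal, Delegation and AuditEvent are hypothetical names.
public class DelegationDemo {
    record Principal(String name, Set<String> permissions) {}

    // A delegation hands a named scope of the delegator's permissions to a delegate.
    record Delegation(Principal delegator, Principal delegate, Set<String> scope) {
        // Effective permissions: the delegator's permissions intersected with the scope.
        // The delegate never gains anything the delegator does not hold.
        Set<String> effective() {
            Set<String> p = new TreeSet<>(delegator.permissions());
            p.retainAll(scope);
            return p;
        }
    }

    // The audit record keeps both identities, so a log line never hides who acted.
    record AuditEvent(String actor, String onBehalfOf, String action, boolean allowed) {}

    static final List<AuditEvent> AUDIT = new ArrayList<>();

    // Decide the action under the delegation and record the decision either way.
    static boolean perform(Delegation d, String action) {
        boolean allowed = d.effective().contains(action);
        AUDIT.add(new AuditEvent(d.delegate().name(), d.delegator().name(), action, allowed));
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Principal alice = new Principal("alice", Set.of("invoice:read", "invoice:approve"));
        Principal bob = new Principal("bob", Set.of("invoice:read"));
        Delegation d = new Delegation(alice, bob, Set.of("invoice:approve", "payroll:read"));

        perform(d, "invoice:approve"); // allowed: alice holds it and delegated it
        perform(d, "payroll:read");    // denied: in scope, but alice does not hold it
        perform(d, "invoice:read");    // denied: alice holds it but did not delegate it
        AUDIT.forEach(System.out::println);
    }
}
```

Records require Java 16 or later. Denied attempts are written to the audit list as well, since a refused delegated action is often the more interesting event to review.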