Enhance customer support using the SwitchUser feature of Spring Security

Within the Java community the Spring Security Framework (aka Acegi Security) is used widely. Although the configuration is very hard to learn, once you get the hang of it, it is a very powerful and flexible security mechanism. It helps secure your web application, but can it also help you provide extra functionality for Customer Support? The answer is YES!

A lot of calls coming in to a Customer Support department are about pages not showing, menu items not visible, errors occurring, etc. The problem is always being able to reproduce these errors, especially because they are very often related to the user's data and privileges.

So ultimately, we would like to see what the user is seeing and experiencing. With Acegi, this is possible using the switch user filter.

To be able to use it, the following configuration can be used:

1. Configure the filter chain to use the SwitchUserProcessingFilter:

<!-- ======================== FILTER CHAIN ======================= -->


Important is to place the switchUserProcessingFilter after the filterInvocationInterceptor, because otherwise every user will be able to switch roles. It is the filterInvocationInterceptor that applies the role requirements to the URLs and accepts or denies access, so the switch URL is only protected if that check runs before the switch filter.

2. Now define the bean for the SwitchUserProcessingFilter, where you can configure which URL you want it to respond to and which URL you want to use to switch back to yourself (the exitUserUrl).


3. To make sure the URL you configured to enable the switch user functionality is only accessible to the customer service accounts, assign a role to that URL in the filterInvocationFilter.



4. You can create a page for customer support that lists all users, or a search page to find a user, and create a link to log in as that user. You can do this as follows: http://localhost:8080/helpdesk_switch_user?j_username=abraham.lincoln. After the switch, the SecurityContext contains a value holding the original user. This value is named SWITCH_USER_GRANTED_AUTHORITY and is accessible using the SecurityContextHolder.

Once this value is available, you will want to add a link to the menu to be able to get back to the customer service user, using the configured exit URL.
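As an added example (not code from the original post or from Acegi itself), here is a helper that menu or JSP code can call to implement step 4: it looks for the SwitchUserGrantedAuthority that the filter places in the SecurityContext, recovers the original helpdesk login for the exit link, and, as a precaution, refuses write actions while switched. It assumes an Acegi 1.0.x classpath; the class name SwitchUserSupport, its methods and the exit URL /helpdesk_exit_user are this example's own choices, not names from the post.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.ui.switchuser.SwitchUserGrantedAuthority;

// Example helper (not part of Acegi) for menu/JSP code: detects a switched session,
// names the original helpdesk user for the "exit" link, and refuses write actions.
public final class SwitchUserSupport {

    // Must match the exitUserUrl property of the SwitchUserProcessingFilter bean (assumed value).
    public static final String EXIT_USER_URL = "/helpdesk_exit_user";
    // The authority Acegi adds to the customer's Authentication on switch; null if not switched.
    public static SwitchUserGrantedAuthority findSwitchAuthority() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return null;
        }
        GrantedAuthority[] authorities = auth.getAuthorities(); // Acegi 1.0.x returns an array
        for (int i = 0; i < authorities.length; i++) {
            if (authorities[i] instanceof SwitchUserGrantedAuthority) {
                return (SwitchUserGrantedAuthority) authorities[i];
            }
        }
        return null;
    }

    public static boolean isSwitched() {
        return findSwitchAuthority() != null;
    }

    // Login name of the helpdesk user who performed the switch (kept as the authority's source).
    public static String originalUserName() {
        SwitchUserGrantedAuthority sw = findSwitchAuthority();
        return sw == null ? null : sw.getSource().getName();
    }

    // Menu fragment: the exit link is rendered only while switched, so customers never see it.
    public static String exitLinkHtml() {
        String original = originalUserName();
        return original == null ? "" : "<a href=\"" + EXIT_USER_URL + "\">Back to " + original + "</a>";
    }

    // Call before save/delete/payment actions: while switched, every action runs as the
    // customer, so helpdesk staff should get read and reporting access only.
    public static void assertNotSwitchedForWrite(String action) {
        if (isSwitched()) {
            throw new IllegalStateException("Refusing '" + action + "' while switched into a customer account");
        }
    }
}
```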

This is all you need to do. Of course you need to be sure the role is only assigned to people you want to be able to log in as other users. At least Acegi Security enables you to easily add functionality that can help your Customer Service department understand the user's issue and create a better report for the developer describing the steps to reproduce it. So in the end you win back the investment of adding this functionality.



3 thoughts on “Enhance customer support using the SwitchUser feature of Spring Security”

  1. One important thing I failed to mention is that this feature should be used carefully. Since you are actually changing to the user's context, every action has effect on the customer. So it is best to check for the SWITCH_USER_GRANTED_AUTHORITY value and only give read and reporting access unless you are really sure nothing can and will be ruined.
    Also a very clear instruction to the customer service department will help to prevent issues with your customers' data.

    Note also that in version 1.0.7 the SWITCH_USER_GRANTED_AUTHORITY variable is renamed.
