Enhance customer support using the SwitchUser feature of Spring Security

Within the Java community the Spring Security Framework (aka Acegi Security) is used widely. Although the configuration is very hard to learn, once you get the hang of it, it is a very powerful and flexible security mechanism. It helps securing your web application, but can it help you to provide extra functionality for Customer Support? The answer is YES!

A lot off calls coming in to a Customer Support department are about pages not showing, menu items not visible, error occuring etc. The problem is always to be able to reproduce these errors, especially, because they are very often related to the user data and priviliges.

So ultimately, we would like to see what the user is seeing and experiencing. With Acegi, this is possible, using the switch user filter.

To be able to use it the following configuration can be used:

1. Configure the filter chain to use the SwitchUserProcessingFilter:

 !– ======================== FILTER CHAIN ======================= –>


	
		CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
		PATTERN_TYPE_APACHE_ANT
		/images/**=#NONE#
		/scripts/**=#NONE#
		/styles/**=#NONE#
	/**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter
	


Important is to place the switchUserProcessingFilter after the filterInvocationInterceptor, because otherwise every user will be able to switch roles. After execution of the filterInvocationInterceptor the roles are applied to the url’s to accept or deny access.

2. Now define the bean for the SwitchUserProcessingFilter, where you can configure which url you want to respond to and which url you want to use to switch back to yourself (the exitUserUrl).



/helpdesk_switch_user
/helpdesk_exit
/index.action

3. To make sure the url you configured to enable the switch user functionality is only accessible to the customer services accounts, assign a role to that URL in the filterInvocationFilter.

 


  
  
  
	
		 PATTERN_TYPE_APACHE_ANT
		 ...
		 ...
		/helpdesk_switch_user*=ROLE_HELPDESK
	
  

4. You can create a page for customer support that list all users, or a search page to find a user and create a link to login as that user. You can do this as follows:  http://localhost:8080/helpdesk_switch_user?j_username=abraham.lincoln. After the switch, there is a value in the SecurityContext contains the original user. This value is named SWITCH_USER_GRANTED_AUTHORITY and is accessible using the SecurityContextHolder.

Once this value is available you want to add a link to the menu to be able to get back to the customer services user, using the configured exit url.

This is all you need to do. Off course you need to be sure the role is only assigned to people you want to be able to login as other users. At least Acegi Security enables you to easily add functionality that can help you Customer Service department understand the user’s issue and create a better report to the developer describing the steps to reproduce the issue. So in the end you win back the investment of adding this functionality.

 

 

3 thoughts on “Enhance customer support using the SwitchUser feature of Spring Security

  1. One important thing I failed to mention is that this feature should be used carefully. Since you are actually changing to the users context, every action has effect on the customer. So it is best to check for the SWITCH_USER_GRANTED_AUTHORITY value and only give read and reporting access unless you are really sure nothing can and will be ruined.
    Also a very clear instruction to the customer service department will help to prevent issues with your customers data.

    Note also that in version 1.0.7 the SWITCH_USER_GRANTED_AUTHORITY variable is renamed.

Leave a Comment


*