Enhance customer support using the SwitchUser feature of Spring Security 3

Within the Java community the Spring Security Framework (aka Acegi Security) is used widely. Although the configuration is very hard to learn, once you get the hang of it, it is a very powerful and flexible security mechanism. It helps secure your web application, but can it also help you provide extra functionality for Customer Support? The answer is YES!

A lot of calls coming in to a Customer Support department are about pages not showing, menu items not being visible, errors occurring, etc. The problem is always being able to reproduce these errors, especially because they are very often related to the user's data and privileges.

So ultimately, we would like to see what the user is seeing and experiencing. With Acegi, this is possible, using the switch user filter.

To be able to use it, the following configuration can be used:

1. Configure the filter chain to use the SwitchUserProcessingFilter:

    <!-- ======================== FILTER CHAIN ======================= -->
    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /images/**=#NONE#
                /scripts/**=#NONE#
                /styles/**=#NONE#
                /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter
            </value>
        </property>
    </bean>

It is important to place the switchUserProcessingFilter after the filterInvocationInterceptor, because otherwise every user would be able to switch accounts: the filterInvocationInterceptor is the filter that applies the role requirements to the URLs and accepts or denies access, so the switch URL is only protected if that check runs before the switch is processed.

2. Now define the bean for the SwitchUserProcessingFilter, where you configure which URL it responds to and which URL is used to switch back to yourself (the exitUserUrl).

    <bean id="switchUserProcessingFilter" class="org.acegisecurity.ui.switchuser.SwitchUserProcessingFilter">
        <!-- the filter loads the target user through your existing UserDetailsService bean -->
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="switchUserUrl"><value>/helpdesk_switch_user</value></property>
        <property name="exitUserUrl"><value>/helpdesk_exit</value></property>
        <property name="targetUrl"><value>/index.action</value></property>
    </bean>

3. To make sure the URL you configured to enable the switch user functionality is only accessible to the customer service accounts, assign a role to that URL in the filterInvocationInterceptor.

    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource">
            <value>
                PATTERN_TYPE_APACHE_ANT
                ...
                ...
                /helpdesk_switch_user*=ROLE_HELPDESK
            </value>
        </property>
    </bean>


4. You can create a page for customer support that lists all users, or a search page to find a user, and create a link to log in as that user, for example: http://localhost:8080/helpdesk_switch_user?j_username=abraham.lincoln. After the switch, the SecurityContext contains a value holding the original user. This value is named SWITCH_USER_GRANTED_AUTHORITY and is accessible through the SecurityContextHolder.

Once this value is available, you want to add a link to the menu to be able to get back to the customer service user, using the configured exit URL.
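As an added example (not code from the original post), here is a small helper that reads the switched-user authority from the SecurityContextHolder, so a page can show the exit link only when a switch is active and a service can refuse state-changing actions while the helpdesk is logged in as a customer. It assumes the Acegi 1.0.x API (package org.acegisecurity) matching the configuration above and checks for the SwitchUserGrantedAuthority type rather than a named constant, because that constant name differs between Acegi versions; the class name ImpersonationHelper is hypothetical.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.ui.switchuser.SwitchUserGrantedAuthority;

/**
 * Hypothetical helper (not part of Acegi) for pages and services that need to
 * know whether the current request runs as a switched user.
 */
public final class ImpersonationHelper {

    private ImpersonationHelper() {
    }

    /** The authority SwitchUserProcessingFilter adds on a switch, or null if not switched. */
    public static SwitchUserGrantedAuthority switchAuthority() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth.getAuthorities() == null) {
            return null;
        }
        GrantedAuthority[] authorities = auth.getAuthorities();
        for (int i = 0; i < authorities.length; i++) {
            if (authorities[i] instanceof SwitchUserGrantedAuthority) {
                return (SwitchUserGrantedAuthority) authorities[i];
            }
        }
        return null;
    }

    /** True while a customer-service account is logged in as another user. */
    public static boolean isSwitched() {
        return switchAuthority() != null;
    }

    /** Name of the original (helpdesk) user that performed the switch, or null. */
    public static String originalUsername() {
        SwitchUserGrantedAuthority sw = switchAuthority();
        return sw == null ? null : sw.getSource().getName();
    }

    /** Guard for write actions: every action in a switched session hits the customer's data. */
    public static void assertNotSwitched(String action) {
        if (isSwitched()) {
            throw new IllegalStateException(action + " is not allowed while switched to another user"
                    + " (switched by " + originalUsername() + ")");
        }
    }
}
```

A menu page can call isSwitched() to decide whether to render the link to the configured exitUserUrl (/helpdesk_exit), and services that modify data can call assertNotSwitched("save order") at their entry point.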

This is all you need to do. Of course, you need to be sure the role is only assigned to people you want to be able to log in as other users. At least Acegi Security enables you to easily add functionality that can help your Customer Service department understand the user's issue and create a better report for the developer describing the steps to reproduce it. So in the end you win back the investment of adding this functionality.


3 thoughts on “Enhance customer support using the SwitchUser feature of Spring Security”

  1. Mike van Vendeloo Apr 20, 2008 20:01

    One important thing I failed to mention is that this feature should be used carefully. Since you are actually changing to the user's context, every action has an effect on the customer. So it is best to check for the SWITCH_USER_GRANTED_AUTHORITY value and only give read and reporting access unless you are really sure nothing can and will be ruined.
    Also, a very clear instruction to the customer service department will help to prevent issues with your customers' data.

    Note also that in version 1.0.7 the SWITCH_USER_GRANTED_AUTHORITY variable is renamed.

  2. Thiago Sep 17, 2010 20:32

    Do you have a working war file to share? I am not able to make it work.

    Thanks
