Hi, We are using SwitchUserFilter to build the impersonate feature in our application, The login to impersonate feature works succesfully using the below SwitchUserFilter but once logged in log out of impersonate is breaking the application with the ONLY change from spring 2.2.6 to 2.3.1 in the pom.xml (no other code changes)
The below code works fine with Spring version 2.2.6 but when we just upgrade the version to 2.3.1 with no other code changes the application breaks. @Bean public SwitchUserFilter switchUserFilter()
By Enabling and Analyzing the spring framework log we can see that in version 2.2.6 where its working successfully the below gets printed Checking match of request : '/logout/impersonate'; against '/logout/impersonate' 2020-07-16T16:45:11,047Z 2020-07-16 16:45:11,047 DEBUG [http-nio-8000-exec-8] o.s.s.w.a.s.SwitchUserFilter [SwitchUserFilter.java:376] Found original switch user granted authority But the same code when build with spring 2.3.1 (pom.xml) with NO other code changes we see the above line printed is getting printed as shown below (where Found original switch user granted authority is not getting displayed) and the application getting redirected to error page, As said this changes is happening with the only change from spring2.2.5 to 2.3.1 in the pom.xml Checking match of request : '/logout/impersonate'; against '/logout/impersonate' 2020-07-16T16:33:59,085Z 2020-07-16 16:33:59,085 DEBUG [http-nio-8000-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor [AbstractSecurityInterceptor.java:219] Secure object: FilterInvocation: URL: /logout/impersonate; Attributes: [authenticated] Iam attaching the spring framework logs (working and non working) here for your quick reference.
Can you please help as this is blocking our spring upgrade changes.
Thanks, Ganeshan
Comment From: eleftherias
Thanks for getting in touch @ganeshan123.
Could you put together a minimal sample that reproduces this issue?
Comment From: ganeshan123
@eleftherias Thanks for your swift response,
Can you please let me know what kind of sample you are looking for as this is application related,
To Recap, When this exception happens the exception is happening in the spring security side itself and not reaching the application side, So I have attached both the version of the logs (working and notworking spring framework logs) which can help you to identify the conflicts and the root cause,
As mentioned in my earlier comments this exception is happening with the ONLY change from spring 2.2.6 to 2.3.1 version in the pom.xml without any other code changes.
Please let me know if you need more info.
Thanks, Ganeshan
Thanks, Ganeshan
Comment From: eleftherias
@ganeshan123 I'm looking for a sample that: 1) Is a runnable application 2) Reproduces the issue (redirects to the error page) 3) Has the least amount of code needed to reproduce the issue
It is ok if the sample uses Spring Boot, you do not need to use Spring Security on its own.
This will help me narrow down the root cause of the issue.
Comment From: samuelpdm
Hi! I had the same issue here and I realized that in the previous versions you could use HTTP method GET to perform an impersonate, now (at least maintaining everything like it was) you must send a POST with username:{value} as form-data on the request body.
Comment From: eleftherias
Thanks for bringing that up @samuelpdm.
@ganeshan123 The issue that @samuelpdm is referring to is gh-4183.
Take a look and let us know if that's what you're running into.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: ganeshan123
Apologize for the delay, The issue is resolved with the below change
Instead of using filter.setExitUserUrl("/logout/impersonate"); I changed this to RequestMatcher exitUserMatcher = createMatcher("/logout/impersonate"); filter.setExitUserMatcher(exitUserMatcher); and this worked out. But filter.setExitUserUrl("/logout/impersonate"); was working succesfully in the earlier spring version 2.2.6
Thanks for your help
Comment From: eleftherias
Glad you were able to fix it @ganeshan123!