Describe the bug
I was trying to see how SwitchUserFilter works. I started a Spring Boot 3.1.3 demo project. I tried to do the necessary configuration as explained here: https://blog.marcosbarbero.com/user-impersonation-with-spring-security/
However, using SwitchUserFilter.setSwitchUserUrl("/impersonate") will keep the /impersonate endpoint hidden. A 403 HTTP status will be returned upon trying to either GET or POST to it. However, using SwitchUserFilter.setSwitchUserMatcher(antMatcher("/impersonate")) I was able to send a GET request to that endpoint and impersonate the user I was trying to impersonate.
Comment From: sjohnr
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.
Comment From: bibiki
@sjohnr I was not trying to ask a question, actually. I think I was reporting a bug because the doc for SwitchUserFilter.setSwitchUserUrl(url) says that it is a shortcut for SwitchUserFilter.setSwitchUserMatcher(RequestMatcher).
If one is a shortcut of the other, I expect them to behave the same. And if they don't, I think that is a bug.
Here I created a repo with the code. https://github.com/bibiki/impersonation-demo
If you look at SpringSecurityConfiguration.java you will see a comment that explains the same issue.
I understand that if I specified that the doc is inaccurate, you would not have seen this as a question. Sorry that I did not specify that, too, in my initial report.
Thanks!
Comment From: sjohnr
Thanks for the sample. We can take another look.
Comment From: bibiki
Sure. If need be for further clarification, I'd gladly provide it. I have added another two commits since I opened this issue, but the relevant code is still there.
Comment From: sjohnr
@bibiki, thanks for providing a sample! Unfortunately, the sample is not minimal and it's not possible for me to accurately assess the intent of the configuration since there are a number of concurrent experiments in the code, some of which are commented out or not used.
Having said that, it is clear that your use of setSwitchUserUrl() does not account for the fact that the /impersonate endpoint it creates requires a POST, not a GET. The 403 error you are receiving is likely due to a 404 error and the /error endpoint being protected, though I'm uncertain at this point. Regardless, this appears to be a configuration issue.
> I think I was reporting a bug because the doc for SwitchUserFilter.setSwitchUserUrl(url) says that it is a shortcut for SwitchUserFilter.setSwitchUserMatcher(RequestMatcher).
It seems you're referring to the javadoc for setSwitchUserUrl. The javadoc is accurate because you can indeed provide a RequestMatcher which produces the same functionality. Your use of setSwitchUserMatcher uses a GET which is not the same.
I'm again going to close this issue. If you have further questions, please provide a link to a Stack Overflow question and I would be happy to assist. If you still believe there's a bug, please simplify the sample so that I can assess the issue and/or provide guidance for the correct configuration.
Comment From: bibiki
@sjohnr the javadoc is NOT accurate.
First, setSwitchUserUrl(String url) does not provide a way to specify the HTTP verb to use for exposing the URL, while setSwitchUserMatcher(RequestMatcher url) does.
Let us assume setSwitchUserUrl(String url) makes the reasonable assumption that we want to have a POST URL for switching user. It still does not work. It simply does not expose either a GET or a POST endpoint for switching the user.
Please note that I am not reporting a bug for setSwitchUserMatcher(RequestMatcher url) working correctly. I am reporting a bug for setSwitchUserUrl(String url) not working correctly. Or rather, not working at all. In addition, its javadoc in the link you sent in your earlier message says that setSwitchUserUrl is a shortcut for setSwitchUserMatcher. There are two problems with that: 1. it does not work at all, whereas the method that it is supposed to be a shortcut for does work; 2. setSwitchUserUrl(String url) does not allow us to specify the HTTP verb, whereas setSwitchUserMatcher(RequestMatcher matcher) does. Using setSwitchUserUrl() necessitates that we use another method to specify the HTTP verb intended for the URL. As such, it may not be a shortcut for setSwitchUserMatcher(). At best, setSwitchUserMatcher() may be a shortcut for setSwitchUserUrl(), but I digress here.
Here are a few questions that may help: How can I use setSwitchUserUrl(String url) and have a GET endpoint for the switch user URL? How can I use setSwitchUserUrl(String url) and have a POST endpoint for the switch user URL? And most importantly, why is setSwitchUserUrl(String url) doing nothing while its javadoc indicates that it is supposed to do something?
Note that in earlier versions of Spring Security setSwitchUserUrl(String url) worked fine, as evidenced by https://blog.marcosbarbero.com/user-impersonation-with-spring-security/. Please note that I am not asking you to review the content of that link.
At any rate, thanks for your time spent looking at the issue. If you would like to have quicker communication and you have some kind of slack or something where I can join and explain myself clearer, let me know and I'll join.
Comment From: sjohnr
Hi @bibiki,
> Let us assume setSwitchUserUrl(String url) makes the reasonable assumption that we want to have a POST URL for switching user.
In fact, this is precisely what it does do.
> How can I use setSwitchUserUrl(String url) and have a GET endpoint for the switch user URL?
You cannot, since this method creates a RequestMatcher that matches on a POST.
> How can I use setSwitchUserUrl(String url) and have a POST endpoint for the switch user URL?
This is what it does do.
> It still does not work.
> Please note that I am not reporting a bug for setSwitchUserMatcher(RequestMatcher url) working correctly. I am reporting a bug for setSwitchUserUrl(String url) not working correctly. Or rather, not working at all.
Your HTML page for switching sends a GET request, which will not work with setSwitchUserUrl(String) for the reason mentioned above. You need to send a POST. Further, your page does not send a CSRF token with the request, which it would also need to do. Please keep in mind that switching users should benefit from CSRF protection, which is one reason why it defaults to (and should probably remain) POST.
I appreciate that you feel strongly that you've found a bug. However, I have reviewed your sample and further verified the SwitchUserFilter on my own. I have full confidence that it is working as I explained. My original request to take this to Stack Overflow remains relevant; please consider taking further questions there.
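As an added illustration of the configuration sjohnr describes (example code written for this edit, not code from the bibiki/impersonation-demo repository or from the Spring Security project): a Spring Boot 3 / Spring Security 6 configuration in which setSwitchUserUrl("/impersonate") is reachable, because the page that triggers it sends a POST carrying the CSRF token and the caller holds a role allowed to reach the endpoint. The class name, the demo accounts, the exit and target URLs, and the ADMIN role are assumptions; only /impersonate and the two setter names come from the thread.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;

// Hypothetical configuration class for this example.
@Configuration
@EnableWebSecurity
public class ImpersonationSecurityConfig {

    // Constructed demo accounts; "{noop}" stores the password in clear for the example only.
    @Bean
    UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
                User.withUsername("admin").password("{noop}admin-pw").roles("ADMIN", "USER").build(),
                User.withUsername("alice").password("{noop}alice-pw").roles("USER").build());
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService users) throws Exception {
        SwitchUserFilter switchUser = new SwitchUserFilter();
        switchUser.setUserDetailsService(users);
        // setSwitchUserUrl(String) registers a matcher for POST /impersonate only; a GET to the
        // same path passes straight through this filter and reaches whatever else handles it.
        // The explicit equivalent is setSwitchUserMatcher(antMatcher(HttpMethod.POST, "/impersonate")).
        // antMatcher("/impersonate") with no method would also accept GET, and GET requests are
        // not covered by CSRF protection, so a state-changing action would lose that defence.
        switchUser.setSwitchUserUrl("/impersonate");
        switchUser.setUsernameParameter("username");   // default name of the target-user form field
        switchUser.setExitUserUrl("/impersonate/exit"); // assumed path; also matched on POST only
        switchUser.setTargetUrl("/");                   // assumed redirect after a successful switch

        http
            .authorizeHttpRequests(auth -> auth
                // Only administrators may reach the switch endpoint at all.
                .requestMatchers(HttpMethod.POST, "/impersonate").hasRole("ADMIN")
                .requestMatchers("/impersonate/exit").authenticated()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // CSRF protection is left at its default (enabled): the POST must carry the _csrf token.
            // Placing the filter after AuthorizationFilter means the hasRole check runs first.
            .addFilterAfter(switchUser, AuthorizationFilter.class);
        return http.build();
    }
}
```

The page that triggers the switch must submit `<form method="post" action="/impersonate">` with a `username` field and the `_csrf` hidden field; with Thymeleaf and `th:action="@{/impersonate}"`, Spring Security's request data value processor inserts the CSRF field automatically. A plain link or a form with `method="get"` never matches the filter configured through setSwitchUserUrl, which is the behaviour reported at the top of this thread.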
Comment From: bibiki
Alright @sjohnr Thanks for your time.