Shreshtt Bhatt - 3 months ago 19
Java Question

Spring Impersonation SwitchUserFilter Not Working | Filter is not adding to spring security chain

SwitchUserFilter Hybris 5.7

I am trying to integrate impersonation functionality in Hybris 5.7. Here is the configuration I have done so far.

spring-security-config.xml

<security:http disable-url-rewriting="true" request-matcher-ref="excludeUrlRequestMatcher" use-expressions="true">

    <!-- added custom filter to security chain -->
    <security:custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />

</security:http>

<bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
    <property name="userDetailsService" ref="originalUidUserDetailsService" />
    <property name="switchUserUrl" value="/j_spring_security_switch_user" />
    <property name="exitUserUrl" value="/j_spring_security_exit_user" />
    <property name="targetUrl" value="/" />
</bean>


Web.xml

<filter>
    <filter-name>switchUserProcessingFilter</filter-name>
    <filter-class>org.springframework.security.web.authentication.switchuser.SwitchUserFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>switchUserProcessingFilter</filter-name>
    <url-pattern>/j_spring_security_switch_user</url-pattern>
</filter-mapping>


Now whenever I log in and try to switch to another user, say user@xyz.com, I get a NullPointerException.

https://localhost:9002/store/j_spring_security_switch_user?j_username=user@xyz.com


Error :

java.lang.NullPointerException
at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.attemptSwitchUser(SwitchUserFilter.java:209)
at org.springframework.security.web.authentication.switchuser.SwitchUserFilter.doFilter(SwitchUserFilter.java:155)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.training.storefront.filters.AcceleratorAddOnFilter.doFilter(AcceleratorAddOnFilter.java:92)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at de.hybris.platform.servicelayer.web.XSSFilter.doFilter(XSSFilter.java:230)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)


I have tried to extend SwitchUserFilter and debug it. I found that SecurityContextHolder.getContext().getAuthentication(); is giving null, that's why the request is failing.

I have also seen a very weird situation. I have extended SwitchUserFilter and added my own service to write custom code, but I am not able to @Autowire it.

I also tried to set the Authentication in the session while logging in with the user, but I can't find the same session attribute in my extended SwitchUserFilter.

In the above code I am adding the filter to the security filter chain as well.

<security:custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />


It seems SwitchUserFilter doesn't know anything about what the session is setting or what authentication is being saved. I don't understand why this is happening even though I have done the right configuration. I have checked other related questions as well but was not able to fix it.

Please help me with this. Let me know if you want me to post more code.

Answer

The problem is that my filter is not binding in the Spring Security chain, so rather than using the custom-filter mapping, I inject my filter directly into the filter chain.

spring-filter-config.xml

<alias name="defaultStorefrontTenantDefaultFilterChainList" alias="storefrontTenantDefaultFilterChainList" />
<util:list id="defaultStorefrontTenantDefaultFilterChainList">

    <!-- Other filter chain -->

    <ref bean="switchUserProcessingFilter"/> <!-- Added my filter here -->
</util:list>

and simply added switchUserProcessingFilter in spring-security-config.xml

So there is no use in writing the filter-mapping in the web.xml file and the custom-filter in the security-config.xml file.
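
A small audit of the two files discussed above, as an added example that is not part of the original post: it flags a SwitchUserFilter declared in web.xml, where the container calls it outside the Spring Security chain (as the stack trace in the question shows), and any switch or exit URL that has no intercept-url rule of its own. The sample XML is constructed, the role name ROLE_ADMINGROUP is an assumption, and only explicitly configured URLs and exact-match patterns are checked.

```python
import xml.etree.ElementTree as ET

SWITCH_CLASS = "org.springframework.security.web.authentication.switchuser.SwitchUserFilter"

# Constructed samples modelled on the question's files; ROLE_ADMINGROUP is an assumed role name.
WEB_XML = """<web-app><filter>
  <filter-name>switchUserProcessingFilter</filter-name>
  <filter-class>%s</filter-class>
</filter></web-app>""" % SWITCH_CLASS

SECURITY_XML = """<beans xmlns:security="http://www.springframework.org/schema/security">
  <security:http use-expressions="true">
    <security:intercept-url pattern="/j_spring_security_switch_user"
                            access="hasRole('ROLE_ADMINGROUP')"/>
    <security:custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter"/>
  </security:http>
  <bean id="switchUserProcessingFilter" class="%s">
    <property name="switchUserUrl" value="/j_spring_security_switch_user"/>
    <property name="exitUserUrl" value="/j_spring_security_exit_user"/>
  </bean>
</beans>""" % SWITCH_CLASS

def by_tag(root, name):
    """All elements under root whose tag, ignoring its namespace, equals name."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def audit_switch_user(web_xml, security_xml):
    """Return findings about how SwitchUserFilter is wired and protected."""
    findings = []
    web, sec = ET.fromstring(web_xml), ET.fromstring(security_xml)
    # 1. Declared in web.xml: the servlet container invokes the filter itself,
    #    so no Spring Security filter has loaded a SecurityContext before it.
    for cls in by_tag(web, "filter-class"):
        if (cls.text or "").strip() == SWITCH_CLASS:
            findings.append("web.xml: SwitchUserFilter runs outside the security chain")
    # 2. Each configured switch/exit URL should have its own access rule.
    #    Simplification: wildcard patterns that might cover the URL are not evaluated.
    rules = {r.get("pattern") for r in by_tag(sec, "intercept-url")}
    for bean in by_tag(sec, "bean"):
        if bean.get("class") != SWITCH_CLASS:
            continue
        for prop in by_tag(bean, "property"):
            if prop.get("name") in ("switchUserUrl", "exitUserUrl") and prop.get("value") not in rules:
                findings.append("no intercept-url for " + prop.get("value"))
    return findings

if __name__ == "__main__":
    for finding in audit_switch_user(WEB_XML, SECURITY_XML):
        print(finding)
```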
