// Webpack JSONP async chunk (chunk id 250) registering module 676. Module 676 is a
// compiled VuePress page: it requires module 56 (the call shape
// `Object(a.a)({}, render, [], !1, null, null, null)` looks like vue-loader's
// component normalizer — confirm against module 56) and exports the resulting
// component as `t.default`.
//
// The render function (`e` = the Vue instance, `n` = createElement, `e._v` = text
// node) produces the documentation page "Run-As Authentication Replacement":
//   - h1 + two h2 anchors ("overview", "configuration"),
//   - a <pre class="language-text"> block with the RunAsManager interface,
//   - a second <pre class="language-text"> block whose only content is seven
//     newlines: the bean-definition example the preceding paragraph introduces
//     ("...is created in the bean context with the same key:") is missing from
//     this bundle, presumably stripped when the source was converted. Readers
//     therefore get no example of configuring the shared key.
//   - two RouterLinks to /en/spring-security/x509.html and
//     /en/spring-security/logout.html.
//
// Security-relevant content as stated by the page text itself: RunAsImplAuthenticationProvider
// accepts any RunAsUserToken presented, and the only control against a forged token
// is the hash of a key embedded in every generated token, so RunAsManagerImpl and
// RunAsImplAuthenticationProvider must be configured with the same key. Any
// deployment review of run-as configuration should check that this key is set,
// identical on both beans, and not a published default.
//
// NOTE(review): the bundle is a single minified line; the line breaks in this
// listing fall inside string literals ("...these run-as " / "replacements...",
// "...as the original " / "\"),n(...", "...The " / "\"),n(...") and are wrap
// artefacts of the extraction, not part of the shipped code. As shown here the
// text would not parse; joining the four lines with no separator restores it.
(window.webpackJsonp=window.webpackJsonp||[]).push([[250],{676:function(e,t,n){"use strict";n.r(t);var a=n(56),o=Object(a.a)({},(function(){var e=this,t=e.$createElement,n=e._self._c||t;return n("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[n("h1",{attrs:{id:"run-as-authentication-replacement"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#run-as-authentication-replacement"}},[e._v("#")]),e._v(" Run-As Authentication Replacement")]),e._v(" "),n("h2",{attrs:{id:"overview"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#overview"}},[e._v("#")]),e._v(" Overview")]),e._v(" "),n("p",[e._v("The "),n("code",[e._v("AbstractSecurityInterceptor")]),e._v(" is able to temporarily replace the "),n("code",[e._v("Authentication")]),e._v(" object in the "),n("code",[e._v("SecurityContext")]),e._v(" and "),n("code",[e._v("SecurityContextHolder")]),e._v(" during the secure object callback phase.\nThis only occurs if the original "),n("code",[e._v("Authentication")]),e._v(" object was successfully processed by the "),n("code",[e._v("AuthenticationManager")]),e._v(" and "),n("code",[e._v("AccessDecisionManager")]),e._v(".\nThe "),n("code",[e._v("RunAsManager")]),e._v(" will indicate the replacement "),n("code",[e._v("Authentication")]),e._v(" object, if any, that should be used during the "),n("code",[e._v("SecurityInterceptorCallback")]),e._v(".")]),e._v(" "),n("p",[e._v("By temporarily replacing the "),n("code",[e._v("Authentication")]),e._v(" object during the secure object callback phase, the secured invocation will be able to call other objects which require different authentication and authorization credentials.\nIt will also be able to perform any internal security checks for specific "),n("code",[e._v("GrantedAuthority")]),e._v(" objects.\nBecause Spring Security provides a number of helper classes that automatically configure remoting protocols based on the contents of the "),n("code",[e._v("SecurityContextHolder")]),e._v(", these run-as 
replacements are particularly useful when calling remote web services.")]),e._v(" "),n("h2",{attrs:{id:"configuration"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#configuration"}},[e._v("#")]),e._v(" Configuration")]),e._v(" "),n("p",[e._v("A "),n("code",[e._v("RunAsManager")]),e._v(" interface is provided by Spring Security:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("Authentication buildRunAs(Authentication authentication, Object object,\n\tList config);\n\nboolean supports(ConfigAttribute attribute);\n\nboolean supports(Class clazz);\n")])])]),n("p",[e._v("The first method returns the "),n("code",[e._v("Authentication")]),e._v(" object that should replace the existing "),n("code",[e._v("Authentication")]),e._v(" object for the duration of the method invocation.\nIf the method returns "),n("code",[e._v("null")]),e._v(", it indicates no replacement should be made.\nThe second method is used by the "),n("code",[e._v("AbstractSecurityInterceptor")]),e._v(" as part of its startup validation of configuration attributes.\nThe "),n("code",[e._v("supports(Class)")]),e._v(" method is called by a security interceptor implementation to ensure the configured "),n("code",[e._v("RunAsManager")]),e._v(" supports the type of secure object that the security interceptor will present.")]),e._v(" "),n("p",[e._v("One concrete implementation of a "),n("code",[e._v("RunAsManager")]),e._v(" is provided with Spring Security.\nThe "),n("code",[e._v("RunAsManagerImpl")]),e._v(" class returns a replacement "),n("code",[e._v("RunAsUserToken")]),e._v(" if any "),n("code",[e._v("ConfigAttribute")]),e._v(" starts with "),n("code",[e._v("RUN_AS_")]),e._v(".\nIf any such "),n("code",[e._v("ConfigAttribute")]),e._v(" is found, the replacement "),n("code",[e._v("RunAsUserToken")]),e._v(" will contain the same principal, credentials and granted authorities as the original 
"),n("code",[e._v("Authentication")]),e._v(" object, along with a new "),n("code",[e._v("SimpleGrantedAuthority")]),e._v(" for each "),n("code",[e._v("RUN_AS_")]),e._v(" "),n("code",[e._v("ConfigAttribute")]),e._v(".\nEach new "),n("code",[e._v("SimpleGrantedAuthority")]),e._v(" will be prefixed with "),n("code",[e._v("ROLE_")]),e._v(", followed by the "),n("code",[e._v("RUN_AS")]),e._v(" "),n("code",[e._v("ConfigAttribute")]),e._v(".\nFor example, a "),n("code",[e._v("RUN_AS_SERVER")]),e._v(" will result in the replacement "),n("code",[e._v("RunAsUserToken")]),e._v(" containing a "),n("code",[e._v("ROLE_RUN_AS_SERVER")]),e._v(" granted authority.")]),e._v(" "),n("p",[e._v("The replacement "),n("code",[e._v("RunAsUserToken")]),e._v(" is just like any other "),n("code",[e._v("Authentication")]),e._v(" object.\nIt needs to be authenticated by the "),n("code",[e._v("AuthenticationManager")]),e._v(", probably via delegation to a suitable "),n("code",[e._v("AuthenticationProvider")]),e._v(".\nThe "),n("code",[e._v("RunAsImplAuthenticationProvider")]),e._v(" performs such authentication.\nIt simply accepts as valid any "),n("code",[e._v("RunAsUserToken")]),e._v(" presented.")]),e._v(" "),n("p",[e._v("To ensure malicious code does not create a "),n("code",[e._v("RunAsUserToken")]),e._v(" and present it for guaranteed acceptance by the "),n("code",[e._v("RunAsImplAuthenticationProvider")]),e._v(", the hash of a key is stored in all generated tokens.\nThe "),n("code",[e._v("RunAsManagerImpl")]),e._v(" and "),n("code",[e._v("RunAsImplAuthenticationProvider")]),e._v(" is created in the bean context with the same key:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('\n\n\n\n\n\n\n')])])]),n("p",[e._v("By using the same key, each "),n("code",[e._v("RunAsUserToken")]),e._v(" can be validated it was created by an approved "),n("code",[e._v("RunAsManagerImpl")]),e._v(".\nThe 
"),n("code",[e._v("RunAsUserToken")]),e._v(" is immutable after creation for security reasons")]),e._v(" "),n("p",[n("RouterLink",{attrs:{to:"/en/spring-security/x509.html"}},[e._v("X509")]),n("RouterLink",{attrs:{to:"/en/spring-security/logout.html"}},[e._v("Logout")])],1)])}),[],!1,null,null,null);t.default=o.exports}}]);