Spring security user manual login session creation without password by admin

Time:11-24

I am building a web application with Spring and Hibernate for the backend, and I am using HTML, CSS and JavaScript/jQuery for the frontend. I have created a signup page, a login page and a home page. The flow is: the user creates an account and logs in with username and password, and if he is authenticated he is redirected to the home page. We do not store the password in plaintext form for security reasons. Now I am the administrator and creator of the web application, and sometimes a need arises for the admin to change data for a user or demonstrate what the user can do in the interface. What I need to do is create a login session of the user and make changes in his account and/or demonstrate how the user can do things on the website (by sharing my screen). I want to create a user's session manually; as the password is stored in plaintext form I cannot log in with username and password. Is there a way I can create a browser login session without the password? I am sharing screenshots of my web application's login page and home page. I am also sharing the Spring Security configuration class. Is there a way I can just specify a username and Spring can create a login session for me, so I can access the user's account just like a normal user session?

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // add a reference to our security data source
    @Autowired
    private DataSource myDataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // users and their authorities are looked up in the database (hashed passwords)
        auth.jdbcAuthentication().dataSource(myDataSource);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // signup and password-reset flows must be reachable without a session
            .antMatchers("/signup_page","/forgot_password","/signup","/reset_password").permitAll()
            .antMatchers("/resources/**").permitAll()
            // everything else requires an authenticated user
            .anyRequest()
            .authenticated()
            .and()
                .formLogin()
                .loginPage("/login_page")
                .loginProcessingUrl("/authenticateTheUser").permitAll()
                .defaultSuccessUrl("/home_page")
            .and()
                .logout()
                .logoutSuccessUrl("/login_page?logout")
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
                .permitAll()
            .and()
                .sessionManagement()
                // issue a fresh session id on login to defeat session fixation
                .sessionFixation()
                .migrateSession()
                .invalidSessionUrl("/login_page")
                // at most three concurrent sessions per user; the oldest is expired
                .maximumSessions(3)
                .expiredUrl("/login_page?logout");
    }

}

Below are the images of my web application.

[screenshot: login page]

[screenshot: home page]

CodePudding user response:

Two concepts that you may want to look into are:

  1. Pre-Authentication, normally for cases where you are behind a gateway that performs authentication prior to your application (see RequestHeaderAuthenticationFilter)
  2. Switch User for cases where an ADMIN needs to impersonate a USER (see SwitchUserFilter)

Both of these require careful consideration and proper use so as not to accidentally open you up to bypassing authentication entirely. If you're just doing this in a development environment, enabling pre-authentication by adding a RequestHeaderAuthenticationFilter could work for you.
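One way to wire up the second option, SwitchUserFilter, so that only an ADMIN can open a session as another user without that user's password. This is an added example, not code from the question or the answer; it assumes Spring Security 5.x with WebSecurityConfigurerAdapter as in the question, a UserDetailsService bean (the JDBC one behind jdbcAuthentication() will do), a ROLE_ADMIN authority in the database, and the URL names /admin/impersonate and /admin/impersonate/exit, which are just chosen here.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;

@Configuration
@EnableWebSecurity
public class ImpersonationSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;   // assumed bean (e.g. the JDBC one)
    @Autowired
    private ApplicationEventPublisher eventPublisher;

    // Built here rather than as a @Bean so Spring Boot does not also register it as a
    // plain servlet filter outside the security chain, where no authorization would apply.
    private SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);
        filter.setApplicationEventPublisher(eventPublisher);   // emits AuthenticationSwitchUserEvent
        filter.setSwitchUserUrl("/admin/impersonate");         // request carries ?username=<target>
        filter.setExitUserUrl("/admin/impersonate/exit");
        filter.setTargetUrl("/home_page");                     // same landing page as a real login
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Only an ADMIN may start a switch. The filter keeps the admin's original
                // Authentication as ROLE_PREVIOUS_ADMINISTRATOR so the exit URL can restore it.
                .antMatchers("/admin/impersonate").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
                .formLogin().loginPage("/login_page").permitAll()
            .and()
                // After FilterSecurityInterceptor, so the hasRole check above runs before the switch.
                .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
    }

    // Audit trail: every impersonation start and exit is logged with who did it and as whom.
    @EventListener
    public void onSwitch(AuthenticationSwitchUserEvent event) {
        System.out.printf("switch-user: %s -> %s%n",
                event.getAuthentication().getName(), event.getTargetUser().getUsername());
    }
}
```

The admin logs in normally, then requests /admin/impersonate?username=<target> to receive the target user's session and /admin/impersonate/exit to get their own back; CSRF protection stays enabled so a switch cannot be triggered from a third-party page.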
