Re: Admin password for Tomcat

Sun, 05 Nov 2023 07:27:37 -0800 

Jerry,

On 11/4/23 20:17, Jerry Malcolm wrote:
My support team needs to be able to log in to our site as various users (on behalf of...) to be able to see exactly what they are seeing since roles, access groups, history is different for different users.  I would like to implement an admin password where I can log in as any userId with this password.  I totally realize the security risks involved in this.  But I am handling the security risks with additional authorizations.  I simply need to make every user have two passwords... their real personal password, and the admin password.  The only alternative I have right now is to save off the user's password hash in the USERS table, replace it with my password hash, then restore the user's original password when I'm done.  I'm not thrilled with that solution first because it's a pain and error prone, and also because the user can no longer log in while their password is replaced with my password. 


  I figure this function is buried in the authenticator code somewhere. 
But I'd first like to see if anybody has done anything like this 
already.  If not, could somebody point me in the right direction to the 
tomcat source file that I'm going to need to modify and also what's 
involved in making authentication use my updated class instead of the 
default.


Suggestions?



This sounds like "impersonation" to me, which, I think, can be done 
differently. If you are indeed describing an X-Y problem above, then 
might I suggest the following?



Instead of figuring out how to "add" a second password to a user, what 
about allowing you to login as e.g. "jerry" and then assume the identity 
of the user "tom"? You should be able to do this by changing the 
UserPrincipal in the session to have a different username.



Which application are you trying to do this with? Your own application, 
or one which ships with Tomcat (e.g. Manager)?


-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to