Jerry,
On 11/4/23 20:17, Jerry Malcolm wrote:
My support team needs to be able to log in to our site as various users
(on behalf of...) to be able to see exactly what they are seeing since
roles, access groups and history are different for different users. I would
like to implement an admin password where I can log in as any userId
with this password. I totally realize the security risks involved in
this. But I am handling the security risks with additional
authorizations. I simply need to make every user have two passwords...
their real personal password, and the admin password. The only
alternative I have right now is to save off the user's password hash in
the USERS table, replace it with my password hash, then restore the
user's original password when I'm done. I'm not thrilled with that
solution first because it's a pain and error prone, and also because the
user can no longer log in while their password is replaced with my
password.
I figure this function is buried in the authenticator code somewhere.
But I'd first like to see if anybody has done anything like this
already. If not, could somebody point me in the right direction to the
Tomcat source file that I'm going to need to modify and also what's
involved in making authentication use my updated class instead of the
default.
Suggestions?
This sounds like "impersonation" to me, which, I think, can be done
differently. If you are indeed describing an X-Y problem above, then
might I suggest the following?
Instead of figuring out how to "add" a second password to a user, what
about allowing you to login as e.g. "jerry" and then assume the identity
of the user "tom"? You should be able to do this by changing the
UserPrincipal in the session to have a different username.
Which application are you trying to do this with? Your own application,
or one which ships with Tomcat (e.g. Manager)?
-chris
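The impersonation approach Chris describes, as an added example that is not code from this thread or from Tomcat: rather than touching Tomcat's internal session principal, a servlet Filter wraps the request so the application sees the target user's name and roles while the support engineer's own login (and password) stays intact. It assumes the Jakarta Servlet API (Tomcat 10 or later), and the session attribute name, role name, protected-role set and the `RoleSource` interface are all hypothetical names chosen for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpSession;

/**
 * Hypothetical impersonation filter (example code, not Tomcat's).
 * The support engineer (e.g. "jerry") authenticates with their own
 * password as usual. An admin-only endpoint (not shown) stores the
 * target user ID in the session; this filter then presents that user's
 * identity to the application for every request in the session.
 */
public class ImpersonationFilter implements Filter {

    /** Session attribute holding the user ID being impersonated (assumed name). */
    public static final String IMPERSONATE_ATTR = "impersonate.user";

    /** Role a caller must hold to impersonate anyone (assumed name). */
    public static final String IMPERSONATOR_ROLE = "support-impersonator";

    /** Roles that may never be impersonated: no "su" into another admin (assumed). */
    private static final Set<String> PROTECTED_ROLES = Set.of("admin", IMPERSONATOR_ROLE);

    /** Looks up the roles of a user ID; stands in for the application's USERS table. */
    public interface RoleSource {
        Set<String> rolesOf(String userId);
    }

    private final RoleSource roles;

    public ImpersonationFilter(RoleSource roles) {
        this.roles = roles;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        Principal real = http.getUserPrincipal();
        String target = (session == null) ? null : (String) session.getAttribute(IMPERSONATE_ATTR);

        // Not logged in or not impersonating: pass the request through untouched.
        if (real == null || target == null) {
            chain.doFilter(req, res);
            return;
        }

        // Re-check authorization on every request, not just when impersonation
        // started, so revoking the role or protecting the target takes effect at once.
        Set<String> targetRoles = roles.rolesOf(target);
        boolean allowed = http.isUserInRole(IMPERSONATOR_ROLE)
                && targetRoles != null
                && targetRoles.stream().noneMatch(PROTECTED_ROLES::contains);
        if (!allowed) {
            session.removeAttribute(IMPERSONATE_ATTR);
            chain.doFilter(req, res);
            return;
        }

        // Audit trail: the real identity is always logged next to the assumed one.
        http.getServletContext().log("impersonation: " + real.getName() + " acting as "
                + target + " " + http.getMethod() + " " + http.getRequestURI());

        chain.doFilter(new ImpersonatedRequest(http, real, target, targetRoles), res);
    }

    /** Request wrapper that presents the target user's identity and roles to the app. */
    static final class ImpersonatedRequest extends HttpServletRequestWrapper {
        private final Principal real;
        private final Principal assumed;
        private final Set<String> assumedRoles;

        ImpersonatedRequest(HttpServletRequest req, Principal real, String target, Set<String> targetRoles) {
            super(req);
            this.real = real;
            this.assumed = () -> target;   // Principal has a single abstract method, getName()
            this.assumedRoles = targetRoles;
        }

        @Override public Principal getUserPrincipal() { return assumed; }
        @Override public String getRemoteUser() { return assumed.getName(); }
        @Override public boolean isUserInRole(String role) { return assumedRoles.contains(role); }

        /** Lets audit or banner code still see who is really behind the request. */
        public Principal getRealPrincipal() { return real; }
    }
}
```

Because the filter takes a constructor argument, it would be registered programmatically (for example via `ServletContext.addFilter(String, Filter)` from a `ServletContainerInitializer`) rather than from web.xml; with a no-arg constructor and a `RoleSource` obtained in `init(FilterConfig)` it could be declared in web.xml instead. Note that container-managed security constraints in web.xml are evaluated by Tomcat before any filter runs, so they still apply to the real user; the wrapper only changes what the application itself sees through `getUserPrincipal()`, `getRemoteUser()` and `isUserInRole()`.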