
Impersonate user for the UME

Former Member
0 Kudos

Hi all,

I have a requirement to change the user I receive when calling the method UMFactory.getAuthenticator().getLoggedInUser() at runtime in my servlet deployed to SAP NW AS Java. I know it sounds weird, but please trust me that I really need it (i.e. bad design etc. are already taken into account).

I.e., I need the following: I have a servlet, which will be called in the context of user A. Then I have to do some work, let's say: Method X -> Method Y -> Method Z

What I want to do is to call the method Y in the context of the User B (= UMFactory.getAuthenticator().getLoggedInUser() == User B). Is there a possibility to do this?

The only approach that comes to my mind is to transfer the code of method Y into a separate servlet and call it from my original servlet with other authentication information... But this approach is as weird as the question itself (performance etc.).

Does anybody know a better approach?

Thank you in advance and best regards,

Artem

Accepted Solutions (1)

Former Member
0 Kudos

If it is possible, it is a bug in the system. Applications shouldn't be able to fake the identity of the user. The only way to gain identity X is to authenticate as X, even if the credentials are hard coded. Instead you should look at ways to perform the "methods" with different identities. You mention performance, that narrows it down. There might be something in the Java EE specification which I'm not too familiar with. Anyway, I would consider exposing the "methods" as web services. I'm pinging the and spaces to increase the visibility of this discussion thread.

Former Member
0 Kudos

Hi Samuli,

thank you for your feedback! The problem is, that I have no influence on the client side, i.e. I have only one request, which should be answered in the synchronous way.

However, just like you, for security reasons I didn't really believe that there is some way to do this, but I found out that it's possible (thx @ for the tip). Here is the code snippet:



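import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import javax.security.auth.Subject;
import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;

// Look up user B by logon ID (getUserByLogonID throws UMException if the lookup fails)
IUser userB = UMFactory.getUserFactory().getUserByLogonID("userB");
// Read-only Subject whose only principal is user B; no credentials are supplied
Subject subject = new Subject(
        true, new HashSet<IUser>(Arrays.asList(new IUser[] { userB })), Collections.emptySet(), Collections.emptySet());
Subject.doAs(subject, new PrivilegedAction<String>() {
    @Override
    public String run() {
        // do the stuff of the method Y
        return null; // replace with the result of method Y
    }
});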

Thank you and best regards,

Artem
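
The snippet above builds a Subject from a principal alone, so any code on the server that can run it can act as any user. The following is an added example, not code from the thread or from SAP, of confining that pattern to one audited, allowlisted helper. The class name GuardedRunAs, the logger name and the allowlist entry are hypothetical, and plain JDK Principal objects stand in for the UME IUser objects.

```java
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
import javax.security.auth.Subject;

/** Hypothetical helper: the single reviewed place where code may switch identity. */
public final class GuardedRunAs {
    private static final Logger AUDIT = Logger.getLogger("audit.runas");

    // Constructed allowlist: which caller may act as which target user.
    private static final Set<String> ALLOWED =
            new HashSet<String>(Arrays.asList("userA->userB"));

    private GuardedRunAs() { }

    public static <T> T runAs(Principal caller, Principal target, String reason,
                              PrivilegedAction<T> action) {
        String pair = caller.getName() + "->" + target.getName();
        if (!ALLOWED.contains(pair)) {
            AUDIT.warning("DENIED run-as " + pair + " reason=" + reason);
            throw new SecurityException("run-as not permitted: " + pair);
        }
        AUDIT.info("BEGIN run-as " + pair + " reason=" + reason);
        // Same construction as in the post: the Subject carries only a principal
        // and no credentials, so nothing here proves the target's identity.
        Subject subject = new Subject(true, Collections.singleton(target),
                Collections.emptySet(), Collections.emptySet());
        try {
            return Subject.doAs(subject, action);
        } finally {
            AUDIT.info("END run-as " + pair); // logged even if the action throws
        }
    }

    public static void main(String[] args) {
        Principal a = new Principal() { public String getName() { return "userA"; } };
        Principal b = new Principal() { public String getName() { return "userB"; } };
        System.out.println(runAs(a, b, "method Y", new PrivilegedAction<String>() {
            public String run() { return "ran method Y"; }
        }));
    }
}
```

With every identity switch routed through one helper, a code review or static search for other direct uses of `new Subject(` and `Subject.doAs(` shows where the allowlist and audit trail are being bypassed.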

former_member191660
Participant
0 Kudos

you're welcome

Answers (0)