Sure. In fact, the implementation will strongly depend on the version of the CAS server and the way you authenticate your Admin user. It's probably easier with the new CAS server 4.0 as everything can be done in an authentication handler [1] without using a principal resolver.

Let's say that your Admin user is authenticated by a login and a password and has an IP in a specific range. I would change the login page to post a new field: impersonatedUsername. In the handler, I would first verify the Admin credentials against a DB, an LDAP or whatever your datastore is. I would also retrieve the request from the thread local object (ExternalContextHolder if I'm not mistaken) to get the new field and the IP. I would check the IP. Then, if everything is ok, I would retrieve the user data (from the impersonatedUsername) and return this principal. One more thing to do is to save that this is an impersonation, certainly as an authentication attribute.

Best,
Jérôme

[1] https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/authentication/AuthenticationHandler.java

2013/12/17 Idan Fridman <[email protected]>
> Hi,
>
> "Though, I think you could achieve that by creating the appropriate handler"
>
> Could you elaborate a bit on that one? Some leads on how to implement this.
>
> Thanks
>
> From: Jérôme LELEU [mailto:[email protected]]
> Sent: Tuesday, December 17, 2013 9:15 AM
> To: [email protected]
> Subject: Re: [cas-user] Impersonation support
>
> Hi,
>
> CAS doesn't have that feature out of the box. Though, I think you could achieve that by creating the appropriate handler: it would take the Admin credentials as well as the username to impersonate.
>
> The main challenge and concern here is security, as this mechanism is extremely powerful. If I can trick it, I could be anyone.
>
> The level of security requested for the Admin user should be higher than for a regular user: IP filtering or one-time password code could be extra checks (in addition to login/pwd) to mitigate risks.
>
> Best regards,
> Jérôme
>
> 2013/12/16 ray <[email protected]>
>
> I would like to know if CAS supports impersonation?
> For example an Admin user can have the ability to "pretend" to be some regular user and have his roles, permissions, etc.
> Something like the Facebook feature: ".. View as Specific Person"
> If CAS doesn't support that out of the box, any suggestions how to work around for doing that?
>
> Thanks,
> ray.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
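As an added example (not part of the thread and not CAS's own code), the following self-contained Java sketch follows the handler flow Jérôme outlines: verify the Admin's own credentials first, then require the client IP to sit inside an admin range, then resolve the impersonated user, and finally return that user's principal tagged with attributes recording the impersonation. ImpersonationCredential, Principal, the in-memory tables and the CIDR range are assumed stand-ins so it compiles and runs without a CAS server; in a real CAS 4.0 handler the same logic would live behind the AuthenticationHandler interface linked in [1], with the extra form field and the IP read from the request the way the mail describes.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;

// Self-contained sketch of the impersonation handler the thread describes.
// ImpersonationCredential and Principal are plain stand-ins (assumed, not CAS
// classes) so the example compiles and runs without a CAS server on the classpath.
public class ImpersonationHandlerExample {

    /** Stand-in for the login form post: admin login/password, the extra
     *  impersonatedUsername field, and the client IP taken from the request. */
    static final class ImpersonationCredential {
        final String adminUsername, adminPassword, impersonatedUsername, clientIp;
        ImpersonationCredential(String admin, String password, String target, String ip) {
            this.adminUsername = admin; this.adminPassword = password;
            this.impersonatedUsername = target; this.clientIp = ip;
        }
    }

    /** Stand-in for the principal handed back to CAS: an id plus attributes. */
    static final class Principal {
        final String id;
        final Map<String, Object> attributes;
        Principal(String id, Map<String, Object> attributes) { this.id = id; this.attributes = attributes; }
    }

    // Constructed sample datastore (hypothetical). A real deployment would verify
    // hashed passwords in a DB/LDAP, never compare plaintext like this table does.
    static final Map<String, String> ADMIN_PASSWORDS = new HashMap<String, String>();
    static final Map<String, Map<String, Object>> USER_DIRECTORY = new HashMap<String, Map<String, Object>>();
    static final String ADMIN_CIDR = "10.0.42.0/24"; // assumed admin network range

    static {
        ADMIN_PASSWORDS.put("alice.admin", "correct horse battery staple");
        Map<String, Object> bob = new LinkedHashMap<String, Object>();
        bob.put("mail", "bob@example.org");
        bob.put("roles", "employee,finance");
        USER_DIRECTORY.put("bob", bob);
    }

    /** True if ip falls inside the CIDR block (IPv4 or IPv6; mixed families never match). */
    static boolean ipInCidr(String ip, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] addr = InetAddress.getByName(ip).getAddress();
        int prefix = Integer.parseInt(parts[1]);
        if (net.length != addr.length || prefix > net.length * 8) return false;
        for (int bit = 0; bit < prefix; bit++) {
            int mask = 0x80 >>> (bit % 8);
            if ((net[bit / 8] & mask) != (addr[bit / 8] & mask)) return false;
        }
        return true;
    }

    /** Handler logic: every check must pass before the impersonated principal is returned. */
    static Principal authenticate(ImpersonationCredential c) throws GeneralSecurityException {
        // 1. The admin's own credentials, checked first so a bad login learns nothing about the target.
        String expected = ADMIN_PASSWORDS.get(c.adminUsername);
        byte[] given = c.adminPassword.getBytes(StandardCharsets.UTF_8);
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)) {
            throw new FailedLoginException("bad admin credentials");
        }
        // 2. Extra check for this privileged flow: the request must come from the admin range.
        try {
            if (!ipInCidr(c.clientIp, ADMIN_CIDR)) throw new FailedLoginException("client IP outside admin range");
        } catch (UnknownHostException e) {
            throw new FailedLoginException("unparseable client IP");
        }
        // 3. Resolve the user to impersonate; an unknown target is a failure, not a fresh account.
        Map<String, Object> userAttrs = USER_DIRECTORY.get(c.impersonatedUsername);
        if (userAttrs == null) throw new AccountNotFoundException("no such user: " + c.impersonatedUsername);
        // 4. Record that this session is an impersonation and by whom, so relying services
        //    and audit logs can tell it apart from a normal login by the target user.
        Map<String, Object> attrs = new LinkedHashMap<String, Object>(userAttrs);
        attrs.put("impersonated", Boolean.TRUE);
        attrs.put("impersonatedBy", c.adminUsername);
        return new Principal(c.impersonatedUsername, attrs);
    }

    public static void main(String[] args) throws Exception {
        Principal p = authenticate(new ImpersonationCredential(
                "alice.admin", "correct horse battery staple", "bob", "10.0.42.17"));
        System.out.println(p.id + " " + p.attributes);
        try {
            authenticate(new ImpersonationCredential(
                    "alice.admin", "correct horse battery staple", "bob", "203.0.113.5"));
        } catch (FailedLoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The ordering matters: the admin password and the IP range are both checked before the impersonated username is even looked up, so a caller who fails either check gets the same failure regardless of which target they named. The impersonated/impersonatedBy attributes are what lets a relying service (or a log reviewer) distinguish "bob logged in" from "alice.admin is acting as bob", which is the point of saving the impersonation as an authentication attribute rather than silently returning bob's principal.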
