The Opencast documentation recommends creating a user with ROLE_SUDO (one per app) to call the external API. The API calls should then be performed as a regular user, which guarantees that the result of the requested resource is what that user is allowed to see. This is achieved by switching the user with the X-RUN-AS-USER or X-RUN-WITH-ROLES HTTP headers.
The current implementation is broken in this respect, because the user switch is performed after the Spring Security filter chain has already been applied to the HTTP request. So Opencast checks the security constraints against the application user (with ROLE_SUDO) and not against the calling user (i.e. the one with some ROLE_API_*_VIEW roles).
Steps to reproduce:
1. create an external user with role ROLE_SUDO
2. create an apiuser with ROLE_API and some optional ROLE_API_EVENTS_VIEW
3. log in as the external user
4. call http://localhost:8080/api/info/me and check that the response is 403, because the external user does not have ROLE_API
5. call http://localhost:8080/api/info/me with the "X-RUN-AS-USER: apiuser" header
Here we expect a JSON document with the user info, but the response is 403 as well.
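To make the ordering problem concrete, here is a small constructed Python model (added here, not Opencast code) of the two filter orderings: the run-as switch applied after the authorization check, as described above, and the corrected order in which the switch happens first so the check sees the effective principal. The user names, roles and the /api/ rule follow the reproduction steps; the filter functions, chain names and the `call_info_me` helper are assumptions.

```python
# Constructed model of the filter ordering described above; not Opencast code.
from dataclasses import dataclass

ROLE_SUDO, ROLE_API = "ROLE_SUDO", "ROLE_API"

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

# Constructed users matching the reproduction steps.
USERS = {
    "external": User("external", frozenset({ROLE_SUDO})),
    "apiuser": User("apiuser", frozenset({ROLE_API, "ROLE_API_EVENTS_VIEW"})),
}

def security_filter(req):
    """Authorization: anything under /api/ needs ROLE_API on the current principal."""
    if req["path"].startswith("/api/") and ROLE_API not in req["user"].roles:
        return 403
    return None

def run_as_filter(req):
    """Honour X-RUN-AS-USER, but only for callers that hold ROLE_SUDO."""
    target = req["headers"].get("X-RUN-AS-USER")
    if target is None:
        return None
    if ROLE_SUDO not in req["user"].roles or target not in USERS:
        return 403  # a caller without ROLE_SUDO may not impersonate anyone
    req["user"] = USERS[target]  # later filters and the resource see the new principal
    return None

def handle(req, chain):
    """Run the filters in order; the first one that returns a status short-circuits."""
    for f in chain:
        status = f(req)
        if status is not None:
            return status
    return 200

BROKEN_CHAIN = [security_filter, run_as_filter]  # switch after the check (reported bug)
FIXED_CHAIN = [run_as_filter, security_filter]   # switch before the check

def call_info_me(caller, chain, run_as=None):
    """Simulate GET /api/info/me as `caller`, optionally with an X-RUN-AS-USER header."""
    headers = {} if run_as is None else {"X-RUN-AS-USER": run_as}
    req = {"path": "/api/info/me", "headers": headers, "user": USERS[caller]}
    return handle(req, chain)
```

With BROKEN_CHAIN the external user gets 403 even when switching to apiuser, exactly as in step 5; with FIXED_CHAIN the same call succeeds, while a caller without ROLE_SUDO is still refused the switch.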