Springsecurity filter should be applied after switching user for external API

Description

The Opencast documentation recommends creating a user with ROLE_SUDO (for each app) to call the external API. The API calls should be done as a regular user. This should guarantee that the result of the requested resource is what the user is allowed to see. This behaviour can be achieved by switching the user with the X-RUN-AS-USER or X-RUN-WITH-ROLES HTTP headers.
The current implementation is broken in that respect, because the user switching is done after the Spring Security filter chain is applied to each HTTP request. So Opencast checks the security on the application user (with ROLE_SUDO) and not on the calling user (i.e. with some ROLE_API_*_VIEW roles).

Steps to reproduce:
1. Create an external user with the role ROLE_SUDO.
2. Create an apiuser with ROLE_API and optionally ROLE_API_EVENTS_VIEW.
3. Log in as the external user.
4. Call http://localhost:8080/api/info/me and check that the response is 403, because the external user does not have ROLE_API.
5. Call http://localhost:8080/api/info/me with the header "X-RUN-AS-USER: apiuser".

Here we expect a JSON document with the user info, but the response is 403 too.
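The ordering problem described above, as an added illustration that is not Opencast code: a simplified Python model of the filter chain in which the reported order (authorize the login user, then switch) is placed beside the intended order (switch, then authorize the effective user). The user directory, the rule that /api/info/me requires ROLE_API, and the comma-separated role list in X-RUN-WITH-ROLES are assumptions of this model.

```python
"""Model of the filter-chain ordering problem from the issue.

Added illustration, not Opencast code: Request, Principal and the two
chain functions are stand-ins for Spring Security's filter chain and
Authentication objects.
"""
from dataclasses import dataclass, field

SUDO_ROLE = "ROLE_SUDO"
RUN_AS_HEADER = "X-RUN-AS-USER"
RUN_WITH_ROLES_HEADER = "X-RUN-WITH-ROLES"

# Assumed for this model: the endpoint from the issue requires ROLE_API.
ENDPOINT_ROLES = {"/api/info/me": {"ROLE_API"}}

# Constructed user directory matching the reproduction steps.
USERS = {
    "external": {SUDO_ROLE},
    "apiuser": {"ROLE_API", "ROLE_API_EVENTS_VIEW"},
}


@dataclass
class Request:
    path: str
    auth_user: str                      # user authenticated by the HTTP login
    headers: dict = field(default_factory=dict)


@dataclass
class Principal:
    name: str
    roles: set


class Forbidden(Exception):
    """Stands in for the 403 the chain produces."""


def authenticate(req: Request) -> Principal:
    return Principal(req.auth_user, set(USERS[req.auth_user]))


def authorize(principal: Principal, path: str) -> None:
    """Spring Security's authorization step: checks the *current* principal."""
    required = ENDPOINT_ROLES[path]
    if not required & principal.roles:
        raise Forbidden(f"{principal.name} lacks {sorted(required)} for {path}")


def switch_user(principal: Principal, req: Request) -> Principal:
    """Honour X-RUN-AS-USER / X-RUN-WITH-ROLES, but only for ROLE_SUDO callers."""
    run_as = req.headers.get(RUN_AS_HEADER)
    run_with = req.headers.get(RUN_WITH_ROLES_HEADER)
    if run_as is None and run_with is None:
        return principal
    if SUDO_ROLE not in principal.roles:
        # A caller without ROLE_SUDO must never be able to impersonate anyone.
        raise Forbidden(f"{principal.name} may not switch user")
    if run_as is not None:
        if run_as not in USERS:
            raise Forbidden(f"unknown run-as user {run_as}")
        principal = Principal(run_as, set(USERS[run_as]))
    if run_with is not None:
        # Assumption of this model: a comma-separated list of roles to run with.
        roles = {r.strip() for r in run_with.split(",") if r.strip()}
        principal = Principal(principal.name, roles)
    return principal


def broken_chain(req: Request) -> int:
    """Order reported in the issue: the security filter sees the login user
    (ROLE_SUDO only); the switch happens afterwards and never gets checked."""
    principal = authenticate(req)
    try:
        authorize(principal, req.path)   # evaluates 'external', not 'apiuser'
        switch_user(principal, req)      # too late to influence the decision
    except Forbidden:
        return 403
    return 200


def fixed_chain(req: Request) -> int:
    """Intended order: switch first, then authorize the effective user."""
    try:
        principal = switch_user(authenticate(req), req)
        authorize(principal, req.path)
    except Forbidden:
        return 403
    return 200


def reproduce(chain) -> list:
    """Steps 4 and 5 from the issue, plus one impersonation attempt by a
    non-sudo user that both orderings must reject."""
    plain = Request("/api/info/me", "external")
    run_as = Request("/api/info/me", "external", {RUN_AS_HEADER: "apiuser"})
    abuse = Request("/api/info/me", "apiuser",
                    {RUN_WITH_ROLES_HEADER: "ROLE_API,ROLE_SUDO"})
    return [chain(plain), chain(run_as), chain(abuse)]


if __name__ == "__main__":
    print("broken:", reproduce(broken_chain))   # [403, 403, 403]
    print("fixed: ", reproduce(fixed_chain))    # [403, 200, 403]
```

The third request in `reproduce` is the check a practitioner wants alongside the fix: moving the switch ahead of the authorization step must not turn the headers into a free impersonation channel, so the switch itself still has to require ROLE_SUDO on the authenticated caller.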

Steps to reproduce

None

Status

Assignee

Waldemar Smirnow

Reporter

Waldemar Smirnow

Criticality

None

Tags (folksonomy)

None

Components

Fix versions

Affects versions

2.3.0

Priority

Major