Forum: Seam Users Forum
28. Jul 2008, 20:26 CET | Link

I'm looking to add the ability to impersonate another user account in my application. This app uses the jpa-identity-store in Seam 2.1, which stores the user password as a hash in the database. Specifically, I'm looking to add the ability for my super-user account to do something similar to su - user in my app.

Anyone have any ideas on how to pull this off?

Thanks, Rick

8 Replies:
28. Jul 2008, 20:38 CET | Link

I think I got this. Going to extend JpaIdentityStore with a new method called impersonate that basically does the same thing as authenticate without the password check. I'll annotate with the appropriate role for added security.

Rick

28. Jul 2008, 22:13 CET | Link

OK, maybe not. Got the code, just can't seem to slip in my custom JpaIdentityStore in place of the bundled version. Saw many mentions of this being possible, but not seeing the hook that makes the magic happen. Anyone have any tips? In the meantime, I'll take a look at the examples.

Rick

28. Jul 2008, 22:39 CET | Link

Was able to override a method but after adding my impersonate method to my custom JpaIdentityStore, the IdentityStore interface, and my IdentityManager, I get the following error on any action bean where IdentityManager was being injected:

@In attribute requires non-null value: myForm.identityManager

This happens whether or not I declare my @In IdentityManager identityManager using my custom class or the default.

29. Jul 2008, 10:51 CET | Link
@In(required=false)

should help you with that.

If you want it to be created:

@In(create=true,required=false,
29. Jul 2008, 11:06 CET | Link

Perhaps you could also take a look at the @AutoCreate annotation.

29. Jul 2008, 12:39 CET | Link

Have you looked at RunAs?

 

Read about how to report a bug.

29. Jul 2008, 21:56 CET | Link

Not sure on exactly how you would implement this in your particular app.

But we had the same requirements for an app years ago. What we did was just store the user credentials on the stack.

So you could keep in theory adding on to that stack. And the log off would just pop the top one off. And when you had no more you'd be gone.

You'd have to overwrite some of the Identity class to do this. But if all you really care about is the username, roles, and permissions then it wouldn't be much to worry about.

30. Jul 2008, 17:40 CET | Link

Thanks Daniel and all the rest that contributed -- Looks like @AutoCreate is the winner here. I now have user-switching in my app. The RunAs tip was good, more about executing a single operation as an impersonated user... I'm switching the entire login context to the destination user.

When I get thru this project, I'll definitely contrib a how-to on this topic and perhaps a patch that will include my impersonate method in the IdentityManager class.

Rick
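
The two ideas in this thread, a role-restricted impersonate without a password check and a stack of identities that logging off unwinds, put together as an added example that is not code from the thread or from Seam. ImpersonationSession, Principal and the role name superuser are hypothetical; it is plain Java 16+ and does not use Seam's Identity or JpaIdentityStore classes.

```java
import java.util.*;

/** Hypothetical session-scoped holder for an identity stack; not a Seam class. */
public class ImpersonationSession {
    /** Minimal stand-in for the "username, roles" the thread says matter. */
    public record Principal(String username, Set<String> roles) {}

    private static final String REQUIRED_ROLE = "superuser"; // assumed role name
    private final Deque<Principal> stack = new ArrayDeque<>();
    private final List<String> audit = new ArrayList<>();

    public ImpersonationSession(Principal authenticated) { stack.push(authenticated); }

    /** The identity that actually logged in with a password (bottom of the stack). */
    public Principal realUser() { return stack.peekLast(); }

    /** The identity that permission checks should currently use (top of the stack). */
    public Principal effectiveUser() { return stack.peekFirst(); }

    /** Switch without a password check; only the real user's roles can authorize it. */
    public void impersonate(Principal target) {
        if (!realUser().roles().contains(REQUIRED_ROLE)) {
            audit.add("DENIED " + realUser().username() + " -> " + target.username());
            throw new SecurityException("impersonation requires role " + REQUIRED_ROLE);
        }
        stack.push(target);
        audit.add("SWITCH " + realUser().username() + " -> " + target.username());
    }

    /** Pop one level; returns false once the real user has logged off too. */
    public boolean logout() {
        Principal left = stack.pop();
        audit.add("EXIT " + left.username());
        return !stack.isEmpty();
    }

    public List<String> auditLog() { return List.copyOf(audit); }

    public static void main(String[] args) {
        ImpersonationSession s = new ImpersonationSession(new Principal("admin", Set.of("superuser")));
        s.impersonate(new Principal("rick", Set.of("user")));   // constructed sample users
        System.out.println(s.effectiveUser().username() + " (real: " + s.realUser().username() + ")");
        s.impersonate(new Principal("daniel", Set.of("user"))); // authorized by admin's roles, not rick's
        while (s.logout()) { /* unwind each level, ending with the real user's log off */ }
        s.auditLog().forEach(System.out::println);
    }
}
```

Checking the role against the bottom of the stack means an impersonated account never gains the ability to switch users through its own roles, and every audit line names the account that really authenticated.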