CSR Site Direct Login
Available as of enterprise module version 3.2.2-GA
Broadleaf already allows a CSR to transfer from the admin tool to the site as a specific target user. This new feature
allows a CSR user to bypass the admin tool and log in directly from the site's customer login facility. If the login is
successful, the user's session will be in CSR mode and the CSR will be able to switch to a target user from the CSR
header bar in the UI. Furthermore, the site can be configured to allow the CSR to change the target user's password. However,
since such an action has security implications, we suggest auditing changes to the CustomerImpl domain using
the Standard Audit Logging feature.
Configuring Site Direct Login
- Configure Spring Security
- (Optional) Support CSR Change Customer Password
- Make the admin password encoder available to site
- Enable the Feature
Spring Security
By default, the Spring Security configuration for site uses a single authentication provider. However, in this case,
we want to have two authentication providers so that we can also check if the login is for a qualified admin user (e.g. CSR).
First, to SiteSecurityConfig.java, add the following two resources to support authenticating a CSR.
// User details and password encoder used to authenticate a CSR (admin) user against the site login
@Resource(name="blCSRCapableUserDetailsService")
protected UserDetailsService csrDetailsService;

@Resource(name="blAdminPasswordEncoder")
protected PasswordEncoder csrPasswordEncoder;
Next, change the SiteSecurityConfig#configure method to the following implementation in order to inform the Spring Security
infrastructure that multiple providers are in play.
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // Provider 1: regular site customers, validated with the site password encoder
    DaoAuthenticationProvider basic = new DaoAuthenticationProvider();
    basic.setUserDetailsService(userDetailsService);
    basic.setPasswordEncoder(passwordEncoder);
    auth.authenticationProvider(basic);

    // Provider 2: CSR (admin) users, validated with the admin password encoder
    DaoAuthenticationProvider csr = new DaoAuthenticationProvider();
    csr.setUserDetailsService(csrDetailsService);
    csr.setPasswordEncoder(csrPasswordEncoder);
    auth.authenticationProvider(csr);
}
Finally, change the AuthenticationSuccessHandler field to reference a CSR capable version.
@Resource(name="blCSRCapableAuthenticationSuccessHandler")
protected AuthenticationSuccessHandler successHandler;
(Optional) Support CSR Change Customer Password
In ChangePasswordController.java (this is usually located in your site project), extend CSRAwareChangePasswordController
instead of BroadleafChangePasswordController. That's it.
Admin Password Encoder
By default, the admin password encoder implementation property is not available to site. The encoder is required to properly
validate the CSR login. You can make the encoder available to site by copying the property value for password.admin.encoder
to property files visible to the site. This is generally as simple as setting the value in common-shared.properties for the
development version of the property (usually NoOpPasswordEncoder), and then setting the more secure version in production-shared.properties.
For example, in common-shared.properties:
password.admin.encoder=org.springframework.security.crypto.password.NoOpPasswordEncoder
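To see why the two providers above each need their own encoder, and why the admin encoder must therefore be visible to the site, here is an added stand-alone example (not Broadleaf's or Spring Security's own code) that wires a ProviderManager the same way SiteSecurityConfig does, with in-memory stand-ins for blUserDetailsService and blCSRCapableUserDetailsService. The usernames, passwords and BCrypt encoders are constructed assumptions; in a real deployment the CSR provider's encoder is whatever password.admin.encoder resolves to.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example, not Broadleaf's or Spring Security's own code. The encoders, users and
// passwords are constructed stand-ins for the site encoder and password.admin.encoder.
public class TwoProviderLoginDemo {
    static final PasswordEncoder SITE_ENCODER = new BCryptPasswordEncoder();
    static final PasswordEncoder ADMIN_ENCODER = new BCryptPasswordEncoder(12);

    static AuthenticationManager buildManager() {
        // Stand-in for blUserDetailsService: customer hashes produced by the site encoder.
        UserDetailsService customers = new InMemoryUserDetailsManager(
            User.withUsername("shopper").password(SITE_ENCODER.encode("shopper-pw")).roles("USER").build());
        // Stand-in for blCSRCapableUserDetailsService: CSR hashes produced by the admin encoder.
        UserDetailsService csrs = new InMemoryUserDetailsManager(
            User.withUsername("csr.jane").password(ADMIN_ENCODER.encode("csr-pw")).roles("CSR").build());

        DaoAuthenticationProvider basic = new DaoAuthenticationProvider();
        basic.setUserDetailsService(customers);
        basic.setPasswordEncoder(SITE_ENCODER);
        DaoAuthenticationProvider csr = new DaoAuthenticationProvider();
        csr.setUserDetailsService(csrs);
        csr.setPasswordEncoder(ADMIN_ENCODER); // must match the encoder that hashed the admin rows

        // ProviderManager consults providers in registration order: the CSR provider is
        // only reached after the customer provider has rejected the credentials.
        return new ProviderManager(List.of(basic, csr));
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        Authentication shopper = manager.authenticate(
            new UsernamePasswordAuthenticationToken("shopper", "shopper-pw"));
        System.out.println("shopper authenticated via the customer provider: " + shopper.getAuthorities());
        Authentication csr = manager.authenticate(
            new UsernamePasswordAuthenticationToken("csr.jane", "csr-pw"));
        System.out.println("csr.jane authenticated via the CSR provider: " + csr.getAuthorities());
    }
}
```

If the CSR provider were given the site encoder instead, csr.jane's admin-encoded hash would never verify and the second login would fail with BadCredentialsException, which is the failure mode that copying password.admin.encoder to the site properties prevents.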
Enabling the Feature
Finally, the feature must be enabled or it will remain dormant. Enabling is as simple as adding the site.enable.direct.csr.auth=true
property to common-shared.properties.