spring security (3.0.x) and user impersonation

Question

In my web application, there are times when an authenticated admin might want to impersonate another valid user of a system without having to know that user\'s password.

Answer 1

It's in the Spring Security 3 and Spring Security 4 docs aptly named, "Run-As Authentication Replacement."

The AbstractSecurityInterceptor is able to temporarily replace the Authentication object in the SecurityContext and SecurityContextHolder during the secure object callback phase.