To impersonate user outside from Control Panel you just need to generate "magic" parameter (doAsUserId=) which contains encrypted target user id. I used liferay-security tag for that:
<liferay-security:doasurl doAsUserId="${command.doAsUserId}" var="impersonateUserURL" />
You can manually "encrypt" paroper parameter value, just look for examples in com.liferay.taglib.security.DoAsURLTag sources :-)
Real user needs to have permission to impersonate. This can be defined in custom role (regular) with portal permission User: Impersonate: scope=portal
