Feb 08, 2007

Securing Spring WebFlow flows in under 500 lines of code

A client of ours I visited a couple of weeks ago had successfully prototyped Spring WebFlow security. The solution was pretty elegant, although when looking at it from a configuration perspective, it wasn’t entirely perfect. I offered to take over the code and help out with refactoring it so it could be integrated into their code much in the same way as Acegi Security method interceptors work.
This morning I finally got to doing so and I ended up with a solution that is not even 500 lines of code long (including extensive JavaDoc) and integrates perfectly with existing facilities offered by Acegi. I am going to integrate the solution with the client this afternoon (if the snow doesn’t prevent me from getting to their office; it’s snowing *right now* and if in Holland there’s a tiny bit of snow, all traffic comes to a grinding halt).

The following is a configuration snippet that allows you to secure a flow based on states, events and the flow identifier itself. Other than that, it has the same configuration properties as the MethodSecurityInterceptor (it’s in the same class hierarchy).



admin-flow=SUPER_USER
order-flow=SUPER_USER,CUSTOMER
order-flow.state.enterShippingDetails=SUPER_USER,CUSTOMER
order-flow.event.cancel=SUPER_USER
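
How keys like these could be resolved for a request, as an added example that is not the interceptor described in this post and uses no Acegi or Spring WebFlow classes. The class name FlowAccessCheck, the precedence (event key, then state key, then flow id), the any-one-role rule and the denial of flows with no entry are assumptions; the sample user is constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;

/** Hypothetical resolver for the flow security keys shown above; not Acegi or Spring WebFlow code. */
public class FlowAccessCheck {
    private final Properties defs = new Properties();

    public FlowAccessCheck(String definitions) throws IOException {
        defs.load(new StringReader(definitions)); // same key=value format as the snippet
    }

    /** Assumption: the most specific key wins (event, then state, then the flow id itself). */
    Set<String> requiredRoles(String flow, String state, String event) {
        String[] keys = { event == null ? null : flow + ".event." + event,
                          state == null ? null : flow + ".state." + state,
                          flow };
        for (String key : keys) {
            String value = key == null ? null : defs.getProperty(key);
            if (value == null) continue; // no definition at this level, try the next one
            Set<String> roles = new LinkedHashSet<>();
            for (String r : value.split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
            return roles;
        }
        return Collections.emptySet(); // nothing configured for this flow
    }

    /** Assumption: any one listed role is enough; a flow with no entry is denied (fail closed). */
    boolean isAllowed(Set<String> granted, String flow, String state, String event) {
        for (String role : requiredRoles(flow, state, event)) {
            if (granted.contains(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        FlowAccessCheck check = new FlowAccessCheck(String.join("\n",
            "admin-flow=SUPER_USER",
            "order-flow=SUPER_USER,CUSTOMER",
            "order-flow.state.enterShippingDetails=SUPER_USER,CUSTOMER",
            "order-flow.event.cancel=SUPER_USER"));
        Set<String> customer = Collections.singleton("CUSTOMER"); // constructed sample user
        System.out.println(check.isAllowed(customer, "order-flow", "enterShippingDetails", null));
        System.out.println(check.isAllowed(customer, "order-flow", "enterShippingDetails", "cancel"));
        System.out.println(check.isAllowed(customer, "admin-flow", null, null));
        System.out.println(check.isAllowed(customer, "report-flow", null, null)); // unlisted flow
    }
}
```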

This pretty much proves the extensibility of Acegi Security again. This is the third time already I’ve integrated a new system with Acegi Security to provide security at yet another level (two other times I integrated it with other clients’ internal security systems). All three times, it didn’t take me more than 500 lines of code if I remember correctly.

In some form or another, this feature will be available in Spring WebFlow as soon as we can get it in. Keep monitoring SWF-93 if you’re interested.

Written by Alef in: Java-related, Spring, Technology

Feb 04, 2007

Guy with necktie caught using SQL*Plus ;-)

I was caught last week during our public Hibernate training not using the Eclipse Database Explorer or any fancy database tool such as Toad or Squirrel, but SQL*Plus. It’s been a while ;-) .

I usually use Oracle XE when I have to do any serious database stuff, as certain things simply can’t be done on Derby or HSQLDB. I usually use the web interface you get with XE (that’s what an interface should be like; get rid of that enterprise manager!!), but the AMIS guys insisted I use SQL*Plus to demonstrate some locking strategies you can use when working with Hibernate on Oracle.

Written by Alef in: Technology