A client of ours I visited a couple of weeks ago had successfully prototyped Spring WebFlow security. The solution was pretty elegant, although when looking at it from a configuration perspective, it wasn’t entirely perfect. I offered to take over the code and help out with refactoring it so it could be integrated into their code much in the same way as Acegi Security method interceptors work.

This morning I finally got to doing so and I ended up with a solution that is not even 500 lines of code long (including extensive JavaDoc) and integrates perfectly with existing facilities offered by Acegi. I am going to integrate the solution with the client this afternoon (if the snow doesn’t prevent me from getting to their office; it’s snowing *right now* and if in Holland there’s a tiny bit of snow, all traffic comes to a grinding halt). The following is a configuration snippet that allows you to secure a flow based on states, events and the flow identifier itself. Other than that, it has the same configuration properties as the MethodSecurityInterceptor (it’s in the same class hierarchy).

admin-flow=SUPER_USER
order-flow=SUPER_USER,CUSTOMER
order-flow.state.enterShippingDetails=SUPER_USER,CUSTOMER
order-flow.event.cancel=SUPER_USER

This pretty much proves the extensibility of Acegi Security again. This is the third time already I’ve integrated a new system with Acegi Security to provide security at yet another level (two other times I integrated it with other clients’ internal security systems). All three times, it didn’t take me more than 500 lines of code if I remember correctly.

In some form or another, this feature will be available in Spring WebFlow as soon as we can get it in. Keep monitoring SWF-93 if you’re interested.
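
To make the rule format above concrete, here is an added example (not the code from this post, and not part of Spring WebFlow or Acegi) that parses the four entries and answers an access question for a flow, state and event. The class name FlowAccessRules and its semantics are assumptions: holding any one listed role satisfies an entry, every entry that applies must be satisfied, and a flow with no flow-level entry is denied.

```java
import java.util.*;

// Added illustration; FlowAccessRules is a hypothetical name, not a Spring WebFlow or Acegi class.
public class FlowAccessRules {
    private final Map<String, Set<String>> rules = new HashMap<>();

    // Parses lines of the form "key=ROLE_A,ROLE_B", as in the snippet above.
    public FlowAccessRules(String definition) {
        for (String line : definition.split("\\R")) {
            line = line.trim();
            if (line.isEmpty()) continue;
            int eq = line.indexOf('=');
            if (eq <= 0) throw new IllegalArgumentException("Malformed rule: " + line);
            Set<String> roles = new LinkedHashSet<>();
            for (String r : line.substring(eq + 1).split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
            // An entry with no roles would be ambiguous, so reject it at load time.
            if (roles.isEmpty()) throw new IllegalArgumentException("Rule grants no role: " + line);
            rules.put(line.substring(0, eq).trim(), roles);
        }
    }

    // Assumed semantics: the flow-level entry is mandatory (no entry means deny);
    // state and event entries add a further requirement only when they exist.
    public boolean isAllowed(String flowId, String stateId, String eventId, Set<String> granted) {
        Set<String> flowRoles = rules.get(flowId);
        if (flowRoles == null || Collections.disjoint(flowRoles, granted)) return false;
        return satisfies(flowId + ".state." + stateId, stateId, granted)
            && satisfies(flowId + ".event." + eventId, eventId, granted);
    }

    private boolean satisfies(String key, String id, Set<String> granted) {
        if (id == null) return true; // no state or event involved in this request
        Set<String> required = rules.get(key);
        return required == null || !Collections.disjoint(required, granted);
    }

    public static void main(String[] args) {
        FlowAccessRules rules = new FlowAccessRules(String.join("\n",
            "admin-flow=SUPER_USER",
            "order-flow=SUPER_USER,CUSTOMER",
            "order-flow.state.enterShippingDetails=SUPER_USER,CUSTOMER",
            "order-flow.event.cancel=SUPER_USER"));
        Set<String> customer = Collections.singleton("CUSTOMER");
        System.out.println(rules.isAllowed("order-flow", "enterShippingDetails", null, customer));
        System.out.println(rules.isAllowed("order-flow", null, "cancel", customer));
        System.out.println(rules.isAllowed("admin-flow", null, null, customer));
        System.out.println(rules.isAllowed("unlisted-flow", null, null, customer));
    }
}
```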

Thanks for this solution for integrating Acegi and SWF.
Please, could you post a spring configuration example?
Thanks again.
Hi again.
The problem was that we use webflow integrated with JSF. Then, the JSF integration does not use the flow executor at all, it fits in executor service logic across JSF Phase Listener methods.
The solution is:
…-flow=ROLE_USER,…
…-flow=ROLE_SUPERVISOR
Thanks again for this elegant solution.
Sorry, the solution didn’t appear because of the XML tags??
Just starting to use Spring Webflow after having used Spring MVC and Acegi for a while but found security of flows to be a bit of an issue.
This looks exactly the sort of solution that I am looking for but when I took the code into my Spring 2.0.4 / Acegi 1.0.3 project I got the following error:
org.springframework.beans.factory.BeanNotOfRequiredTypeException: Bean named ‘flowSecurityInterceptor’ must be of type [javax.servlet.Filter], but was actually of type [org.springframework.webflow.security.FlowSecurityInterceptor]
I am not sure if I have configured this correctly. This is what I have done:
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=…,flowSecurityInterceptor
…
example-flow=ROLE_EXAMPLE_LIST
Any suggestions?
Thanks in advance for the help.
Same as above, I’m not quite sure how to tie in the FlowSecurityInterceptor with the filter chain??? Should I be thinking about using a proxy over some object from the webflow framework?
Thanks
Hi,
Thanks for this solution. Are there any plans to bundle it either with Spring WebFlow or Acegi Security distribution jars?