Thread: WebFlow + Security: where to go after successful login?

  1. #1
    Join Date
    Apr 2009
    Posts
    12

    Default WebFlow + Security: where to go after successful login?


    I'm a newbie in Spring WebFlow and Tiles (I use Spring MVC), and I don't know how to redirect when login is successful, while I'm trying to insert Spring Security. I know MVC and Spring Security basics.

    The current config is:

    HTML Code:
    <flow xmlns="http://www.springframework.org/schema/webflow"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/webflow
        http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd" start-state="login">
    
        <view-state id="login" view="login">
            <transition on="proceed" to="checkUser" />
            <transition on="submit" to="checkUser"/>
        </view-state>
    
        <action-state id="checkUser">
            <evaluate expression="loginController.checkUser"/> <!-- checkUser does login stuff -->
            <transition on="success" to="pestanyas"/>
            <transition on="error" to="login" />
        </action-state>
    
        <view-state id="pestanyas" view="pestanyas">
            <transition on="..." />
        </view-state>
    
    ...
    
    </flow>
    I'm trying this one:

    * Login shows a user/pass form with action="j_spring_security_check" (this works).
    * Login is intercepted by my CustomAuthenticationManager, and does login stuff, like authorities and so on (this works).
    * And now, when login is successful, where do I go? How can I tell Spring Security to go to the next view? What is the right value in defaultTargetUrl property of SavedRequestAwareAuthenticationSuccessHandler bean?

    Authentication is working, but login view is showing once, and again, and again...

    I'm using WebFlow 2.3.0 and SpringSecurity 3.0.3.

    I hope I have exposed my question in a right way.

    Any help is very very appreciated. Thank you all in advance.

    Best regards.

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,625

    Default

    Why are you reinventing the wheel... You are creating your own login flow/material whereas all that is already provided by Spring Security... I suggest a read of the security chapter in the web flow reference guide.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  3. #3
    Join Date
    Apr 2009
    Posts
    12

    Default

    Hi Marten, thanks for your answer.

    I'm updating an existing application. As you see, login was not secured with Spring Security.

    There is a login form, processed by a LoginController, redirected to pestanyas, and so on. I changed the login action to j_spring_security_check, doing it in a Spring way, with Spring Security, interceptors. But when login succeeds, which is the success URL in WebFlow?

    I have read chapter 7 of the WebFlow reference. I put roles in all views, inserted the securityFlowExecutionListener, and now I'm trying to test it, but there's something wrong in the first basic step: login.

    Chapter 7 seems so easy but I don't know what's going on, and I'm very desperate. I need the login to be open to all users, and then, when login succeeds, to start the normal flow. In addition to this, I need to redirect to the login page when a session timeout happens.

    Spring Security does this stuff but I don't know how to integrate it with WebFlow. Something was wrong with me.

    Thanks again. I don't know what to do.
    Best regards

  4. #4
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,625

    Default

    Remove all login stuff from web flow (the old login stuff) and simply start at the correct state (which isn't login).
    Marten Deinum

  5. #5
    Join Date
    Apr 2009
    Posts
    12

    Default

    Hi Marten, and thank you again for your suggestions.

    You have mentioned the main key for my trouble.
    Following your suggestions, I remove the login manual stuff in WebFlow, and do this (the file is brm-flow.xml):

    HTML Code:
    <flow xmlns="http://www.springframework.org/schema/webflow"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/webflow
            http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd" start-state="pestanyas">
    
    	<view-state id="pestanyas" view="pestanyas">
    		<secured attributes="ROLE_ACCESS_PESTANYA"/>
    	
    		<transition . . . />
    		<transition . . . />
    . . .
    SecurityFlowExecutionListener is also defined in webflow-config.xml:
    HTML Code:
    <bean id="securityFlowExecutionListener" class="org.springframework.webflow.security.SecurityFlowExecutionListener" />
    In security.xml, I do this:
    HTML Code:
    <http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">
    		<intercept-url pattern="/WEB-INF/views/login.jsp" filters="none" />
    		<intercept-url pattern="/WEB-INF/views/pestanyas.jsp" access="ROLE_ACCESS_PESTANYA" />
    		...
    		
    ...
    My first view after login is "pestanyas" and I put the authority that logged user must have to get into that.

    I have my login.jsp in /WEB-INF/views/login.jsp
    "pestanyas" is in /WEB-INF/views/pestanyas.jsp

    When I try to access the application, it goes directly to "pestanyas", and cracks with NullPointerException.
    All the URLs are http://.../brm-flow.do?execution=e1s1 and something like this.
    Default welcome page "index.jsp" redirects to "brm-flow.do".

    I think that this should work like this:
    • Go to pestanyas
    • Check permissions (ROLE_ACCESS_PESTANYA)
    • If there is no permission, offer login view to get access
    • Check permissions and start session with CustomAuthenticationManager and other SpringSecurity work
    • Access


    Is this right?

    How can I force to make login? Is it right to put physical *.jsp in security XML file?

    Thanks again. Best regards

  6. #6
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,625

    Default

    The fact that a bean is defined doesn't automatically mean that it is used! Have you wired it with the FlowExecutor etc.?

    Also you should secure urls which are handled by the application NOT internal urls to jsps, your current url mapping/security is well pretty much useless.
    Marten Deinum

  7. #7
    Join Date
    Apr 2009
    Posts
    12

    Default

    Marten, I'll review the FlowExecutor issue.

    And about urls in the application, all of them are like this: brm-flow.do?execution={flowExecutionID}...

    This is a non-descriptive url. I don't know when it is in one view or in another... Because of this I asked my first question: how can I know, or how can I go to the view I want?

    This app is so strange. Thanks for your support, Marten.
    Best regards.

  8. #8
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,625

    Default

    You can only go to the start of a flow (that is why it is a flow, you cannot start in the middle)... Security in a flow should be defined in the flow, in either the view, transition or flow...

    Again you should secure only urls that are handled by the application (so your brm-flow.do, which is handled by adding security in your flow xml). I suggest a read of spring security and spring web flows reference guides...
    Marten Deinum
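
An added example, not part of the thread or of the poster's application: one way the advice in posts #6 and #8 can look in configuration, with the listener registered on the flow executor and the URL rule placed on the address the application handles instead of on JSP paths. The `/login.do` URL, the `flowRegistry` bean id, the `webflow:`/`security:` namespace prefixes and the use of `form-login` are assumptions; the poster's setup uses a custom entry point and authentication manager.

```xml
<!-- webflow-config.xml: defining the listener bean is not enough. It has to be
     registered on the flow executor, otherwise <secured> elements in the flow
     definition are not enforced. -->
<webflow:flow-executor id="flowExecutor" flow-registry="flowRegistry">
    <webflow:flow-execution-listeners>
        <webflow:listener ref="securityFlowExecutionListener" />
    </webflow:flow-execution-listeners>
</webflow:flow-executor>

<bean id="securityFlowExecutionListener"
      class="org.springframework.webflow.security.SecurityFlowExecutionListener" />

<!-- security.xml, before (as posted in the thread): the patterns name JSP files
     under /WEB-INF. Browsers request brm-flow.do, never these paths, so the
     rules match no incoming request.
<intercept-url pattern="/WEB-INF/views/login.jsp" filters="none" />
<intercept-url pattern="/WEB-INF/views/pestanyas.jsp" access="ROLE_ACCESS_PESTANYA" />
-->

<!-- security.xml, after: rules on URLs the application actually handles. -->
<security:http>
    <!-- Assumed: /login.do is an application URL (for example an MVC controller)
         that renders the login view; it must stay reachable without a session. -->
    <security:intercept-url pattern="/login.do" filters="none" />

    <!-- The flow URL. An unauthenticated request is sent to the login page, and
         after a successful login the user is returned to the saved request. -->
    <security:intercept-url pattern="/brm-flow.do" access="ROLE_ACCESS_PESTANYA" />

    <!-- default-target-url is used when there is no saved request, e.g. when the
         user opened the login page directly. It points at the flow start. -->
    <security:form-login login-page="/login.do"
                         login-processing-url="/j_spring_security_check"
                         default-target-url="/brm-flow.do" />
</security:http>
```

The `<secured attributes="ROLE_ACCESS_PESTANYA"/>` element already shown in brm-flow.xml stays as it is; the URL rule only adds a check in front of the flow.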
