To have everything consistent in my web application using Spring Framework, Web Flow and JSP, I want to be able to use the same expressions in all 3 layers (GUI, flows, services) without an access decision manager, just with my permission evaluator:

  • GUI: JSP tag authorize + attribute "access"
  • services: annotations @PreAuthorize etc.
  • Web Flow: element "secured" with attribute "attributes"

So I implemented my own FlowExecutionListenerAdapter in order to include my own expression handler (implementing SecurityExpressionHandler<RequestContext>) in which I just put the variables from the flow scopes (in the same order specified in the documentation).

That is when I ran into an issue: the "attributes" expression of the "secured" element is split by commas to return a collection of SecurityConfig. I tried to use a method to transform the collection back to the original string, but the randomness of the order in the collection makes it impossible (especially if you want to use hasPermission with an array of variables).

And the code splitting the string is in FlowModelFlowBuilder.

From there, seeing that I would not be able to get it working without modifying the code and recompiling the jar, I decided to add a new attribute that I called "access" to be consistent with the authorize tag and the intercept-url.

I then updated the appropriate code and put the new attribute in the xsd and everything is working perfectly fine.

My flows can now be secured using something like
Code:
<secured access="hasRole('ROLE_USER') and hasPermission({#myVar1,#myVar2},'somePermission')"/>
So, I wanted to know:
  • are there any other ways to do that without having to modify the code in the library?
  • if not, what should I name the attribute that I am using for that purpose? Is "access" what might be used in the future? (I want to avoid having to refactor all my code when this is supported)
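
Added example, not part of the original post and not Spring Web Flow code: a plain-Java sketch of the comma split described above, plus a check that flags an "attributes" value whose fragments are broken pieces of a larger expression. The class and its methods (`splitLikeSecured`, `isBalanced`, `brokenFragments`) are hypothetical names, and the unordered `HashSet` is an assumption standing in for the unordered collection the post reports.

```java
import java.util.*;

// Illustration only: no Spring classes are used; all names here are hypothetical.
public class SecuredAttributeSplitDemo {

    // Split on commas and trim, collecting into an unordered set
    // (assumption: stands in for the comma split the post describes).
    static Set<String> splitLikeSecured(String attributes) {
        Set<String> out = new HashSet<>();
        for (String part : attributes.split(",")) {
            String t = part.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    // True when brackets and single quotes balance, i.e. the fragment
    // could stand alone as a role name or a complete expression.
    static boolean isBalanced(String s) {
        Deque<Character> stack = new ArrayDeque<>();
        boolean inQuote = false;
        for (char c : s.toCharArray()) {
            if (c == '\'') { inQuote = !inQuote; continue; }
            if (inQuote) continue;
            if (c == '(' || c == '{') stack.push(c);
            else if (c == ')' || c == '}') {
                if (stack.isEmpty()) return false;
                char open = stack.pop();
                if ((c == ')' && open != '(') || (c == '}' && open != '{')) return false;
            }
        }
        return stack.isEmpty() && !inQuote;
    }

    // Fragments that only make sense as part of the original, unsplit string.
    static List<String> brokenFragments(String attributes) {
        List<String> broken = new ArrayList<>();
        for (String f : splitLikeSecured(attributes)) if (!isBalanced(f)) broken.add(f);
        return broken;
    }

    public static void main(String[] args) {
        // Constructed inputs: the expression from the post and a plain role list.
        String expr = "hasRole('ROLE_USER') and hasPermission({#myVar1,#myVar2},'somePermission')";
        System.out.println("fragments: " + splitLikeSecured(expr));   // 3 pieces, order not guaranteed
        System.out.println("broken:    " + brokenFragments(expr));    // all 3 pieces are unbalanced
        System.out.println("role list: " + brokenFragments("ROLE_USER, ROLE_ADMIN")); // []
    }
}
```

Run over the "attributes" values in a set of flow definitions, a check like this separates plain role lists, which survive the split, from expressions containing commas, which do not and cannot be reassembled from an unordered collection.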