Acegi Security System in Spring WebFlow

[senthil_yoga]

Dear everyone,

i have implementedacegi security in Spring MVC and its working out..

But while i migrate the application from Spring MVC to Spring WebFlow ,its not getting worked out..
Should i add any beans optional apart from FlowSecurityInterceptor...

Please give your valuable suggestions
regards
senthil

[senthil_yoga]

Dear everyone,

As i have already said that i have acegi security system working fine with Spring MVC.
And now in order to add some more requirements to the project and improve the efficiency, i need to mgrate the project from Spring MVC to Spring WebFlow.
i am trying to add flow definitions and changing to 'FormAction'...
should i change the secrity also? or leave as it is?
its really confussing !
i was able to do the project using Spring MVC smoothly,but i am really feeling more difficult by changing'FormControllers' to 'FormAction' and Changing 'Acegi Security'...
is there a any easy steps to change....
I have also read the sample applications and i learned the basics...but still !!!
please Anyone give your valuable suggestion!!

regards,
senthil

[JakeRobb]

Hi Senthil,

You said that you are migrating from Spring MVC to Spring Webflow. This worries me. Spring MVC and Spring Webflow serve different purposes. In fact, they work well together.

[senthil_yoga]

Dear JakeRobb and everyone,
Thank you for your advise..

i have followed as you said and i have integrated my application with both Spring Webflow and Spring MVC.
they are working fine...but i am able to secure the pages that had been built using 'SpringMVC'..
How do i secure the 'Flows'...

Please give your valuable suggestions...

Best Regards
senthil

[Marten Deinum]

SWF-93 is a security solution for SWF in combination with Acegi.

[senthil_yoga]

Dear Marten Deinum,
Thank you for your quick reply with a valuable suggestion..,
i will go ahead with the documents and let you know..


Best regards
senthil

[senthil_yoga]

Dear Everyone,

By seeing another document of 'how to secure flows'....
i got a snipnet, but i dont know whether is that the right way to secure....
i will show you the code

flowExecutor is

Code:

<flow:executor id="flowExecutor" registry-ref="flowRegistry"></flow:executor>
<!-- <flow:executor id="flowExecutor" registry-ref="flowRegistry">
<flow:repository type="continuation"/>
<flow:execution-listeners>
<flow:listener ref="flowSecurityListener"/>
</flow:execution-listeners>
</flow:executor> -->

flowSecurityListener

Code:

<bean id="flowSecurityListener" class="FlowSecurityInterceptor">
    <property name="rejectPublicInvocations" value="false"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <prperty name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name"flowDefinitionSource">
    <value>
    web-flow=ROLE_USER,ROLE_ADMIN
    </value>
    </property>
    </bean>

please give your suggestion

BestRegards
senthil

[jstehler]

Acegi security works through web filters, so if you have it set up based on URL-pattern matching for your spring mvc solution, it should seamlessly transfer to your webflow-based solution.

[Marten Deinum]

Acegi security works through web filters, so if you have it set up based on URL-pattern matching for your spring mvc solution, it should seamlessly transfer to your webflow-based solution.

No it doesn't. Spring Web Flow works with 1 controller and a controller is normally mapped to 1 url (you could ofcourse create multiple mappings but then still someone could circumvent it)

@Senthill

The FlowSecurityListener (at least the flowdefinition source) can be configured in the following way. it takes a collection of key/value pairs the same as the normal method or url security in Acegi. However there are some additional things you can do .

The precise format is

[name-of-flow].{[event|state].[name]}=security

The name-of-flow is required, next to that you can decide to limit the access to an event (transition) or a state to certain roles.

Code:

<property name="flowDefinitionSource">
  <value>
     flow1=ROLE_USER,ROLE_ADMIN,ROLE_SUPERADMIN
     flow2=ROLE_ADMIN,ROLE_SUPERADMIN
     flow2.event.removeuser=ROLE_SUPERADMIN
     flow2.state.usersettings=ROLE_SUPERADMIN
  </value>
</property>

In the above configuration someone with the ROLE_USER has access to everything from flow1 and further nothing. If you have ROLE_ADMIN you can access flow1 and flow2. However to remove a user you have to be ROLE_SUPERADMIN.

Here is a presentation/workshop I gave it is in dutch but the configuration and pictures should be understandable.

I also have some workshop code, it is still all in dutch (maybe I need to translate it into english hmm) but if you want I can send it to you.

If you have any suggestions/questions regarding SWF-93 feel free to contact me.

[senthil_yoga]

Dear Marten Deinum,

Thank you a lot for your valuable suggestions and the presentation that you gave was helpfull and quite understandable...

I would be really happy, if you send me some more workshop codes and that would be more helpfull...
And i would definetly ask suggestions/questions about SWF-93 later ..

Once again i thank you for your valuable suggestions..

Best Regards,
senthil