
  • using hasPermission, hasRole etc in WebFlow

    To have everything consistent in my web application using spring framework, webflow and jsp, I want to be able to use the same expressions in all 3 layers (gui, flows, services) without an access decision manager, just with my permission evaluator:

    gui: jsp tag authorize + attribute "access"
    services: annotations @PreAuthorize etc.
    webflow: element "secured" with attribute "attributes"

    So I implemented my own FlowExecutionListenerAdapter in order to include my own Expression Handler (implementing SecurityExpressionHandler<RequestContext>) in which I just put the variables from the flow scopes (in the same order specified in the documentation).

    That is when I ran into an issue: the "attributes" expression of the "secured" element is split by commas to return a collection of SecurityConfig. I tried to use a method to transform the collection back to the original string but the randomness of the order in the collection makes it impossible (especially if you want to use hasPermission with an array of variables).

    And the code splitting the string is in FlowModelFlowBuilder.

    From there, seeing that I would not be able to get it working without modifying the code and recompiling the jar, I decided to add a new attribute that I called "access" to be consistent with the authorize tag and the intercept-url.

    I then updated the appropriate code and put the new attribute in the xsd and everything is working perfectly fine.

    My flows can now be secured using something like
    <secured access="hasRole('ROLE_USER') and hasPermission({#myVar1,#myVar2},'somePermission')"/>
    So, I wanted to know:
    • are there any other ways to do that without having to modify the code in the library?
    • if not, what should I name the attribute that I am using for that purpose? Is "access" what might be used in the future? (I want to avoid having to refactor all my code when this will be supported)
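
What the comma split described above does to the expression from the post, as an added example that is not part of the original post and is not Spring Web Flow code. The `HashSet` standing in for the unordered collection and the helper names `naiveSplit` and `isSelfContained` are assumptions made for illustration.

```java
import java.util.*;

// Added illustration; not Spring Web Flow code. The HashSet models the
// unordered collection the post describes (an assumption about the type).
public class SecuredAttributeSplit {

    // Naive split on every comma, as the post describes for "attributes".
    static Set<String> naiveSplit(String attributes) {
        Set<String> out = new HashSet<>();
        for (String part : attributes.split(",")) {
            out.add(part.trim());
        }
        return out;
    }

    // True when brackets are balanced and no quote is left open, i.e. the
    // fragment could at least be parsed as a standalone expression.
    static boolean isSelfContained(String s) {
        Deque<Character> stack = new ArrayDeque<>();
        boolean inQuote = false;
        for (char c : s.toCharArray()) {
            if (c == '\'') { inQuote = !inQuote; continue; }
            if (inQuote) continue; // commas and brackets inside quotes are data
            if (c == '(' || c == '{') stack.push(c);
            else if (c == ')' || c == '}') {
                if (stack.isEmpty()) return false;
                char open = stack.pop();
                if ((c == ')' && open != '(') || (c == '}' && open != '{')) return false;
            }
        }
        return stack.isEmpty() && !inQuote;
    }

    public static void main(String[] args) {
        String expr = "hasRole('ROLE_USER') and "
                + "hasPermission({#myVar1,#myVar2},'somePermission')";
        System.out.println("whole expression self-contained: " + isSelfContained(expr));
        // Each fragment is cut mid-call, and the set iteration order is not
        // guaranteed, so the original string cannot be rebuilt reliably.
        for (String fragment : naiveSplit(expr)) {
            System.out.println(isSelfContained(fragment) + "  <- " + fragment);
        }
        // A plain role list survives the split: every token stands alone.
        for (String token : naiveSplit("ROLE_USER, ROLE_ADMIN")) {
            System.out.println(isSelfContained(token) + "  <- " + token);
        }
    }
}
```

A check like `isSelfContained` is also useful as a guard in a custom listener: a fragment that fails it should cause access to be denied rather than be evaluated or silently skipped.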