
  • Acegi Security System in Spring WebFlow

    Dear everyone,

    I have implemented Acegi security in Spring MVC and it's working out.

    But while I migrate the application from Spring MVC to Spring WebFlow, it's not working out.
    Should I add any optional beans apart from FlowSecurityInterceptor?

    Please give your valuable suggestions

  • #2
    help needed

    Dear everyone,

    As I have already said, I have the Acegi security system working fine with Spring MVC.
    And now, in order to add some more requirements to the project and improve the efficiency, I need to migrate the project from Spring MVC to Spring WebFlow.
    I am trying to add flow definitions and changing to 'FormAction'...
    Should I change the security also, or leave it as it is?
    It's really confusing!
    I was able to do the project using Spring MVC smoothly, but I am finding it really more difficult changing 'FormControllers' to 'FormAction' and changing 'Acegi Security'...
    Are there any easy steps to change?
    I have also read the sample applications and I learned the basics... but still!
    Please, anyone, give your valuable suggestions!



    • #3
      Hi Senthil,

      You said that you are migrating from Spring MVC to Spring Webflow. This worries me. Spring MVC and Spring Webflow serve different purposes. In fact, they work well together.


      • #4
        Dear JakeRobb and everyone,
        Thank you for your advice.

        I have followed what you said and I have integrated my application with both Spring Webflow and Spring MVC.
        They are working fine... but I am able to secure the pages that have been built using 'Spring MVC'.
        How do I secure the 'Flows'?

        Please give your valuable suggestions...

        Best Regards


        • #5
          SWF-93 is a security solution for SWF in combination with Acegi.


          • #6
            Dear Marten Deinum,
            Thank you for your quick reply with a valuable suggestion.
            I will go ahead with the documents and let you know.

            Best regards


            • #7
              Dear Everyone,

              Looking at another document on 'how to secure flows',
              I got a snippet, but I don't know whether that is the right way to secure them.
              I will show you the code:

              flowExecutor is
              <flow:executor id="flowExecutor" registry-ref="flowRegistry"></flow:executor>
              <!-- <flow:executor id="flowExecutor" registry-ref="flowRegistry">
              <flow:repository type="continuation"/>
              <flow:listener ref="flowSecurityListener"/>
              </flow:executor> -->
              <bean id="flowSecurityListener" class="FlowSecurityInterceptor">
                  <property name="rejectPublicInvocations" value="false"/>
                  <property name="authenticationManager" ref="authenticationManager"/>
                  <property name="accessDecisionManager" ref="accessDecisionManager"/>
                  <property name="flowDefinitionSource">
              Please give your suggestions.



              • #8
                Acegi security works through web filters, so if you have it set up based on URL-pattern matching for your Spring MVC solution, it should seamlessly transfer to your Webflow-based solution.


                • #9
                  Originally posted by jstehler
                  Acegi security works through web filters, so if you have it set up based on URL-pattern matching for your Spring MVC solution, it should seamlessly transfer to your Webflow-based solution.
                  No, it doesn't. Spring Web Flow works with 1 controller, and a controller is normally mapped to 1 URL (you could of course create multiple mappings, but then someone could still circumvent it).


                  The FlowSecurityListener (at least the flow definition source) can be configured in the following way. It takes a collection of key/value pairs, the same as the normal method or URL security in Acegi. However, there are some additional things you can do.

                  The precise format is


                  The name-of-flow is required, next to that you can decide to limit the access to an event (transition) or a state to certain roles.

                  <property name="flowDefinitionSource">
                  In the above configuration someone with the ROLE_USER has access to everything from flow1 and further nothing. If you have ROLE_ADMIN you can access flow1 and flow2. However to remove a user you have to be ROLE_SUPERADMIN.

                  Here is a presentation/workshop I gave. It is in Dutch, but the configuration and pictures should be understandable.

                  I also have some workshop code. It is still all in Dutch (maybe I need to translate it into English, hmm), but if you want I can send it to you.

                  If you have any suggestions/questions regarding SWF-93 feel free to contact me.
                  Last edited by Marten Deinum; Oct 10th, 2007, 12:17 PM.


                  • #10
                    Dear Marten Deinum,

                    Thank you a lot for your valuable suggestions. The presentation that you gave was helpful and quite understandable.

                    I would be really happy if you could send me some more workshop code; that would be more helpful.
                    And I will definitely ask suggestions/questions about SWF-93 later.

                    Once again, I thank you for your valuable suggestions.

                    Best Regards,


                    • #11
                      Hi, just wondering if I could get a copy of your workshop code.

                      I saw in another thread that it was committed in March, I think... not included in the head dist though?

                      Any reason why?

                      I noticed that the FlowSecurityInterceptor class is missing the sessionCreated method. Is that so that people are forced to implement it? Or did the FlowExecutionListener interface change since the code was created?

                      Just wondering.



                      • #12
                        If I'm not mistaken I committed a new zip with classes some time ago, that one includes the sessionCreated method. It wasn't there because the first version didn't include that method, it was introduced in SWF 1.0.4, we developed it at first for 1.0...


                        • #13
                          yup, you are bad...downloaded both then opened the zip that was at the top of the page.


                          • #14
                            We are using it with SWF 1.0.5 currently works like a charm. Haven't (yet) tested it with 2.0M1 or nightly builds for 2.0, maybe something to do when my laptop returns


                            • #15
                              I'm using 1.0.4 and still slogging through... I think it shouldn't be too hard to get it working though.