Announcement Announcement Module
No announcement yet.
ACL based security in Webflow Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • ACL based security in Webflow

    Spring Web-flow supports role based authentication out of the box. However it is not very clear how we can use other AccessDecisionManagers for custom authorization decisions. The problem here is that there is no straight forward way to pass objects from Webflow to the AccessDecisionManagers. The decision manager's decide method has the following signature

    void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
    Here the config attribute provides the strings, specified in the <secured> element, while the object supplied is the ViewState (or Transition) on which the <secured> element is applied. So there doesn't seem to be straightforward way of accessing objects in the current flow-execution.

    To put things in perspective, a simple use case might be to load an object by it's id in the web-flow and then allow an 'update' transition to occur only if the current user has 'edit' permissions on the object.

    Is there a some built-in functionality in web-flow security that can be used to pass objects from the current FlowExecution to the AccessDecisionManager ? If not, what would be a good way to achieve this ?

    Thanks for your help !!