Win a copy of Mesos in Action this week in the Cloud/Virtualizaton forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Does Spring Web Flow 2 have role based authorization to execute flow feature?

 
Hong Anderson
Ranch Hand
Posts: 1936
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Like specify in configuration which role can execute which flow/subflow.
 
Sagar Kale
Ranch Hand
Posts: 188
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I guess security will be taken care by Spring Security(Acegi).
 
Hong Anderson
Ranch Hand
Posts: 1936
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Sagar Kale wrote:I guess security will be taken care by Spring Security(Acegi).

Hmm, what security? There are many topics in security, but I'm talking about Role-based authorization in Spring Web Flow 2.

Spring Web Flow 2 should have some kind of interfaces/generic implementations and able to plug external security framework like Spring Security.
Saying just Spring Security takes care security concern is not clear to me.
 
Sagar Kale
Ranch Hand
Posts: 188
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Kengkaj Sathianpantarit wrote:
Hmm, what security? There are many topics in security, but I'm talking about Role-based authorization in Spring Web Flow 2.

Spring Web Flow 2 should have some kind of interfaces/generic implementations and able to plug external security framework like Spring Security.
Saying just Spring Security takes care security concern is not clear to me.


I know there are many topics in security and I am not discussing many topics but just role based authorization.
Well I don't know Spring Web Flow but I guess Acegi security which is known as Spring Security now, gets integrated with Spring MVC. It should not have problem getting integrated to Spring Web Flow.
 
Hong Anderson
Ranch Hand
Posts: 1936
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Sagar Kale wrote:
Well I don't know Spring Web Flow but I guess Acegi security which is known as Spring Security now, gets integrated with Spring MVC. It should not have problem getting integrated to Spring Web Flow.

My question is not how to use Spring Security in Spring Web Flow, but if Spring Web Flow has role-based authorization feature.

How Spring Security integrate with Spring Web MVC? I'm not aware of that. Or do you mean integrate with Spring?
 
Sagar Kale
Ranch Hand
Posts: 188
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Kengkaj Sathianpantarit wrote:
My question is not how to use Spring Security in Spring Web Flow, but if Spring Web Flow has role-based authorization feature.

How Spring Security integrate with Spring Web MVC? I'm not aware of that. Or do you mean integrate with Spring?


Please find tutorial here. Spring Security tutorial. If you google, you will get more tutorials.

You have to configure it in web.xml like following

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>



security.xml

<security:http auto-config="true">
<security:form-login login-page="/login.jsp"
default-target-url="/home.htm"
authentication-failure-url="/login.jsp?error=true" />

<security:logout logout-success-url="/login.jsp" />
<security:intercept-url pattern="/home.htm*" access="ROLE_USER" />
<security:intercept-url pattern="/empList.htm*"
access="ROLE_USER" />
<security:intercept-url pattern="/addEmp.htm*"
access="ROLE_ADMIN" />
</security:http>
<security:authentication-provider>
<security:user-service>
<security:user name="admin" password="secret"
authorities="ROLE_ADMIN,ROLE_USER" />
<security:user name="user1" password="1111"
authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>


I copied some configuration. You will have to read tutorials before you understand what these configuration means. Notice ROLE_ADMIN and ROLE_USER that what you were talking about right?


I have question to Markus, does the book covers examples of configuring Spring Security with Spring Web Flow?





 
Markus Staeuble
Author
Greenhorn
Posts: 16
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The book covers the topic security, especially the integration with spring security (chapter 7):
Additionally you can check the reference documentation: http://static.springframework.org/spring-webflow/docs/2.0.x/reference/htmlsingle/spring-webflow-reference.html#flow-security
 
Sagar Kale
Ranch Hand
Posts: 188
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks Markus
 
Hong Anderson
Ranch Hand
Posts: 1936
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Sagar Kale wrote:
Kengkaj Sathianpantarit wrote:
My question is not how to use Spring Security in Spring Web Flow, but if Spring Web Flow has role-based authorization feature.

How Spring Security integrate with Spring Web MVC? I'm not aware of that. Or do you mean integrate with Spring?


Please find tutorial here. Spring Security tutorial. If you google, you will get more tutorials.

You have to configure it in web.xml like following

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>



security.xml

<security:http auto-config="true">
<security:form-login login-page="/login.jsp"
default-target-url="/home.htm"
authentication-failure-url="/login.jsp?error=true" />

<security:logout logout-success-url="/login.jsp" />
<security:intercept-url pattern="/home.htm*" access="ROLE_USER" />
<security:intercept-url pattern="/empList.htm*"
access="ROLE_USER" />
<security:intercept-url pattern="/addEmp.htm*"
access="ROLE_ADMIN" />
</security:http>

Thanks for info, Sagar.
But you might misunderstand, from example it has nothing to do with Spring Web MVC. It can protect in url-pattern level and method invocation level which means that it can be used with any web MVC frameworks or can be used with plain old Servlets.

So I think that Spring Web Flow 2 has no role-based authorization feature. I know, we can use Spring Security, but my point is Spring Web Flow should have this feature (no need to use Spring Security to set flow authorizations).
 
Nathan Pruett
Bartender
Posts: 4121
IntelliJ IDE Java Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Spring Web flow just handles the flow between pages/states in your application. You can use Spring Security to protect methods that are invoked from Spring Web Flow. Or you can implement role based security however you want and invoke it from an action state.
 
Padmapriya Ranganathan
Greenhorn
Posts: 25
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
disclaimer: I'm not a security expert !

As per my knowledge, the role based authentication and/or authorization lean towards application dependency. No generalized framework can provide complete feature for this.
 
Hong Anderson
Ranch Hand
Posts: 1936
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Padmapriya Ranganathan wrote:No generalized framework can provide complete feature for this.

No, it can . Why not?
 
Venkat Sidh
Ranch Hand
Posts: 61
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If I am correct, I think you can plug-in JAAS.
 
Mourouganandame Arunachalam
Ranch Hand
Posts: 396
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Kengkaj Sathianpantarit wrote:
Padmapriya Ranganathan wrote:No generalized framework can provide complete feature for this.

No, it can . Why not?


I think it is not possible to achieve this without using other plug-ins.... Spring cannot have sophisticated feature for role based authorization, coz its again specific application related.
 
Padmapriya Ranganathan
Greenhorn
Posts: 25
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Kengkaj Sathianpantarit wrote:
Padmapriya Ranganathan wrote:No generalized framework can provide complete feature for this.

No, it can . Why not?



Really !!? Can you please provide an example for this? (after all learning is part of our life ! ) I think none of the framework provides full featured role based security without using other plugins like JAAS.
 
Hong Anderson
Ranch Hand
Posts: 1936
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Padmapriya Ranganathan wrote:
Kengkaj Sathianpantarit wrote:
Padmapriya Ranganathan wrote:No generalized framework can provide complete feature for this.

No, it can . Why not?



Really !!? Can you please provide an example for this? (after all learning is part of our life ! ) I think none of the framework provides full featured role based security without using other plugins like JAAS.

Hmm, why you do you think a generalize framework *cannot* provide role-based authorization? It's just coding after all, if we want to support we just write codes for it.

The examples are EJB container (support role-based security in method invocation level), Servlet container (support role-based security in URL-pattern level).

And it's not about plug-in it's about the infrastructure of framework itself supports the feature or not.
Learning is good, but way of thinking is more important .
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic