This week's giveaway is in the Android forum.
We're giving away four copies of Android Security Essentials Live Lessons and have Godfrey Nolan on-line!
See this thread for details.
The moose likes Spring and the fly likes Does Spring Web Flow 2 have role based authorization to execute flow feature? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Frameworks » Spring
Bookmark "Does Spring Web Flow 2 have role based authorization to execute flow feature?" Watch "Does Spring Web Flow 2 have role based authorization to execute flow feature?" New topic
Author

Does Spring Web Flow 2 have role based authorization to execute flow feature?

Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Like specify in configuration which role can execute which flow/subflow.


SCJA 1.0, SCJP 1.4, SCWCD 1.4, SCBCD 1.3, SCJP 5.0, SCEA 5, SCBCD 5; OCUP - Fundamental, Intermediate and Advanced; IBM Certified Solution Designer - OOAD, vUML 2; SpringSource Certified Spring Professional
Sagar Kale
Ranch Hand

Joined: May 02, 2008
Posts: 188
I guess security will be taken care by Spring Security(Acegi).
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Sagar Kale wrote:I guess security will be taken care by Spring Security(Acegi).

Hmm, what security? There are many topics in security, but I'm talking about Role-based authorization in Spring Web Flow 2.

Spring Web Flow 2 should have some kind of interfaces/generic implementations and able to plug external security framework like Spring Security.
Saying just Spring Security takes care security concern is not clear to me.
Sagar Kale
Ranch Hand

Joined: May 02, 2008
Posts: 188
Kengkaj Sathianpantarit wrote:
Hmm, what security? There are many topics in security, but I'm talking about Role-based authorization in Spring Web Flow 2.

Spring Web Flow 2 should have some kind of interfaces/generic implementations and able to plug external security framework like Spring Security.
Saying just Spring Security takes care security concern is not clear to me.


I know there are many topics in security and I am not discussing many topics but just role based authorization.
Well I don't know Spring Web Flow but I guess Acegi security which is known as Spring Security now, gets integrated with Spring MVC. It should not have problem getting integrated to Spring Web Flow.
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Sagar Kale wrote:
Well I don't know Spring Web Flow but I guess Acegi security which is known as Spring Security now, gets integrated with Spring MVC. It should not have problem getting integrated to Spring Web Flow.

My question is not how to use Spring Security in Spring Web Flow, but if Spring Web Flow has role-based authorization feature.

How Spring Security integrate with Spring Web MVC? I'm not aware of that. Or do you mean integrate with Spring?
Sagar Kale
Ranch Hand

Joined: May 02, 2008
Posts: 188
Kengkaj Sathianpantarit wrote:
My question is not how to use Spring Security in Spring Web Flow, but if Spring Web Flow has role-based authorization feature.

How Spring Security integrate with Spring Web MVC? I'm not aware of that. Or do you mean integrate with Spring?


Please find tutorial here. Spring Security tutorial. If you google, you will get more tutorials.

You have to configure it in web.xml like following

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>



security.xml

<security:http auto-config="true">
<security:form-login login-page="/login.jsp"
default-target-url="/home.htm"
authentication-failure-url="/login.jsp?error=true" />

<security:logout logout-success-url="/login.jsp" />
<security:intercept-url pattern="/home.htm*" access="ROLE_USER" />
<security:intercept-url pattern="/empList.htm*"
access="ROLE_USER" />
<security:intercept-url pattern="/addEmp.htm*"
access="ROLE_ADMIN" />
</security:http>
<security:authentication-provider>
<security:user-service>
<security:user name="admin" password="secret"
authorities="ROLE_ADMIN,ROLE_USER" />
<security:user name="user1" password="1111"
authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>


I copied some configuration. You will have to read tutorials before you understand what these configuration means. Notice ROLE_ADMIN and ROLE_USER that what you were talking about right?


I have question to Markus, does the book covers examples of configuring Spring Security with Spring Web Flow?





Markus Staeuble
Author
Greenhorn

Joined: Apr 12, 2009
Posts: 16
The book covers the topic security, especially the integration with spring security (chapter 7):
Additionally you can check the reference documentation: http://static.springframework.org/spring-webflow/docs/2.0.x/reference/htmlsingle/spring-webflow-reference.html#flow-security


Author of the book Spring Web Flow 2 Web Development. Available at http://www.packtpub.com/develop-powerful-web-applications-with-spring-web-flow-2/book
Sagar Kale
Ranch Hand

Joined: May 02, 2008
Posts: 188
Thanks Markus
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Sagar Kale wrote:
Kengkaj Sathianpantarit wrote:
My question is not how to use Spring Security in Spring Web Flow, but if Spring Web Flow has role-based authorization feature.

How Spring Security integrate with Spring Web MVC? I'm not aware of that. Or do you mean integrate with Spring?


Please find tutorial here. Spring Security tutorial. If you google, you will get more tutorials.

You have to configure it in web.xml like following

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>



security.xml

<security:http auto-config="true">
<security:form-login login-page="/login.jsp"
default-target-url="/home.htm"
authentication-failure-url="/login.jsp?error=true" />

<security:logout logout-success-url="/login.jsp" />
<security:intercept-url pattern="/home.htm*" access="ROLE_USER" />
<security:intercept-url pattern="/empList.htm*"
access="ROLE_USER" />
<security:intercept-url pattern="/addEmp.htm*"
access="ROLE_ADMIN" />
</security:http>

Thanks for info, Sagar.
But you might misunderstand, from example it has nothing to do with Spring Web MVC. It can protect in url-pattern level and method invocation level which means that it can be used with any web MVC frameworks or can be used with plain old Servlets.

So I think that Spring Web Flow 2 has no role-based authorization feature. I know, we can use Spring Security, but my point is Spring Web Flow should have this feature (no need to use Spring Security to set flow authorizations).
Nathan Pruett
Bartender

Joined: Oct 18, 2000
Posts: 4121

Spring Web flow just handles the flow between pages/states in your application. You can use Spring Security to protect methods that are invoked from Spring Web Flow. Or you can implement role based security however you want and invoke it from an action state.


-Nate
Write once, run anywhere, because there's nowhere to hide! - /. A.C.
Padmapriya Ranganathan
Greenhorn

Joined: Mar 04, 2009
Posts: 25
disclaimer: I'm not a security expert !

As per my knowledge, the role based authentication and/or authorization lean towards application dependency. No generalized framework can provide complete feature for this.


Padmapriya
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Padmapriya Ranganathan wrote:No generalized framework can provide complete feature for this.

No, it can . Why not?
Venkat Sidh
Ranch Hand

Joined: Sep 30, 2006
Posts: 61
If I am correct, I think you can plug-in JAAS.
Mourouganandame Arunachalam
Ranch Hand

Joined: Oct 29, 2008
Posts: 396
Kengkaj Sathianpantarit wrote:
Padmapriya Ranganathan wrote:No generalized framework can provide complete feature for this.

No, it can . Why not?


I think it is not possible to achieve this without using other plug-ins.... Spring cannot have sophisticated feature for role based authorization, coz its again specific application related.


Mourougan
Open Source leads to Open Mind
Padmapriya Ranganathan
Greenhorn

Joined: Mar 04, 2009
Posts: 25
Kengkaj Sathianpantarit wrote:
Padmapriya Ranganathan wrote:No generalized framework can provide complete feature for this.

No, it can . Why not?



Really !!? Can you please provide an example for this? (after all learning is part of our life ! ) I think none of the framework provides full featured role based security without using other plugins like JAAS.
Hong Anderson
Ranch Hand

Joined: Jul 05, 2005
Posts: 1936
Padmapriya Ranganathan wrote:
Kengkaj Sathianpantarit wrote:
Padmapriya Ranganathan wrote:No generalized framework can provide complete feature for this.

No, it can . Why not?



Really !!? Can you please provide an example for this? (after all learning is part of our life ! ) I think none of the framework provides full featured role based security without using other plugins like JAAS.

Hmm, why you do you think a generalize framework *cannot* provide role-based authorization? It's just coding after all, if we want to support we just write codes for it.

The examples are EJB container (support role-based security in method invocation level), Servlet container (support role-based security in URL-pattern level).

And it's not about plug-in it's about the infrastructure of framework itself supports the feature or not.
Learning is good, but way of thinking is more important .
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Does Spring Web Flow 2 have role based authorization to execute flow feature?
 
Similar Threads
how to come enter web flow at a specific point
Disadvantage of Model 1 architecture
Regarding mail server and workflow engine
J2EE Security..
Do we need DAO to access webservice from SLSB?