Skip to content

Spring 中文文档社区
Spring 中文文档社区

ljw@lq / Spring 中文文档社区
与 Fork 源项目一致

Fork自 开发云 / Spring 中文文档社区

通知 1
Star 1
Fork 0
Spring 中文文档社区
Spring 中文文档社区

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
flow-security.md 6.8 KB
Newer Older
茶陵後's avatar
more spring docs add  
茶陵後 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 
# 8. Securing Flows

## [](#flow-security-introduction)8.1. Introduction

Security is an important concept for any application.
End users should not be able to access any portion of a site simply by guessing the URL.
Areas of a site that are sensitive must ensure that only authorized requests are processed.
Spring Security is a proven security platform that can integrate with your application at multiple levels.
This section will focus on securing flow execution.

## [](#flow-security-how-to)8.2. How do I secure a flow?

Securing flow execution is a three step process:

* Configure Spring Security with authentication and authorization rules

* Annotate the flow definition with the secured element to define the security rules

* Add the SecurityFlowExecutionListener to process the security rules.

Each of these steps must be completed or else flow security rules will not be applied.

## [](#flow-security-secured-element)8.3. The secured element

The secured element designates that its containing element should apply the authorization check before fully entering.
This may not occur more then once per stage of the flow execution that is secured.

Three phases of flow execution can be secured: flows, states and transitions.
In each case the syntax for the secured element is identical.
The secured element is located inside the element it is securing.
For example, to secure a state the secured element occurs directly inside that state:

```
<view-state id="secured-view">
    <secured attributes="ROLE_USER" />
    ...
</view-state>
		
```

### [](#flow-security-secured-element-attributes)8.3.1. Security attributes

The `attributes` attribute is a comma separated list of Spring Security authorization attributes.
Often, these are specific security roles.
The attributes are compared against the user's granted attributes by a Spring Security access decision manager.

```
<secured attributes="ROLE_USER" />
			
```

By default, a role based access decision manager is used to determine if the user is allowed access.
This will need to be overridden if your application is not using authorization roles.

### [](#flow-security-secured-element-match)8.3.2. Matching type

There are two types of matching available: `any` and `all`.
Any, allows access if at least one of the required security attributes is granted to the user.
All, allows access only if each of the required security attributes are granted to the user.

```
<secured attributes="ROLE_USER, ROLE_ANONYMOUS" match="any" />
			
```

This attribute is optional.
If not defined, the default value is `any`.

The `match` attribute will only be respected if the default access decision manager is used.

## [](#flow-security-listener)8.4. The SecurityFlowExecutionListener

Defining security rules in the flow by themselves will not protect the flow execution.
A `SecurityFlowExecutionListener` must also be defined in the webflow configuration and applied to the flow executor.

```
<webflow:flow-executor id="flowExecutor" flow-registry="flowRegistry">
    <webflow:flow-execution-listeners>
        <webflow:listener ref="securityFlowExecutionListener" />
    </webflow:flow-execution-listeners>
</webflow:flow-executor>

<bean id="securityFlowExecutionListener"
      class="org.springframework.webflow.security.SecurityFlowExecutionListener" />
		
```

If access is denied to a portion of the application an `AccessDeniedException` will be thrown.
This exception will later be caught by Spring Security and used to prompt the user to authenticate.
It is important that this exception be allowed to travel up the execution stack uninhibited, otherwise the end user may not be prompted to authenticate.

### [](#flow-security-listener-adm)8.4.1. Custom Access Decision Managers

If your application is using authorities that are not role based, you will need to configure a custom `AccessDecisionManager`.
You can override the default decision manager by setting the `accessDecisionManager` property on the security listener.
Please consult the [Spring Security reference documentation](http://static.springframework.org/spring-security/site/reference.html) to learn more about decision managers.

```
<bean id="securityFlowExecutionListener"
      class="org.springframework.webflow.security.SecurityFlowExecutionListener">
    <property name="accessDecisionManager" ref="myCustomAccessDecisionManager" />
</bean>
			
```

## [](#flow-security-configuration)8.5. Configuring Spring Security

Spring Security has robust configuration options available.
As every application and environment has its own security requirements, the [Spring Security reference documentation](http://static.springframework.org/spring-security/site/reference.html) is the best place to learn the available options.

Both the `booking-faces` and `booking-mvc` sample applications are configured to use Spring Security.
Configuration is needed at both the Spring and web.xml levels.

### [](#flow-security-configuration-spring)8.5.1. Spring configuration

The Spring configuration defines `http` specifics (such as protected URLs and login/logout mechanics) and the `authentication-provider`.
For the sample applications, a local authentication provider is configured.

```
<security:http auto-config="true">
    <security:form-login login-page="/spring/login"
                         login-processing-url="/spring/loginProcess"
                         default-target-url="/spring/main"
                         authentication-failure-url="/spring/login?login_error=1" />
    <security:logout logout-url="/spring/logout" logout-success-url="/spring/logout-success" />
</security:http>

<security:authentication-provider>
    <security:password-encoder hash="md5" />
    <security:user-service>
        <security:user name="keith" password="417c7382b16c395bc25b5da1398cf076"
                       authorities="ROLE_USER,ROLE_SUPERVISOR" />
        <security:user name="erwin" password="12430911a8af075c6f41c6976af22b09"
                       authorities="ROLE_USER,ROLE_SUPERVISOR" />
        <security:user name="jeremy" password="57c6cbff0d421449be820763f03139eb"
                       authorities="ROLE_USER" />
        <security:user name="scott" password="942f2339bf50796de535a384f0d1af3e"
                       authorities="ROLE_USER" />
    </security:user-service>
</security:authentication-provider>
			
```

### [](#flow-security-configuration-web)8.5.2. web.xml Configuration

In the `web.xml` file, a `filter` is defined to intercept all requests.
This filter will listen for login/logout requests and process them accordingly.
It will also catch `AccesDeniedException`s and redirect the user to the login page.

```
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
			
```