Spring Web Flow: SWF-1508

SecurityFlowExecutionListener not compatible with SpEL expressions in Spring Security 3
When SecurityFlowExecutionListener is supplied with an AccessDecisionManager, the authorization decision is left to the AccessDecisionManager.
However, when using Spring Security with SpEL (<security:http use-expressions="true">), a WebExpressionVoter is registered with the AccessDecisionManager.
At the moment, this AccessDecisionVoter is generified and explicitly wants a FilterInvocation as parameter.
The interface of AccessDecisionManager is not adjusted, and still takes Object as parameter (which is a bit strange).

// excerpt from Spring Security's WebExpressionVoter: the vote() parameter is FilterInvocation, not Object
public class WebExpressionVoter implements AccessDecisionVoter<FilterInvocation> {
    private SecurityExpressionHandler<FilterInvocation> expressionHandler = new DefaultWebSecurityExpressionHandler();

    public int vote(Authentication authentication, FilterInvocation fi, Collection<ConfigAttribute> attributes) {
        // ...
    }
}

What happens is that the SecurityFlowExecutionListener passes along a TransitionDefinition, FlowDefinition or StateDefinition to the AccessDecisionManager, which is legal, since its contract is Object.
In combination with the WebExpressionVoter this will result in a ClassCastException, as a FilterInvocation is expected.
With the RoleVoter there is no problem, as the type there is <Object>. The RoleVoter also doesn't seem to do anything with the object by default.

Also, wiring in the AccessDecisionManager is a bit of a pain, since it is created by the Spring Security namespace configuration and has no 'normal' bean id.
Maybe this could be solved by implementing a PostProcessor or ApplicationContextAware.
(Or it could be solved at the Spring Security level by making the AccessDecisionManager available under a normal bean name.)

The easiest workaround I found at the moment is not to define the AccessDecisionManager, so that the "else" branch is used and a RoleVoter is created by the SecurityFlowExecutionListener.
This means that it is not possible to use SpEL in flow security.
At that point it is not possible to use 'fullyAuthenticated' or the other advantages the SpEL way offers.

The other workaround is a custom SecurityFlowExecutionListener.
I made a first effort to write something that appears to be working; see attachment.
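As an added illustration of the custom-listener approach (this is not the attachment from this issue and not Spring Web Flow's own code), the subclass below asks the injected AccessDecisionManager whether it supports the secured object's class before delegating to it. AbstractAccessDecisionManager.supports(Class) returns false as soon as one voter rejects the type, and WebExpressionVoter only accepts FilterInvocation, so a FlowDefinition, StateDefinition or TransitionDefinition is routed to a plain RoleVoter instead of reaching the generified voter and blowing up with a ClassCastException. It assumes the SWF 2.x protected hooks decide(SecurityRule, Object) and getConfigAttributes(SecurityRule), the SecurityRule.COMPARISON_ALL constant, and the Spring Security 3.0-style AffirmativeBased()/setDecisionVoters(List) API that the listener's own fallback uses; the package name is made up. Verify these against the versions you run.

```java
package example.webflow.security; // assumed package, not from the project

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.AbstractAccessDecisionManager;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.webflow.security.SecurityFlowExecutionListener;
import org.springframework.webflow.security.SecurityRule;

/**
 * Added example: a SecurityFlowExecutionListener that never hands a flow,
 * state or transition definition to a manager whose voters cannot vote on it.
 * Assumes decide(SecurityRule, Object) and getConfigAttributes(SecurityRule)
 * are protected hooks in SWF 2.x (verify against your version).
 */
public class SupportsCheckingSecurityFlowExecutionListener extends SecurityFlowExecutionListener {

    private AccessDecisionManager accessDecisionManager;

    @Override
    public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
        this.accessDecisionManager = accessDecisionManager;
        super.setAccessDecisionManager(accessDecisionManager);
    }

    @Override
    protected void decide(SecurityRule rule, Object object) {
        // No manager injected (SWF builds its own RoleVoter) or the injected manager
        // declares that all of its voters can vote on this secured object type.
        if (accessDecisionManager == null || accessDecisionManager.supports(object.getClass())) {
            super.decide(rule, object);
            return;
        }

        // Otherwise at least one voter (e.g. WebExpressionVoter, which is an
        // AccessDecisionVoter<FilterInvocation>) would throw ClassCastException.
        // Fail closed on a missing principal, then fall back to role checking.
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            throw new AccessDeniedException("No Authentication in context for secured flow element " + object);
        }
        Collection<ConfigAttribute> attributes = getConfigAttributes(rule);
        roleBasedManagerFor(rule).decide(authentication, object, attributes);
    }

    /**
     * Mirrors the listener's own fallback: ANY -> AffirmativeBased, ALL -> UnanimousBased,
     * each with a single RoleVoter (only ROLE_-prefixed attributes are evaluated).
     * Uses the Spring Security 3.0-style no-arg constructor plus setDecisionVoters.
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    private AccessDecisionManager roleBasedManagerFor(SecurityRule rule) {
        List voters = new ArrayList();
        voters.add(new RoleVoter());
        AbstractAccessDecisionManager manager =
                rule.getComparisonType() == SecurityRule.COMPARISON_ALL ? new UnanimousBased() : new AffirmativeBased();
        manager.setDecisionVoters(voters);
        return manager;
    }
}
```

Wire it in place of the stock listener in the flow executor's listener list and inject the namespace-created AccessDecisionManager as before. Flows whose secured attributes are plain ROLE_ names keep working under the role fallback; expression attributes such as fullyAuthenticated still cannot be evaluated against a flow element, which is the limitation this issue describes, but the failure mode is now an AccessDeniedException from the RoleVoter path rather than a ClassCastException from the expression voter.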

              rstoya05-aop Rossen Stoyanchev
              koen.serneels Koen Serneels