Unsecure a Spring flow using Spring Security

I am working on an application which uses Spring Webflow and Spring Security. I am new to both and in a learning phase. My question is about how to unsecure a specific Spring flow. I have the below main-flow.xml whose contents are -

<flow xmlns ...  >
<subflow-state id="demoSubflowId" subflow="demo/subflow">
    <transition to="search" />
</subflow-state>

    <!-- ... There are other subflows configured here -->
</flow>

The subflow.xml is present inside another directory named "demo".

In the Spring security-config.xml, I have this configuration which I assume secures all webflows -

<http access-decision-manager-ref="customAccessDecisionManager">
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <form-login always-use-default-target="true" default-target-url="/spring/main" login-page="/secureLogin"
        authentication-failure-url="/secureLogin" />
    <logout  success-handler-ref="logoutSuccessHandler" />
    <custom-filter position="LAST" ref="requestInspectionFilter" />
</http>

Currently authentication is needed for all the flows in the application. But now I am given a task to create a new subflow for a task which doesn't require authentication. This is the reason for which I have created the new subflow above with id=demoSubflowId, but each time I try hitting this flow from the xhtml code below, it redirects me to the login page.

<a href="#" onclick="document.myForm.submit();" class="btn">Xhtml Unsecured demo</a>

<form name="myForm" action="${pageContext.request.contextPath}/spring/main?moduleId=mySubflowId" method="post"> </form>

Can anyone help me out with how to unsecure a specific Spring web flow/subflow? I googled and found how to exclude URLs from spring-security. In my current app too we have servlet URLs which are not secured (as provided below) and configured in security-config.xml, but I don't know how to do this for Spring webflow URLs.

<http pattern="/secureLogin*" security="none" />
<http pattern="/resetPassword" security="none" />

Any help/advice for unsecuring a Spring webflow will be appreciated. Thanks in advance.


Assuming you access your flow using /main, which seems to be the case in your configuration, you should be able to "unsecure it" using this:

<http pattern="/main" security="none" />

[EDIT]

It's not perfect, but in your main flow, you can secure the other subflows manually using <secured> :

<secured attributes="ROLE_USER" />
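
One way to combine the flow-level <secured> approach above with a filter chain that stays active on the flow URL, so a denied subflow still redirects to the login page (with security="none" the request bypasses Spring Security entirely and no security context is available to <secured>). This is an added example, not part of the original question or answer. Assumptions: customAccessDecisionManager contains an AuthenticatedVoter, the flow executor bean is named flowExecutor, and the file name webflow-config.xml and the account subflow are hypothetical.

```xml
<!-- security-config.xml: keep the filter chain on the flow URL, but let
     anonymous users through. Assumes customAccessDecisionManager includes
     an AuthenticatedVoter so IS_AUTHENTICATED_ANONYMOUSLY is understood. -->
<http access-decision-manager-ref="customAccessDecisionManager">
    <!-- First matching pattern wins, so this must precede the catch-all. -->
    <intercept-url pattern="/spring/main" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <!-- form-login, logout and custom-filter stay as in the question. -->
</http>

<!-- webflow-config.xml (hypothetical file name): without this listener the
     <secured> element in a flow definition is silently ignored. -->
<bean id="securityFlowExecutionListener"
      class="org.springframework.webflow.security.SecurityFlowExecutionListener" />

<webflow:flow-executor id="flowExecutor">
    <webflow:flow-execution-listeners>
        <webflow:listener ref="securityFlowExecutionListener" />
    </webflow:flow-execution-listeners>
</webflow:flow-executor>

<!-- main-flow.xml: the public subflow state carries no <secured>. -->
<subflow-state id="demoSubflowId" subflow="demo/subflow">
    <transition to="search" />
</subflow-state>

<!-- Every other subflow state (this one is hypothetical) is secured
     explicitly. An anonymous user entering it gets an AccessDeniedException,
     which the still-active filter chain turns into a login redirect. -->
<subflow-state id="accountSubflowId" subflow="account/subflow">
    <secured attributes="ROLE_USER" />
    <transition to="search" />
</subflow-state>
```

With this layout the URL rule no longer protects anything behind /spring/main, so any subflow state added later without a <secured> element is public. Reviewing main-flow.xml for states that lack <secured> is the check that replaces the old catch-all.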