The post is for people who are using Spring Faces and need basic security aspects.
Update your spring faces dependency in the pom.xml if your project is a maven one :
There is a bug in the 2.3.0 Release between the flow executor and phase listener. This is important because our login page is a facelet which is not in a flow.
<dependency> <groupId>org.springframework.webflow</groupId> <artifactId>spring-faces</artifactId> <version>2.3.1.BUILD-SNAPSHOT</version> </dependency>
Add context security file to the configuration with this content :
<security:http auto-config="true">
<security:intercept-url pattern="/views/**" access="ROLE_USER"/>
<security:form-login
login-processing-url="/j_spring_security_check"
login-page="/" authentication-failure-url="/"
default-target-url="/flowprocess/shopping" />
<security:logout/>
</security:http>
<security:user-service id="userService">
<security:user name="guest" password="guest" authorities="ROLE_USER"/>
</security:user-service>
<security:authentication-manager>
<security:authentication-provider user-service-ref="userService"/>
</security:authentication-manager>
Configuring security into webflow in 2 steps:
1 – Adding secure flow context listener into the configuration file as shown below :
<beans:bean id="securityFlowExecutionListener" class="org.springframework.webflow.security.SecurityFlowExecutionListener" /> <beans:bean id="facesContextListener" class="org.springframework.faces.webflow.FlowFacesContextLifecycleListener"/> <flow-executor id="flowExecutor"> <flow-execution-listeners> <listener ref="facesContextListener"/> <listener ref="securityFlowExecutionListener"/> </flow-execution-listeners> </flow-executor>
2 – Configure the flow to check access and authorizations before runing by adding the secure tag into the flow.xml file:
<flow start-state="identifyCustomer" xmlns="http://www.springframework.org/schema/webflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd"> <secured attributes="ROLE_USER"/> … </flow>
Very Important Notice : If we’re using subflows in our architecture, Spring does not propagate the secured configuration to child. Secure tag must be explicitely mentionned in all our subflows. I hope this will be a fix in further releases.
Create a Spring security form-login as index page into the project.
<h:form prependId="false" >
<table class="form">
<tr>
<td><h:outputLabel value="Identifiant: " for="j_username" /></td>
<td><h:inputText id="j_username" required="true" value="#{authenticationBean.username}" styleClass="textInput" /></td>
</tr>
<tr>
<td><h:outputLabel value="Mot de passe " for="j_password" /></td>
<td><h:inputSecret id="j_password" required="true" value="#{authenticationBean.password}" styleClass="textInput" /></td>
</tr>
</table>
<div class="buttonContainer">
<h:commandLink styleClass="styledButton" action="#{authenticationBean.onLogin}" value="Connect" />
</div>
</h:form>
Now the flow is secure and to execute it, user should give corrects credentials. In the next article i’ll integrate OpenID authentication.
In my project i have shopping-flow wich use customer-flow as subflow. To check the point in notice above, try to call directly the shopping/customer here unsecured access to the subflow and secured access, redirection to the login
The complete project source code is available here github
NGJWEBLOG 
[…] Add spring security configuration to protect Jsf web flows. Security Read the original post on DZone… […]
Hi there,
Nice blog! Is there an email address I can contact you in private?