Securing Spring Faces (Webflow 2 + Spring Security 3) application.

This post is for people who are using Spring Faces and need the basic security aspects covered.

Update your Spring Faces dependency in the pom.xml if your project is a Maven one.
There is a bug in the 2.3.0 release between the flow executor and the phase listener. This matters here because our login page is a facelet that is not part of a flow.


Add the security context file to the configuration with this content:

<security:http auto-config="true">
		<security:intercept-url pattern="/views/**" access="ROLE_USER"/>
		<!-- unauthenticated requests to /views/** are sent to the facelet login page at "/" -->
		<security:form-login login-page="/" authentication-failure-url="/"
			default-target-url="/flowprocess/shopping" />
</security:http>

<security:authentication-manager>
		<security:authentication-provider user-service-ref="userService"/>
</security:authentication-manager>

<!-- in-memory demo user with a plaintext password; only suitable for a sample project -->
<security:user-service id="userService">
		<security:user name="guest" password="guest" authorities="ROLE_USER"/>
</security:user-service>

Configuring security in Web Flow takes 2 steps:

1 – Add the security flow execution listener to the configuration file, as shown below:

<!-- evaluates the <secured> element of each flow against the current Spring Security context -->
<beans:bean id="securityFlowExecutionListener" class="org.springframework.webflow.security.SecurityFlowExecutionListener" />

<beans:bean id="facesContextListener" class="org.springframework.faces.webflow.FlowFacesContextLifecycleListener"/>

<flow-executor id="flowExecutor">
	<flow-execution-listeners>
		<listener ref="facesContextListener"/>
		<listener ref="securityFlowExecutionListener"/>
	</flow-execution-listeners>
</flow-executor>

2 – Configure the flow to check access and authorizations before running, by adding the secured tag to the flow.xml file:

<flow xmlns="http://www.springframework.org/schema/webflow"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/webflow
		http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd"
	start-state="identifyCustomer">

	<!-- must be the first child of <flow>; the listener above enforces it before the flow starts -->
	<secured attributes="ROLE_USER"/>

	<!-- flow states follow here -->
</flow>


Very Important Notice: if we are using subflows in our architecture, Spring does not propagate the secured configuration to the child flows. The secured tag must be explicitly present in every subflow. I hope this will be fixed in future releases.

Create a Spring Security form login as the index page of the project:

<!-- prependId="false" keeps the input ids as j_username / j_password, the parameter names Spring Security 3 expects -->
<h:form prependId="false">
	<table class="form">
		<tr>
			<td><h:outputLabel value="Identifiant: " for="j_username" /></td>
			<td><h:inputText id="j_username" required="true" value="#{authenticationBean.username}" styleClass="textInput" /></td>
		</tr>
		<tr>
			<td><h:outputLabel value="Mot de passe " for="j_password" /></td>
			<td><h:inputSecret id="j_password" required="true" value="#{authenticationBean.password}" styleClass="textInput" /></td>
		</tr>
	</table>
	<div class="buttonContainer">
		<h:commandLink styleClass="styledButton" action="#{authenticationBean.onLogin}" value="Connect" />
	</div>
</h:form>
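The form above binds to an `authenticationBean` that the post does not show. The following backing bean is an added example, not code from the original post or its GitHub project: the package name, the JSF 2 managed-bean annotations and the bean's internals are assumptions. It shows the usual way to connect a JSF action to Spring Security 3: the bean authenticates nothing itself and simply forwards the POST to the default processing URL, `/j_spring_security_check`, whose filter reads `j_username` and `j_password` from the request.

```java
// Added example; not part of the original post or project.
// Package name and JSF 2 annotations are assumptions.
package com.example.login;

import java.io.IOException;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

@ManagedBean(name = "authenticationBean")
@RequestScoped
public class AuthenticationBean {

    // Bound by the facelet. JSF validation (required="true") runs before
    // onLogin() is invoked, so both fields are non-empty when we get here.
    private String username;
    private String password;

    /**
     * Hands the POST over to Spring Security instead of authenticating here.
     * Because the form uses prependId="false", the request already carries
     * j_username and j_password, the parameter names that Spring Security 3's
     * UsernamePasswordAuthenticationFilter reads by default, so a server-side
     * forward to the default processing URL is all that is needed.
     */
    public String onLogin() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();

        // Forward, not redirect: a redirect would turn the POST into a GET and
        // drop the credentials. After the filter runs, Spring Security itself
        // redirects to default-target-url on success or to
        // authentication-failure-url on failure (both set in <form-login>).
        ext.dispatch("/j_spring_security_check");

        // Tell JSF the response was produced by the forwarded request, so it
        // does not try to render a view on top of it.
        ctx.responseComplete();
        return null;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

Two things to check when wiring this in: the `springSecurityFilterChain` filter-mapping in web.xml must declare `<dispatcher>FORWARD</dispatcher>` in addition to `<dispatcher>REQUEST</dispatcher>`, otherwise the forwarded request never passes through the security filter and lands on a URL nothing handles; and the bean should stay request scoped, so the password field lives only for the duration of the login request and is never kept in the session.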

Now the flow is secured; to execute it, the user must provide correct credentials. In the next article I'll integrate OpenID authentication.

In my project I have a shopping flow which uses the customer flow as a subflow. To check the point in the notice above, try calling the subflow directly (shopping/customer): without its own secured tag, the subflow is accessible unauthenticated; with it, access is secured and you are redirected to the login page.
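The notice above in terms of flow definitions, as an added example that is not from the original post or its project (the flow ids `customer` and `shopping`, the state names and the transitions are assumptions). The parent declares `<secured>`, but the subflow it calls must declare it again; a subflow that omits the element is the unsecured case the test above exposes.

```xml
<!-- shopping-flow.xml (parent flow). Its <secured> covers this flow only. -->
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow
          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">

    <!-- <secured> must be the first child of <flow> per the Web Flow 2 schema -->
    <secured attributes="ROLE_USER"/>

    <!-- hypothetical states -->
    <view-state id="cart">
        <transition on="checkout" to="identify"/>
    </view-state>

    <!-- the parent's <secured> is NOT inherited by the called subflow -->
    <subflow-state id="identify" subflow="customer">
        <transition on="customerIdentified" to="confirm"/>
    </subflow-state>

    <end-state id="confirm"/>
</flow>

<!-- customer-flow.xml (subflow). Without the line below it can be started
     directly, unauthenticated, as the post's own test shows. -->
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow
          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">

    <!-- repeated explicitly: the SecurityFlowExecutionListener checks each flow on its own -->
    <secured attributes="ROLE_USER"/>

    <view-state id="identifyCustomer">
        <transition on="submit" to="done"/>
    </view-state>

    <end-state id="done"/>
</flow>
```

A quick way to keep this from regressing is to grep every `*-flow.xml` under the flow base path for a `<secured` element and fail the build when one is missing, since nothing in the registry will warn you about an unsecured subflow.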

The complete project source code is available on GitHub.