secured transitions not working [SWF-1560]

Open spring-operator opened this issue 13 years ago • 3 comments

David J. M. Karlsen opened SWF-1560 and commented

I have a transition that is secured:

<transition on="saveSetup" bind="true">
    <secured attributes="hasPermission( 'null', 'SOME_PERMISSION' )" />

and the following configuration of webflow w/ spring security:

<bean id="securityFlowExecutionListener" class="org.springframework.webflow.security.SecurityFlowExecutionListener">
    <property name="accessDecisionManager">
        <bean class="org.springframework.security.access.vote.AffirmativeBased">
            <constructor-arg>
                <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                    <property name="expressionHandler" ref="webSecurityExpressionHandler" />
                </bean>
            </constructor-arg>
        </bean>
    </property>
</bean>

The webSecurityExpressionHandler is using a custom implementation of a PermissionEvaluator.

This leads to the following ClassCastException:

Caused by: java.lang.ClassCastException: org.springframework.webflow.engine.Transition incompatible with org.springframework.security.web.FilterInvocation
	at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:18) ~[spring-security-web-3.1.1.RELEASE.jar:3.1.1.RELEASE]
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62) ~[spring-security-core-3.1.1.RELEASE.jar:3.1.1.RELEASE]
	at org.springframework.webflow.security.SecurityFlowExecutionListener.decide(SecurityFlowExecutionListener.java:95) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.security.SecurityFlowExecutionListener.transitionExecuting(SecurityFlowExecutionListener.java:80) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.impl.FlowExecutionListeners.fireTransitionExecuting(FlowExecutionListeners.java:180) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:392) [spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:119) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:555) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:388) [spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.ViewState.handleEvent(ViewState.java:232) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.ViewState.resume(ViewState.java:196) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.Flow.resume(Flow.java:545) ~[spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:258) [spring-webflow-2.3.1.RELEASE.jar:2.3.1.RELEASE]
	... 76 common frames omitted

Affects: 2.3.1

Issue Links:

  • #692 SecurityFlowExecutionListener not compatible with SpEL expressions in Spring Security 3

1 votes, 4 watchers

spring-operator, Jul 23 '12 07:07
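
The cast failure in the stack trace above, reduced to a self-contained sketch (an added example, not code from the issue or from Spring): a voter typed to one secured-object class is called through its raw type with a different object, while a decision loop that checks `supports(Class)` first denies cleanly instead. `FilterInvocation`, `Transition`, `Voter`, `WebVoter` and the two `decide` methods are simplified stand-ins defined in the example, and the user name is a constructed sample value.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration. Every type here is a simplified stand-in, not a Spring class.
public class SecuredObjectTypeDemo {
    static class FilterInvocation {}   // stand-in: secured object of the web filter chain
    static class Transition {}         // stand-in: secured object handed over by the flow engine
    static final int GRANTED = 1, ABSTAIN = 0;

    interface Voter<S> {
        boolean supports(Class<?> securedType);
        int vote(String user, S secured, String attribute);
    }

    // Typed to FilterInvocation; the compiler adds a bridge method
    // vote(String, Object, String) that casts its argument to FilterInvocation.
    static class WebVoter implements Voter<FilterInvocation> {
        public boolean supports(Class<?> t) { return FilterInvocation.class.isAssignableFrom(t); }
        public int vote(String user, FilterInvocation fi, String attribute) {
            return attribute != null ? GRANTED : ABSTAIN;   // placeholder decision
        }
    }

    // Raw-type call with no type check: the bridge cast fails for a Transition.
    @SuppressWarnings({"rawtypes", "unchecked"})
    static boolean decideUnchecked(List<Voter<?>> voters, String user, Object secured, String attr) {
        for (Voter v : voters) {
            if (v.vote(user, secured, attr) == GRANTED) return true;
        }
        return false;
    }

    // Consults only voters that support the secured type; none applicable means deny.
    @SuppressWarnings({"rawtypes", "unchecked"})
    static boolean decideChecked(List<Voter<?>> voters, String user, Object secured, String attr) {
        for (Voter v : voters) {
            if (v.supports(secured.getClass()) && v.vote(user, secured, attr) == GRANTED) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<Voter<?>> voters = Arrays.<Voter<?>>asList(new WebVoter());
        Object transition = new Transition();
        try { decideUnchecked(voters, "alice", transition, "SOME_PERMISSION"); }
        catch (ClassCastException e) { System.out.println("unchecked: ClassCastException"); }
        System.out.println("checked: granted=" + decideChecked(voters, "alice", transition, "SOME_PERMISSION"));
    }
}
```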

Rossen Stoyanchev commented

If you have any chance to put together an issue project, that would be very helpful.

spring-operator, Jul 24 '12 09:07

Mathieu Rampant commented

See #692, which is pretty much the same issue.

spring-operator, Jul 26 '12 07:07