Option to transition state on "secured" access denied [SWF-1661]
Christopher Smith opened SWF-1661 and commented
The secured attribute is an all-or-nothing approach where a failure to match the specified roles throws an exception up the stack. I have a flow where users with ROLE_ADMIN should be able to bypass some states. Manually specifying the decision rule is very cumbersome because currentUser.authorities contains instances of GrantedAuthority, not strings, and secured doesn't provide an option to say "go to this other state if the authorization fails here".
It would be helpful for the secured element to support an attribute on-access-denied, which would point to a state to transition to if the authorization check fails.
Affects: 2.4.1
Rossen Stoyanchev commented
I'm not sure I follow the request. You can secure flows, states, and transitions. You can also handle exceptions and you can define more advanced decision logic in Java code.
Rossen Stoyanchev commented
Okay, I think I understand better. What confused me is the fact that secured can appear in multiple places including flow level, state, and on transitions.
I have a couple of thoughts. One, have you tried using an <exception-handler> element? Two, have you considered wrapping the currentUser authorities checks in a helper bean that you can then access more conveniently via EL expressions?
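The helper-bean approach suggested in the last comment could look like the following. This is an added example, not part of the original thread and not Spring Web Flow code. The class name, the bean id `flowAuthz` and the state ids are hypothetical, and it assumes `currentUser` resolves to a Spring Security `Authentication`.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Hypothetical helper bean (class name and bean id "flowAuthz" are assumptions).
 * Registered as a Spring bean, it can be called from a flow's EL, for example:
 *
 *   <decision-state id="checkBypass">
 *     <if test="flowAuthz.hasRole(currentUser, 'ROLE_ADMIN')"
 *         then="summary" else="approvalStep"/>
 *   </decision-state>
 *
 * The state ids "checkBypass", "summary" and "approvalStep" are placeholders.
 */
public class FlowAuthorizationHelper {

    /** Single-role form, convenient to call from an EL expression. */
    public boolean hasRole(Principal principal, String role) {
        return hasAnyRole(principal, role);
    }

    /**
     * True only if the principal is an authenticated Spring Security
     * Authentication holding at least one of the given authorities.
     * Null, other Principal types and unauthenticated tokens are denied.
     */
    public boolean hasAnyRole(Principal principal, String... roles) {
        if (!(principal instanceof Authentication) || roles == null) {
            return false; // fail closed: no bypass without a usable Authentication
        }
        Authentication auth = (Authentication) principal;
        if (!auth.isAuthenticated()) {
            return false;
        }
        Set<String> wanted = new HashSet<>(Arrays.asList(roles));
        for (GrantedAuthority granted : auth.getAuthorities()) {
            // GrantedAuthority is an object, so compare its string form exactly.
            if (wanted.contains(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

Because the helper returns false on every path except an exact authority match, a flow that uses it to skip states falls through to the normal, non-bypassed path when the check cannot be evaluated.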