package com.thoean.test;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.access.vote.AbstractAccessDecisionManager;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.webflow.definition.FlowDefinition;
import org.springframework.webflow.definition.StateDefinition;
import org.springframework.webflow.definition.TransitionDefinition;
import org.springframework.webflow.execution.EnterStateVetoException;
import org.springframework.webflow.execution.FlowExecutionListenerAdapter;
import org.springframework.webflow.execution.RequestContext;
import org.springframework.webflow.security.SecurityRule;

/**
 * Flow execution listener that enforces the {@link SecurityRule} attached to a flow, state or
 * transition definition by running an access decision against the current
 * {@link Authentication}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>A definition that carries no {@link SecurityRule#SECURITY_ATTRIBUTE_NAME} attribute is
 *       not checked at all by this listener; only annotated elements are protected.</li>
 *   <li>This class catches nothing: whatever the decision manager throws on denial propagates
 *       to the flow executor.</li>
 *   <li>When an {@link AccessDecisionManager} has been injected, this class does not read the
 *       rule's comparison type; the any/all semantics are then entirely up to that manager.</li>
 * </ul>
 */
public class CustomSecurityFlowExecutionListener extends FlowExecutionListenerAdapter {

    /** Optional externally configured decision manager; {@code null} selects the built-in fallback. */
    private AccessDecisionManager accessDecisionManager;

    /**
     * Returns the configured decision manager.
     *
     * @return the manager set through {@link #setAccessDecisionManager}, or {@code null} if none
     */
    public AccessDecisionManager getAccessDecisionManager() {
        return this.accessDecisionManager;
    }

    /**
     * Sets the decision manager used for every security rule.
     *
     * @param accessDecisionManager the manager to delegate to; {@code null} restores the
     *        role-voter based fallback built in {@link #decide}
     */
    public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
        this.accessDecisionManager = accessDecisionManager;
    }

    /**
     * Checks the flow-level security rule, if present, before a session for the flow is created.
     *
     * @param context the current request context (not used here)
     * @param definition the flow definition whose attributes may hold a {@link SecurityRule}
     */
    @Override
    public void sessionCreating(RequestContext context, FlowDefinition definition) {
        SecurityRule flowRule =
                (SecurityRule) definition.getAttributes().get(SecurityRule.SECURITY_ATTRIBUTE_NAME);
        if (flowRule == null) {
            // No rule on the flow: nothing is enforced at this hook.
            return;
        }
        decide(flowRule, definition);
    }

    /**
     * Checks the state-level security rule, if present, before the state is entered.
     *
     * @param context the current request context (not used here)
     * @param state the state definition whose attributes may hold a {@link SecurityRule}
     * @throws EnterStateVetoException declared by the overridden hook; not thrown by this body
     */
    @Override
    public void stateEntering(RequestContext context, StateDefinition state)
            throws EnterStateVetoException {
        SecurityRule stateRule =
                (SecurityRule) state.getAttributes().get(SecurityRule.SECURITY_ATTRIBUTE_NAME);
        if (stateRule == null) {
            // No rule on the state: nothing is enforced at this hook.
            return;
        }
        decide(stateRule, state);
    }

    /**
     * Checks the transition-level security rule, if present, before the transition executes.
     *
     * @param context the current request context (not used here)
     * @param transition the transition definition whose attributes may hold a {@link SecurityRule}
     */
    @Override
    public void transitionExecuting(RequestContext context, TransitionDefinition transition) {
        SecurityRule transitionRule =
                (SecurityRule) transition.getAttributes().get(SecurityRule.SECURITY_ATTRIBUTE_NAME);
        if (transitionRule == null) {
            // No rule on the transition: nothing is enforced at this hook.
            return;
        }
        decide(transitionRule, transition);
    }

    /**
     * Runs the access decision for {@code rule} against the authentication held by the current
     * security context.
     *
     * <p>If a decision manager was injected it is used as-is. Otherwise a one-off manager with a
     * single {@link RoleVoter} is built: {@link AffirmativeBased} for
     * {@link SecurityRule#COMPARISON_ANY}, {@link UnanimousBased} for
     * {@link SecurityRule#COMPARISON_ALL}.
     *
     * @param rule the rule to enforce
     * @param object the secured flow, state or transition definition, handed to the manager
     * @throws IllegalStateException if no manager is configured and the rule's comparison type is
     *         neither ANY nor ALL
     */
    protected void decide(SecurityRule rule, Object object) {
        // No null check is performed on the authentication; it is passed through unchanged.
        // NOTE(review): confirm how the configured manager/voters treat a null Authentication.
        Authentication currentAuthentication =
                SecurityContextHolder.getContext().getAuthentication();
        Collection requiredAttributes = getConfigAttributes(rule);

        if (this.accessDecisionManager != null) {
            // The rule's comparison type is not consulted on this path.
            this.accessDecisionManager.decide(currentAuthentication, object, requiredAttributes);
            return;
        }

        AbstractAccessDecisionManager fallbackManager = newFallbackManager(rule);
        fallbackManager.decide(currentAuthentication, object, requiredAttributes);
    }

    /**
     * Converts the rule's attribute names into {@link SecurityConfig} instances.
     *
     * @param rule the rule whose attributes are read; each element is cast to {@code String}
     * @return a new mutable list holding one {@link SecurityConfig} per rule attribute, in
     *         iteration order
     */
    protected List getConfigAttributes(SecurityRule rule) {
        List securityConfigs = new ArrayList();
        for (Object attributeName : rule.getAttributes()) {
            securityConfigs.add(new SecurityConfig((String) attributeName));
        }
        return securityConfigs;
    }

    /**
     * Builds the default decision manager used when none was injected.
     *
     * <p>NOTE(review): the only voter is a default {@link RoleVoter}, which votes only on
     * attributes carrying its role prefix ("ROLE_" unless reconfigured) and abstains on the rest.
     * With the unanimous manager an abstention is presumably not a denial, so an unprefixed
     * attribute in an ALL rule may be silently ignored; confirm flow definitions use prefixed
     * role names.
     */
    private AbstractAccessDecisionManager newFallbackManager(SecurityRule rule) {
        List roleVoters = new ArrayList();
        roleVoters.add(new RoleVoter());

        AbstractAccessDecisionManager manager;
        if (rule.getComparisonType() == SecurityRule.COMPARISON_ANY) {
            manager = new AffirmativeBased();
        } else if (rule.getComparisonType() == SecurityRule.COMPARISON_ALL) {
            manager = new UnanimousBased();
        } else {
            // Fail closed on an unrecognised comparison type rather than guessing a policy.
            throw new IllegalStateException("Unknown SecurityRule match type: " + rule.getComparisonType());
        }
        manager.setDecisionVoters(roleVoters);
        return manager;
    }
}