Bookmark and Share

How to: Spring Webflow 2 and Spring Security 3

There have been recent discussions in the Spring Framework group to make Spring Security 3 working with Spring Webflow 2. Enabling it is quite easy when working with Maven, however due to refactoring not all Spring Webflow classes are working (or actually resulting in a ClassNotFoundException).

Add dependency of Spring Webflow and Spring Security with Maven

Setup the following maven repositories:

<repository>
    <id>com.springsource.repository.bundles.release</id>
    <name>SpringSource Enterprise Bundle Repository - SpringSource Releases</name>
    <url>http://repository.springsource.com/maven/bundles/release</url>
</repository>
<repository>
    <id>com.springsource.repository.bundles.external</id>
    <name>SpringSource Enterprise Bundle Repository - External Releases</name>
    <url>http://repository.springsource.com/maven/bundles/external</url>
</repository>

And the following dependencies (in addition to the spring framework dependencies or whatever you require):

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>org.springframework.web</artifactId>
    <version>3.0.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>org.springframework.web.servlet</artifactId>
    <version>3.0.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.webflow</groupId>
    <artifactId>org.springframework.faces</artifactId>
    <version>2.0.8.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.core</artifactId>
    <version>3.0.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>3.0.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>3.0.0.RELEASE</version>
</dependency>

Setup Spring Security

Setup Spring Security as you would set it up usually. For example start with something like this:

<security:http auto-config="true">
    <security:form-login
        login-page="/login"
        login-processing-url="/loginProcess"
        default-target-url="/secureStartPage"
        authentication-failure-url="/login?login_error=1" />
    <security:logout logout-url="/logout" logout-success-url="/logoutSuccess" />
</security:http>

Webflow setup and custom class

Your webflow setup might be similar to the following:

<webflow:flow-executor id="flowExecutor">
    <webflow:flow-execution-listeners>
        <webflow:listener ref="securityFlowExecutionListener" />
    </webflow:flow-execution-listeners>
</webflow:flow-executor>

And exactly this securityFlowExecutionListener is the problem, as it will run into a runtime error due to classes that could not be found. So the solution for that is quite simple. First define the securityFlowExecutionListener as a reference to a custom bean:

<bean id="securityFlowExecutionListener" class="com.thoean.test.CustomSecurityFlowExecutionListener" />

The easiest is to copy the class org.springframework.webflow.security.SecurityFlowExecutionListener and adjust it accordingly so it compiles. My version can be downloaded here. Another version is available in the Spring Jira Issue.