The secured element designates that its containing element should apply the authorization check before fully entering. This may not occur more than once per stage of the flow execution that is secured.
Three phases of flow execution can be secured: flows, states and transitions. In each case the syntax for the secured element is identical. The secured element is located inside the element it is securing. For example, to secure a state the secured element occurs directly inside that state:
<view-state id="secured-view">
    <secured attributes="ROLE_USER" />
    ...
</view-state>
The attributes attribute is a comma-separated list of Spring Security authorization attributes.
Often, these are specific security roles.
The attributes are compared against the user's granted attributes by a Spring Security access decision manager.
<secured attributes="ROLE_USER" />
By default, a role-based access decision manager is used to determine if the user is allowed access. This will need to be overridden if your application is not using authorization roles.
There are two types of matching available: any and all.
Any allows access if at least one of the required security attributes is granted to the user.
All allows access only if each of the required security attributes is granted to the user.
<secured attributes="ROLE_USER, ROLE_ANONYMOUS" match="any" />
The match attribute is optional.
If not defined, the default value is any.
The match attribute will only be respected if the default access decision manager is used.
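The following flow definition is an added example, not part of the original documentation. It places the secured element at each of the three levels (flow, state and transition) and uses match="all" on one state. The state ids and role names are hypothetical, and the checks are assumed to be enforced by a SecurityFlowExecutionListener registered with the flow executor.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example flow: state ids and role names are hypothetical. -->
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow
                          http://www.springframework.org/schema/webflow/spring-webflow.xsd">

    <!-- Flow level: checked before the flow is entered. -->
    <secured attributes="ROLE_USER" />

    <view-state id="summary">
        <!-- Transition level: checked before this transition is taken.
             The cancel transition below carries no check of its own. -->
        <transition on="approve" to="approval">
            <secured attributes="ROLE_MANAGER" />
        </transition>
        <transition on="cancel" to="cancelled" />
    </view-state>

    <view-state id="approval">
        <!-- State level: match="all" requires every listed attribute.
             Omitting match falls back to the default "any", which would
             admit a user who holds only one of the two roles. -->
        <secured attributes="ROLE_MANAGER, ROLE_AUDITOR" match="all" />
        <transition on="confirm" to="approved" />
    </view-state>

    <end-state id="approved" />
    <end-state id="cancelled" />
</flow>
```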