7.4. The SecurityFlowExecutionListener

Defining security rules in the flow by themselves will not protect the flow execution. A SecurityFlowExecutionListener must also be defined in the webflow configuration and applied to the flow executor.

<webflow:flow-executor id="flowExecutor" flow-registry="flowRegistry">
    <webflow:flow-execution-listeners>
        <webflow:listener ref="securityFlowExecutionListener" />
    </webflow:flow-execution-listeners>
</webflow:flow-executor>

<bean id="securityFlowExecutionListener" 
      class="org.springframework.webflow.security.SecurityFlowExecutionListener" />

If access is denied to a portion of the application, an AccessDeniedException will be thrown. Spring Security later catches this exception and uses it to prompt the user to authenticate. It is important that the exception be allowed to travel up the execution stack uninhibited; if it is caught and swallowed on the way, the end user may never be prompted to authenticate.

Custom Access Decision Managers

If your application is using authorities that are not role based, you will need to configure a custom AccessDecisionManager. You can override the default decision manager by setting the accessDecisionManager property on the security listener. Please consult the Spring Security reference documentation to learn more about decision managers.

<bean id="securityFlowExecutionListener"
      class="org.springframework.webflow.security.SecurityFlowExecutionListener">
    <property name="accessDecisionManager" ref="myCustomAccessDecisionManager" />
</bean>
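As an added illustration (not code from the Web Flow reference or the Spring Web Flow project), the following class is one way to write the custom AccessDecisionManager that the bean above refers to as myCustomAccessDecisionManager. The class and package names are hypothetical. It assumes that the attributes listed in a flow's secured element are plain authority names (not necessarily ROLE_-prefixed) and applies "any" semantics, i.e. access is granted when the principal holds at least one of them; it denies by default when no attribute is configured, and raises an authentication exception for an unauthenticated caller so that Spring Security can prompt for login rather than merely refusing access.

```java
package example.security; // hypothetical package name

import java.util.Collection;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Hypothetical decision manager that grants access when the authenticated
 * principal holds at least one of the authorities named in the flow's
 * secured element (for example <secured attributes="PERM_EDIT_ORDER"/>).
 * Authorities are compared as plain strings, so the ROLE_ prefix is not required.
 *
 * Wire it as the bean referenced by the accessDecisionManager property:
 *   <bean id="myCustomAccessDecisionManager"
 *         class="example.security.PermissionAccessDecisionManager" />
 */
public class PermissionAccessDecisionManager implements AccessDecisionManager {

    public void decide(Authentication authentication, Object secured,
                       Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {

        // An unauthenticated caller gets an authentication exception so that
        // Spring Security's exception handling can start the login process.
        if (authentication == null || !authentication.isAuthenticated()) {
            throw new InsufficientAuthenticationException("Authentication required");
        }

        // Deny by default: a secured element with no attributes grants nothing.
        if (configAttributes == null || configAttributes.isEmpty()) {
            throw new AccessDeniedException("No access attributes configured");
        }

        // "Any" semantics: one matching authority is enough.
        for (ConfigAttribute attribute : configAttributes) {
            String required = attribute.getAttribute();
            if (required == null) {
                continue; // non-string attributes are not understood by this manager
            }
            for (GrantedAuthority granted : authentication.getAuthorities()) {
                if (required.equals(granted.getAuthority())) {
                    return; // access granted; let the flow proceed
                }
            }
        }

        // Let the exception propagate uninhibited so Spring Security can act on it.
        throw new AccessDeniedException("Missing required authority");
    }

    public boolean supports(ConfigAttribute attribute) {
        // Any attribute that carries a plain string value is understood.
        return attribute != null && attribute.getAttribute() != null;
    }

    public boolean supports(Class<?> clazz) {
        // The secured object type is irrelevant to this decision.
        return true;
    }
}
```

Because the listener delegates the whole decision to this object, the match type of the flow's security rule (any versus all attributes) is this class's responsibility; a manager for "all" semantics would reject the request as soon as one required authority is missing instead of returning on the first match.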