Reputation: 4130
So, I am implementing a <binder> in my various flow definitions in order to secure what gets bound to the model from each page in the flow. So, a <binder> section might look like this:
<binder>
<binding property="name" />
<binding property="departmentId" />
<binding property="phoneNumber" />
<binding property="qualificationOverride" />
</binder>
My problem is that I don't want the "qualificationOverride" to bind to the model unless the user has a specified role (ROLE_MANAGER).
Anyone have any ideas?
Jason
Upvotes: 0
Views: 143
Reputation: 3787
What you could do is not bind it, and on submit get the value from requestParameters, then go to a decision state where you can use secured to check permission and set the value.
Something like this (I haven't tested it):
<view-state id="view" model="model">
<binder>
<binding property="name" />
<binding property="departmentId" />
<binding property="phoneNumber" />
<!--<binding property="qualificationOverride" />-->
</binder>
<transition on="submit" to="bindIfManager">
<set name="flowScope.qualificationOverride" value="requestParameters.qualificationOverride"/>
</transition>
</view-state>
<action-state id="bindIfManager">
<!-- you will have to implement this, basically user.getAuthorities.contains(new SimpleGrantedAuthority(role))-->
<evaluate expression="securityAction.isUserInRole(currentUser, 'ROLE_MANAGER')"/>
<transition on="yes" to="finish">
<set name="model.qualificationOverride" value="flowScope.qualificationOverride"/>
</transition>
<transition on="no" to="finish"/>
</action-state>
Upvotes: 1
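One way to write the securityAction.isUserInRole helper that the answer above leaves to the reader, as an added example that is not part of the original answer. The class name SecurityAction and its registration as the "securityAction" bean are assumptions, and it assumes Spring Security is in use so that Web Flow's currentUser is an Authentication.

```java
import java.security.Principal;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical helper (assumption): registered as the bean "securityAction"
// that the action-state's <evaluate> expression calls.
public class SecurityAction {

    // Returns true only for an authenticated, non-anonymous user holding the
    // exact authority. Web Flow maps the boolean result to "yes"/"no" events.
    public boolean isUserInRole(Principal currentUser, String role) {
        // Fail closed: no principal, no role, or not a Spring Security token.
        if (role == null || !(currentUser instanceof Authentication)) {
            return false;
        }
        Authentication auth = (Authentication) currentUser;
        if (!auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // Constructed sample users, only to show the three outcomes.
    public static void main(String[] args) {
        SecurityAction action = new SecurityAction();
        Principal manager = new UsernamePasswordAuthenticationToken("alice", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_MANAGER"));
        Principal clerk = new UsernamePasswordAuthenticationToken("bob", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        Principal anonymous = new AnonymousAuthenticationToken("key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        System.out.println("manager:   " + action.isUserInRole(manager, "ROLE_MANAGER"));
        System.out.println("clerk:     " + action.isUserInRole(clerk, "ROLE_MANAGER"));
        System.out.println("anonymous: " + action.isUserInRole(anonymous, "ROLE_MANAGER"));
        System.out.println("no user:   " + action.isUserInRole(null, "ROLE_MANAGER"));
    }
}
```

Because the check returns false for a missing or anonymous principal, the flow takes the "no" transition and a submitted qualificationOverride parameter never reaches the model.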