Spring Webflow Client Repository

Flow execution storage on client via form/request parameter.

License

License

Categories

Categories

CLI User Interface
GroupId

GroupId

org.apereo
ArtifactId

ArtifactId

spring-webflow-client-repo
Last Version

Last Version

1.0.3
Release Date

Release Date

Type

Type

jar
Description

Description

Spring Webflow Client Repository
Flow execution storage on client via form/request parameter.
Project URL

Project URL

https://github.com/Apereo/spring-webflow-client-repo
Project Organization

Project Organization

Apereo
Source Code Management

Source Code Management

https://github.com/Apereo/spring-webflow-client-repo

Download spring-webflow-client-repo

How to add to project

<!-- https://jarcasting.com/artifacts/org.apereo/spring-webflow-client-repo/ -->
<dependency>
    <groupId>org.apereo</groupId>
    <artifactId>spring-webflow-client-repo</artifactId>
    <version>1.0.3</version>
</dependency>
// https://jarcasting.com/artifacts/org.apereo/spring-webflow-client-repo/
implementation 'org.apereo:spring-webflow-client-repo:1.0.3'
// https://jarcasting.com/artifacts/org.apereo/spring-webflow-client-repo/
implementation ("org.apereo:spring-webflow-client-repo:1.0.3")
'org.apereo:spring-webflow-client-repo:jar:1.0.3'
<dependency org="org.apereo" name="spring-webflow-client-repo" rev="1.0.3">
  <artifact name="spring-webflow-client-repo" type="jar" />
</dependency>
@Grapes(
@Grab(group='org.apereo', module='spring-webflow-client-repo', version='1.0.3')
)
libraryDependencies += "org.apereo" % "spring-webflow-client-repo" % "1.0.3"
[org.apereo/spring-webflow-client-repo "1.0.3"]

Dependencies

compile (7)

Group / Artifact Type Version
org.slf4j : slf4j-api jar 1.7.7
org.slf4j : jcl-over-slf4j jar 1.7.7
log4j : log4j jar 1.2.17
org.springframework.webflow : spring-webflow jar 2.4.1.RELEASE
commons-codec : commons-codec jar 1.9
org.cryptacular : cryptacular jar 1.0
org.springframework : spring-core jar 4.1.1.RELEASE

runtime (1)

Group / Artifact Type Version
org.slf4j : slf4j-log4j12 jar 1.7.7

test (3)

Group / Artifact Type Version
junit : junit jar 4.11
org.springframework : spring-test jar 4.1.1.RELEASE
org.springframework : spring-webmvc jar 4.1.1.RELEASE

Project Modules

There are no modules declared in this project.

Spring Webflow Client Repository Maven Central Mergify Status

This project provides a facility for storing flow execution state on the client in Spring Webflow 2.x. Flow state is stored as an encoded byte stream in the flow execution identifier provided to the client when rendering a view. It effectively provides a replacement for ClientContinuationFlowExecutionRepository that was available for Spring Webflow 1.x, but with the following notable improvements:

  • Support for conversation management (e.g. flow scope)
  • Encryption of encoded flow state to prevent tampering by malicious clients

Building Build Status

mvn clean install

Integration

Add spring-webflow-client-repo to your application:

<dependency>
    <groupId>org.apereo</groupId>
    <artifactId>spring-webflow-client-repo</artifactId>
    <version>1.0.3</version>
</dependency>

Usage

ClientFlowExecutionRepository is the core component for proving for client side flow state storage. The following configuration snippet demonstrates how to wire up the component in a Webflow project:

<bean name="flowExecutor" class="org.springframework.webflow.executor.FlowExecutorImpl">
  <constructor-arg ref="flowRegistry" />
  <constructor-arg ref="flowExecutionFactory" />
  <constructor-arg ref="flowExecutionRepository" />
</bean>

<webflow:flow-registry id="flowRegistry">
  <webflow:flow-location path="test-flow.xml" id="test"/>
</webflow:flow-registry>

<bean name="flowExecutionFactory" class="org.springframework.webflow.engine.impl.FlowExecutionImplFactory"
      p:executionKeyFactory-ref="flowExecutionRepository"
      p:executionListenerLoader-ref="listenerLoader"/>

<bean id="flowExecutionRepository" class="org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository">
  <constructor-arg ref="flowExecutionFactory" />
  <constructor-arg ref="flowRegistry" />
  <constructor-arg ref="transcoder" />
</bean>

<bean id="listenerLoader" class="org.springframework.webflow.execution.factory.StaticFlowExecutionListenerLoader">
  <constructor-arg>
    <list>
      <!--
      <ref bean="firstExecutionListener" />
      <ref bean="secondExecutionListener" />
      <ref bean="thirdExecutionListener" />
      -->
    </list>
  </constructor-arg>
</bean>

<bean id="transcoder" class="org.apereo.spring.webflow.plugin.EncryptedTranscoder"
      p:compression="true" />

Requirements

Since the flow state is maintained in the flow execution identifier, the execution parameter MUST be stored in the response rendered to the client as either a request parameter or hidden form parameter. When rendering a form for user input, a hidden parameter is convenient:

<form:form modelAttribute="command" action="action.html">
  <input type="hidden" name="execution" value="${flowExecutionKey}" />

  <fieldset>
    ... 
    <div class="button">
      <input type="submit" id="save" name="_eventId_save" value="save"/>
      <input type="submit" name="_eventId_cancel" value="cancel"/>
    </div>
  </fieldset>
</form:form>

Security

Since the server is providing data to the client for which the server is the authority, the state MUST be validated when it is returned to the server after a round trip. There are two obvious strategies:

  1. Symmetric encryption using a key known exclusively to the server.
  2. Attaching a digital signature to the state that is verfied on post.

This project provides an implementation using symmetric encryption since it is simpler to implement and has the desirable property of hiding state details from the client. The Transcoder component provides a straightforward extension point to implement other encoding mechanisms.

org.apereo

Apereo Foundation

Versions

Version
1.0.3