States, transitions, and entire flows can be secured in Spring Web Flow by using the <secured> element as a child of those elements. For example, to secure access to a view state, you might use <secured> like this:
1 <view-state id="restricted"> 2 <secured attributes="ROLE_ADMIN" match="all"/> 3 </view-state>
As configured here, access to the view state will be restricted to only users who are granted ROLE_ADMIN access (per the attributes attribute). The attributes attribute takes a comma-separated list of authorities that the user must have to gain access to the state, transition, or flow. The match attribute can be set to either any or all . If it’s set to any , then the user must be granted at least one of the authorities listed in attributes . If it’s set to all , then the user must have been granted all the authorities.You may be wondering how a user is granted the authorities checked for by the <secured> element.