
SpringSecurity with Flex Blaze Login

I have a Spring web server set up that uses Blaze, and I now wish to develop my GUI. I am using Spring Security for login; the desired result is a login screen that, if login is successful, starts the main application with the user details. I have read much of the docs and I am still unsure how to implement this.

I understand that to get the user after login I can retrieve it from the message body using channelset.login, but I really need help implementing the login logic. Any help would be much appreciated.

This is my securitycontext.xml; my Blaze is set up fine, as it remotes Java objects through the channel my-amf.

HTML Code:
<http auto-config="true">
    <intercept-url pattern="/index.html" filters="none"/>
    <intercept-url pattern="*.html" access="ROLE_CLIENT"/>
    <form-login login-page="/login.jsp" default-target-url="/index.html"/>
</http>

<beans:bean id="entryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</authentication-manager>

Please bear with me as I am completely new to Spring, and I would greatly appreciate any help you can offer. Thanks

Chris

Hi Chris,

Why can't you have a flex login screen?

Hi,
I want a Flex login screen, but I am unsure how to create this. Do I have to create a remote service to authenticate users, or is there a Spring default service that I can access that will do this for me?

Following should work for you

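flex code
Code:
// ChannelSet must be instantiated before channels can be added to it
var channelSet:ChannelSet = new ChannelSet();
var channel:Channel;

// Look up the channel defined in services-config
channel = ServerConfig.getChannel("user-amf") as AMFChannel;
channelSet.addChannel(channel);
// The login outcome is delivered through result/fault events
channelSet.addEventListener(ResultEvent.RESULT, onLoginResult);
channelSet.addEventListener(FaultEvent.FAULT, onLoginFault);
channelSet.login(username, password);
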
web.xml
Code:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>messagebroker</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>messagebroker</servlet-name>
    <url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>

messagebroker-servlet
Code:
<flex:message-broker>
    <flex:remoting-service default-channels="user-amf" />
    <flex:secured />
</flex:message-broker>

spring-security.xml
Code:
<security:http auto-config="true">
    <security:intercept-url pattern="/**" filters="none" />
</security:http>

services-config
Code:
<services-config>
    <channels>
        <channel-definition id="user-amf"
                class="mx.messaging.channels.AMFChannel">
            <endpoint
                url="sampleApp/messagebroker/amf"
                class="flex.messaging.endpoints.AMFEndpoint" />
        </channel-definition>
    </channels>
</services-config>

Thanks, this helped a lot, but what I am wondering is if there is any way to check whether the session is already authenticated. For example, I have a login panel with 2 states: when I log in, it changes to the logged in state that only offers the logout functionality, but if I close the browser and start the Flex screen again, instead of returning to the logged in state the panel reverts to the default state.

Thus, is there any way to check that a session is already active?

I am wondering is if there is any way to check whether the session is already authenticated

You can make a remote call to the middle tier and check if there is an authenticated session.
Code:
AuthenticationResultUtils.getAuthenticationResult()
If there is an authenticated session, the above code will return a map with the user name and his authorities. If not, it will return null.

Depending on the result, you can decide whether to show the login screen or not.

What excellent timing!
I was just about to ask: If my web client is already authenticated with Spring, can I use that session authentication to secure the Flex/BlazeDS connection? In my case, I'm looking for the server-side logic or Filter that will reject the BlazeDS connection if the session is/was not already authenticated.
[the client can redirect itself to an HTML page to login/authenticate]

Can you point to the simplest way to achieve this?

In my case, I'm looking for the server-side logic or Filter that will reject the BlazeDS connection if the session is/was not already authenticated.
[the client can redirect itself to an HTML page to login/authenticate]

Your first call when the web client loads can be a server-side call (to a Spring controller or something) to check if the Spring Security context already has an authenticated user.
Code:
SecurityContextHolder.getContext().getAuthentication()
So depending on this result, you can decide what to do (show the login page or not).

BTW, is your login page a JSP? After successful authentication you load the swf?

Amila, thanks for the response.

The user logs in via normal web form (Spring Roo for now, which is a jsp)
After browsing a few web pages, they may select to load a .swf

The swf will then connect using the Flex/BlazeDS integration,
and attempt to use various 'service' interfaces.
[I cannot reliably control the sequence of those requests]

So I would like for the Flex/BlazeDS 'connection' to handle verification
of authentication, rather than adding the test to each Controller/Service method.

Seems that since Spring-security has been inserted in the Flex/BlazeDS framework
this should be simple or trivial, but I'm not sure where/how to set it up.

Previously, I was doing authentication from within the Flex app,
but I want to transition to using the session/authentication setup in the normal http web session.
(if that is possible and easy)


Originally Posted by Jack Punt
Can you point to the simplest way to achieve this?

In that scenario, you would want to actually secure the URL(s) for your Flex client, so that the filters will stop the page from being loaded and redirect. You can do this pretty easily using the <intercept-url> element in your Spring Security configuration.

See here for a start (scroll down a bit to the "Form and Basic Login Options" section):
sprin...tml#ns-minimal

The key would be to prohibit access to both the containing HTML page, as well as the actual .swf resource unless the user is authenticated.  That way the filters will kick in and redirect as necessary.
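
The restriction described in the reply above, shown as an added example that is not part of the original posts. It uses the Spring Security 3.0 namespace syntax seen in this thread and assumes the form-login-first scenario, with the `ROLE_CLIENT` role and `/login.jsp` page from the first post and the `/messagebroker/*` mapping from the web.xml above; the `.swf` pattern is an assumption, since the thread never names the file.

```xml
<!-- Added example. Patterns are evaluated top to bottom; the first match wins. -->

<!-- Configuration from the earlier reply, kept here for comparison:
     with filters="none" on every URL, no request passes through the
     security filters, so nothing is ever redirected to the login page.

<security:http auto-config="true">
    <security:intercept-url pattern="/**" filters="none" />
</security:http>
-->

<!-- Restricted configuration: the wrapper page, the .swf and the
     BlazeDS endpoint all require an authenticated ROLE_CLIENT session. -->
<security:http auto-config="true">
    <!-- The login page must stay reachable, otherwise the redirect loops. -->
    <security:intercept-url pattern="/login.jsp" filters="none" />

    <!-- HTML wrapper pages that embed the Flex client. -->
    <security:intercept-url pattern="/**/*.html" access="ROLE_CLIENT" />

    <!-- The compiled client itself, so it cannot be fetched directly
         (assumed pattern; adjust to where the .swf is served from). -->
    <security:intercept-url pattern="/**/*.swf" access="ROLE_CLIENT" />

    <!-- The BlazeDS endpoint mapped in web.xml: remoting calls without an
         authenticated session are stopped before they reach the broker. -->
    <security:intercept-url pattern="/messagebroker/**" access="ROLE_CLIENT" />

    <security:form-login login-page="/login.jsp"
                         default-target-url="/index.html" />
</security:http>
```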