SpringSecurity + Cannot find destination / method + Server.ResourceUnavailable

Hi,

I'm currently doing a proof of concept migrating an existing BlazeDS + spring app to spring-flex. Everything seemed to be working fine until I try to integrate spring security.

My error from the flex client is: faultCode="Server.ResourceUnavailable" faultDetail="Method 'METHOD_NAME_HERE' not found."

However:
- the method call works perfectly fine when no security is enabled
- I turned on DEBUG logging for spring.security, and spring security logs / correctly adds security to the spring bean + adds security to the methods, so for all intents and purposes spring security is correctly configured
- I thought it might be related to the dynamic destination sticky post. I blew away my flexbuilder project and compiled against services-cofig.xml but this did not fix.
- I painstakingly compared my config files w/ that of Chris Coenraet's and everything appears to be inline.
- Requests w/ spring security enabled go through the appropriate SpringSecurity filter

Can anyone share some insight / advise why adding spring security would cause the destination + method to no longer be seen?

Many thanks

That sounds a little strange...not sure exactly what could be happening there without seeing more details of your configuration.

Hey Jeremy,

Thanks for the reply. I've been digging at this thing for awhile now and I finally got some headway but I don't have complete answers yet. The reason for failure seems to stem from the fact My destination / spring bean implements InitializingBean.

I've also reproduced it in Chris Coenraets TestDrive(latest one); if you take his ProductDAO and implement InitializingBean you'll get the same / my error.

Hi Jeremy,

I believe it to be a bug in spring flex. I tried to reproduce it in the simplest way so I:
1. Took the spring-security 2.0.4 sample spring-security-samples-tutorial-2.0.4.war, got it to compile + run from my local tomcat etc.
2. added implements InitialingBean to BankServiceImpl
3. invoked BankService.post() which is protected by ROLE_TELLER

Result is everything worked as expected

http://jira.springframework.org/browse/FLEX-36

I don't believe this is a bug in Spring Security or Spring Flex but rather the standard behavior of Spring AOP's dynamic proxying which is used by Spring Security to apply security as an aspect. If you proxy a target class which implements no interfaces it will use CGLIB to create a dynamic subclass of the target. This means that all methods available on the target are available on the proxy. If you proxy a target class which implements at least one interface, Spring will create a JDK dynamic proxy with only the methods defined in the interfaces that the target class implements. Two ways to fix this:

1. Force the use of CGLIB proxying
2. Add an interface which contains the methods from the original DAO class and implement this interface and the InitializingBean interface

More info and a link to the docs here:

http://histos.net/blog/2006/12/spring_aop_cgli.html

Hi Cliff,

>>I've also reproduced it in Chris Coenraets TestDrive(latest one); if you take his ProductDAO and implement InitializingBean you'll get the same / my error.

I'm familiar w/ AOP + proxying. As I had mentioned earlier, if you take a look at Chris Coenraet's Spring Flex test drive, you'll see it follows #2 of your suggestions.

http://coenraets.org/blog/2009/03/springblazeds-integration-test-drive-m2-update-available/

I'm familiar w/ AOP + proxying. As I had mentioned earlier, if you take a look at Chris Coenraet's Spring Flex test drive, you'll see it follows #2 of your suggestions.


Unless you are looking at a different version of the samples from me, this does not appear to be true for the ProductDAO, which is the one you cite in the ticket as causing the error. Indeed, I can reproduce the situation by making ProductDAO implement InitializingBean, but the problem is that ProductDAO does not implement an interface for the actual business methods being invoked over RPC. If you extract an interface for the invoked methods, everything works as expected. This is all expected behavior with Spring's proxy-based AOP. I'm marking the issue as invalid.

Jeremy,

I was looking at my old example and I was wrong. I was working very late / early into the morning at the time migrating a large existing BlazeDS project to Spring BlazeDS and all I can say for myself is that I must have got lost or confused. Very sorry to have wasted your time

Cheers