How to setup Spring Security 3 and Flex Integration 1.5 with multiple entry points ?

[Cybrid]

Hello all,

First of all thanks to anyone answering. Right now I'm working on an application with a Flex based user frontend and a Web based Admin frontend, both have their own log in/authentication forms. Basically what I'm trying to achieve is to have them both use the same authentication mechanism. The problem I'm facing is that I get an exception when I configure both to run at the same time, what I understand from the exception is that the <security:form-login> element automatically generates its own SessionFixationProtectionStrategy so when I add the entry point for Flex I get a colision. I've been trying to find information as to how to get this 2 entry points working together but so far the search has been fruitless, It'd be great if anyone could shed some light on this issue.

Edit: I forgot to add that the admin web interface and the user flash interface are configured usin 2 different servlets. ie: my web.xml has 2 servlet elements.

Thanks in advance.

[Cybrid]

Here my security config:

Code:

<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
    
    
    <security:http pattern="/messagebroker/**" entry-point-ref="flexEntryPoint">
    	<security:anonymous enabled="false"/>
    	<security:session-management>
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </security:session-management>
    </security:http>
    
    <bean id="flexEntryPoint" class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>
   
    <!--  -->
    <security:http pattern="/favicon.ico" security="none"/>
    <security:http pattern="/login*" security="none"/>
    <security:http pattern="/logoutSuccess*" security="none"/>
    <security:http pattern="/apollo/css/**" security="none"/>
    <security:http pattern="/apollo/js/**" security="none"/>
    <security:http pattern="/apollo/img/**" security="none"/>
    <security:http pattern="/common/css/**" security="none"/>
    <security:http pattern="/common/js/**" security="none"/>
    <security:http pattern="/common/img/**" security="none"/>
    <security:http pattern="/MoneyManager.swf" security="none"/>
    <security:http pattern="/assets/**" security="none"/>
    <security:http pattern="/index.jsp" security="none"/>
    
    <security:http servlet-api-provision="true" >

        <security:intercept-url pattern="/cms/*" access="ROLE_ADMIN"/>
        <security:intercept-url pattern="/cms/users/*" access="ROLE_ADMIN,ROLE_USER_MANAGER"/>
        <security:intercept-url pattern="/cms/content/*" access="ROLE_ADMIN,ROLE_CONTENT_MANAGER"/>        
        <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />

        <security:form-login  login-page="/login.html" default-target-url="/home.html" 
        					always-use-default-target="false" authentication-failure-url="/login.html"/>
        					
        <security:remember-me/>
        <security:logout logout-success-url="/login.html" />
		
    </security:http>
   
    
    <!-- LISTENERS TO UPDATE USERS ON SUCCESSFUL AND FAILED LOGIN ATTEMPTS -->
    <bean id="successfulLogInListener" class="uk.co.ecube.web.security.SuccessfulLogInListener"/>
    <bean id="failedLogInListener" class="uk.co.ecube.web.security.FailedLogInListener"/>
  	
  	<security:authentication-manager>
    	<security:authentication-provider user-service-ref='userService'>
    		<security:password-encoder ref="passwordEncoder">
    			<security:salt-source ref="saltSource" />
    		</security:password-encoder>
    	</security:authentication-provider>
  	</security:authentication-manager>

    <bean id="saltSource" class="uk.co.ecube.core.security.CustomSaltSource" />
    <bean id="passwordEncoder" class="uk.co.ecube.core.security.CustomPasswordEncoder" />
</beans>

[Cybrid]

Here the exception:

Code:

2011-09-20 09:45:03,859 INFO [org.springframework.beans.factory.support.DefaultListableBeanFactory] - <Destroying singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@115d277: defining beans [_messageBrokerHandlerAdapter,_messageBrokerDefaultHandlerMapping,_jsonConfigMapEditorConfigurer,_messageBrokerMessagingProcessor,_messageBrokerRemotingProcessor,_flexRemotingAnnotationPostProcessor,_hibernateSerializationConfigPostProcessor,org.springframework.flex.core.ExceptionTranslationAdvice#0,org.springframework.flex.core.EndpointServiceMessagePointcutAdvisor#0,_loginCommandPostProcessor,_messageBrokerLoginCommand,org.springframework.flex.core.LoginCommandConfigProcessor#0,org.springframework.flex.security3.SecurityExceptionTranslator#0,org.springframework.flex.security3.PerClientAuthenticationInterceptor#0,org.springframework.flex.security3.LoginMessageInterceptor#0,org.springframework.flex.core.MessageInterceptionAdvice#0,org.springframework.flex.core.EndpointServiceMessagePointcutAdvisor#1,_messageBrokerEndpointProcessor,_messageBroker,org.springframework.flex.remoting.RemotingDestinationExporter#0,org.springframework.flex.remoting.RemotingDestinationExporter#1,org.springframework.flex.remoting.RemotingDestinationExporter#2,org.springframework.flex.remoting.RemotingDestinationExporter#3,org.springframework.flex.remoting.RemotingDestinationExporter#4,org.springframework.flex.core.io.JpaHibernateConfigProcessor#0]; parent: org.springframework.beans.factory.support.DefaultListableBeanFactory@1c5ddd3>
2011-09-20 09:45:03,859 ERROR [org.springframework.web.servlet.DispatcherServlet] - <Context initialization failed>
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name '_loginCommandPostProcessor': Unsatisfied dependency expressed through bean property 'sessionAuthenticationStrategy': : No unique bean of type [org.springframework.security.web.authentication.session.SessionAuthenticationStrategy] is defined: expected single matching bean but found 2: [org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy#0, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#0]; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [org.springframework.security.web.authentication.session.SessionAuthenticationStrategy] is defined: expected single matching bean but found 2: [org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy#0, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#0]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireByType(AbstractAutowireCapableBeanFactory.java:1167)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1059)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:295)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:292)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:198)
	at org.springframework.context.support.AbstractApplicationContext.registerBeanPostProcessors(AbstractApplicationContext.java:727)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:440)
	at org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:442)
	at org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:458)
	at org.springframework.web.servlet.FrameworkServlet.initWebApplicationContext(FrameworkServlet.java:339)
	at org.springframework.web.servlet.FrameworkServlet.initServletBean(FrameworkServlet.java:306)
	at org.springframework.web.servlet.HttpServletBean.init(HttpServletBean.java:133)
	at javax.servlet.GenericServlet.init(GenericServlet.java:212)
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
	at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
	at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4421)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4734)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
	at org.apache.catalina.core.StandardService.start(StandardService.java:525)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [org.springframework.security.web.authentication.session.SessionAuthenticationStrategy] is defined: expected single matching bean but found 2: [org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy#0, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#0]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:796)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:703)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireByType(AbstractAutowireCapableBeanFactory.java:1152)
	... 32 more
e.ContainerBase.start(ContainerBase.java:1057)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
	at org.apache.catalina.core.StandardService.start(StandardService.java:525)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)

[Cybrid]

No takers on this one?

[kannanMugundan]

Did you solve this issue

[oh]

You should declare explicitly the session authentication strategy. For example :

Code:

    <http entry-point-ref="entryPoint" pattern="/messagebroker/**">
        <session-management session-authentication-strategy-ref="sas"/>
        <anonymous enabled="false"/>
    </http>
    
    <beans:bean id="entryPoint" 
        class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>
    
    <http entry-point-ref="restAuthenticationEntryPoint" pattern="/rest/**">
        <session-management session-authentication-strategy-ref="sas"/>
        <anonymous enabled="false"/>
        <http-basic/>
    </http>

    <beans:bean id="sas"
      class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>