Spring BlazeDS Security

[Java Developer]

I was wondering which is the best way to go about designing this --

I have a J2EE application which has security for different url links within the app. One of the links takes the user to a Flex application. How do I handle the user directly keying in the Flex application URL. I am using the Spring BlazeDS integration module, do I plug in Spring Security along with this.

I've got only layman'ish knowledge on Spring security, I see the documentation on how this is done for an xml based role but I have to hit the database to verify the user's authentication.

[Java Developer]

I noticed the following in the newer release
http://static.springsource.org/sprin....html#security

<flex:message-broker>
<flex:secured login-command="myLoginCommand"/>
</flex:message-broker>

What is the equivalent in org.springframework.flex-1.0.0.RC1

[Java Developer]

I have updated my release to spring-flex-1.5.0.M2 and have followed the instructions at Spring Flex JIRA but I still get the following error.

How do I fix this configuration.

Code:

# Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.c:   
# The matching wildcard is strict, but no declaration can be found for element 'flex:message-broker'.

Updated -- I used org.springframework.flex-1.0.3.RELEASE and it works but it doesn't seem to have login-command.

[jeremyg484]

You shouldn't need to use a custom LoginCommand to change the method of Authentication to use the database. Rather, you should just change the base Spring Security configuration to use a different authentication scheme. I would suggest taking a thorough look at the Spring Security docs, in particular you'll probably want to start here:

http://static.springsource.org/sprin...auth-providers

[Java Developer]

Thanks, I have just started working on this but I have quick question while I am at it.

I already have a POJO which has the user roles in the (J2EE and Flex) session scope created during SSO. I only need to authenticate if the user can the role required to access this Flex app.

If I use Spring security mentioned in 2.2.3 how does it differentiate the authentication for the Flex app since the rest of the web app does not require security.

[Java Developer]

I have got the basic Spring Security to work and it brings up the default Spring login page for

Code:

<http auto-config = "true"> 
	<intercept-url pattern="/AdminPage.jsp" access="NEED_TO_UPDATE_ROLE" /> 
</http>

I tried

Code:

<authentication-provider user-service-ref="userDetailsService" />  
	<beans:bean id="userDetailsService" class="com.util.MyUserDetailsService">     
</beans:bean>  

public class MyUserDetailsService implements UserDetailsService  
{  
	public UserDetails loadUserByUsername(String username)  
	{  
		System.out.println("Is this method being called");  
		return null;  
	}  
}

But it would not hit MyUserDetailsService, I continue to get the Spring login page.

[Java Developer]

Alright, finally I got it to hit MyUserDetailsService

I removed

Code:

<!--       
<beans:bean id="userDetailsService" class="com.util.MyUserDetailsService">     
</beans:bean>  
-->

and added the service annotation

Code:

@Service("userDetailsService")  
public class MyUserDetailsService implements UserDetailsService  
{  
	public UserDetails loadUserByUsername(String arg0)  
	throws UsernameNotFoundException, DataAccessException {  
		// TODO Auto-generated method stub  
		return null;  
	}  

}

Need some direction on how to proceed from here... I don't have the typical Spring User tables so I would like to use an existing schema to validate the user name already present in the session.