Thanks Jermey for the reply, maybe then if you get a chance you can then double check if things are ok with this set up...
First the architecture:
1) There is only swf file that needs to be accessed by anyone since it holds the login form within flex
2) It's ok if all remote calls through the broker have at least a ROLE_USER after log in as successful.
Would this approach then be ok? (If not, what's a better approach. I did read over the docs here http://static.springsource.org/sprin...0.x/reference/ but it seems a bit sparse on 'best approaches' so appreciate the suggestions):
Then I also set up:
<intercept-url pattern='/messagebroker/**' access='ROLE_USER' />
<intercept-url pattern='/**/*' filters='none' />
Then I have my one bean (my single remote object that all access goes through):
<flex:message-service default-channels="emp-maint-amf" />
Would my session by ok with the above? It seems simple, but not sure if I'm missing something.
<bean id="flexDelegate" class="com.clevertide.empmaint.delegate.FlexDelegate">
<security:protect method="save*" access="ROLE_ADMIN,ROLE_MANAGER" />
Thanks for your time.