Spring-Flex 1.0.2 + Security 3 Problem

[neoviktor]

Hi, today I tried to use the new release of spring flex with spring security 3.
Once configured I got a exception:

Error creating bean with name '_messageBrokerDefaultHandlerMapping':
Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationExce ption:
Error creating bean with name '_messageBroker':
Cannot resolve reference to bean '_messageBrokerEndpointProcessor' while setting bean property 'configProcessors' with key [3];
nested exception is org.springframework.beans.factory.BeanCreationExce ption:
Error creating bean with name '_messageBrokerEndpointProcessor':
Cannot resolve reference to bean 'org.springframework.flex.core.EndpointServiceMess agePointcutAdvisor#1' while setting constructor argument with key [1];
nested exception is org.springframework.beans.factory.BeanCreationExce ption:
Error creating bean with name 'org.springframework.flex.core.EndpointServiceMess agePointcutAdvisor#1':
Cannot resolve reference to bean 'org.springframework.flex.core.MessageInterception Advice#0' while setting constructor argument;
nested exception is org.springframework.beans.factory.BeanCreationExce ption:
Error creating bean with name 'org.springframework.flex.core.MessageInterception Advice#0':
Cannot resolve reference to bean 'org.springframework.flex.security3.EndpointInterc eptor#0' while setting bean property 'messageInterceptors' with key [1];
nested exception is org.springframework.beans.factory.BeanCreationExce ption:
Error creating bean with name 'org.springframework.flex.security3.EndpointInterc eptor#0':
Invocation of init method failed; nested exception is org.springframework.beans.factory.NoSuchBeanDefini tionException:
No unique bean of type [org.springframework.security.access.AccessDecision Manager] is defined: expected single bean but found 2:
org.springframework.security.access.vote.Affirmati veBased#0,org.springframework.security.access.vote .AffirmativeBased#1

My security config:

HTML Code:

<sec:http entry-point-ref="authenticationEntryPoint" >
	<sec:anonymous enabled="false"/>
</sec:http>
    
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

<sec:authentication-manager>
	<sec:authentication-provider
		user-service-ref='AuthenticationJDBC'>
		<sec:password-encoder hash="sha" />
	</sec:authentication-provider>
</sec:authentication-manager>
	
<bean id="AuthenticationJDBC"	class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
	<property name="dataSource" ref="dataSource" />
</bean>
	
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

My spring-flex config:

HTML Code:

<flex:message-broker>
	<flex:exception-translator ref="mySecurityExceptionTranslator" />
	<flex:secured>
		<flex:secured-channel channel="my-amf" access="ROLE_USER" />
		<flex:secured-channel channel="my-secure-amf" access="ROLE_USER" />
	</flex:secured>
</flex:message-broker>

Reading the logs I found that spring creates two AccessDecisionManager, AffirmativeBased#0 and AffirmativeBased#1, the last appears to be related with the JDBCDao authentication-provider.
To solve I have to set manually:
...
<flex:secured access-decision-manager="org.springframework.security.access.vote. AffirmativeBased#1">
...

Is the creation of two AccessDecisionManager the right behavior? Spring-flex can't discover the right AccessDecisionManager through authentication-manager? There is anotther way to workaround this problem?

Sorry for my bad english.
-- Victor

[jeremyg484]

Hmmm...unfortunately it seems that Spring Security is creating two distinct AccessDecisionManager instances...one for the http security and one for the global method security. (I am able to reproduce it in a test, but only by adding global-method-security to my test context that previously only had http).

I will check with the Spring Security devs to see if this is expected behavior.

Another workaround, in the meantime, would be to define your own AccessDecisionManager (just mimicking the default one) as described here:
http://static.springsource.org/sprin...access-manager

[jeremyg484]

Ok, I got the explanation from the Security devs. The provisioning of multiple AccessDecisionManagers in v3 is definitely intentional, as it's possible for the "http" version and the "global-method-security" version to need slightly different configuration. That said, they explained that it would also be perfectly fine for Flex to use its own distinct AccessDecisionManager for the needs of the <flex:secured-channel> tag. So what I think we'll do in the future is just create on internally if a reference is not specified in <flex:secured>. In the meantime, I think the best option is to use a config such as the following to create an AccessDecisionManager specifically for the needs of Flex:

Code:

<flex:message-broker>
    <flex:secured access-decision-manager="flexAccessDecisionManager">
        <flex:secured-channel access="ROLE_USER" channel="my-amf"/>
    </flex:secured>
</flex:message-broker>
	
<bean id="flexAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.access.vote.RoleVoter"/>
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </list>
    </property>
</bean>

I have opened a Jira to correct the problem (https://jira.springsource.org/browse/FLEX-109), but this seems like the best alternative until it gets resolved.

[neoviktor]

Thanks for the reply Jeremy.
Despite my solution works, yours seems to be better.

[jeremyg484]

This has now been fixed in the latest nightly build. If you would like to test it, you can either grab it here:

http://s3.amazonaws.com/dist.springf....0.3.CI-29.zip

or if you are using Maven, you can follow the updated instructions for grabbing nightly snapshots here:

http://forum.springsource.org/showthread.php?t=77454

[neoviktor]

That was fast.
Thanks, I will test ASAP