Integration with Spring-Security - SSO

[nicokiki]

Hi,
I am using spring-flex 1.0.2 and spring-security 2.0.4 with spring 2.5.6 and I'm having some troubles to enable security for my Secure AMF channel.

Here's what I have:
flex/services-config.xml

Code:

    ...
    <services>
        <default-channels>
            <channel ref="my-amf" />
        </default-channels>
    </services>
    ...

As you may have noticed, I didn't add the security tag ...

flex-servlet.xml

Code:

    ...
    <flex:message-broker>
        <flex:message-service default-channels="my-amf" />
        
        <flex:secured>
            <!-- The path is taken by default -->
            <flex:secured-endpoint-path access="AnyRole"/>
        </flex:secured>
    </flex:message-broker>

    <flex:remoting-destination ref="reportsService" />
    ...

1. My First Question is

This AnyRole that I added there must be a GrantedAuthority right?

security-config.xml

Code:

    <security:global-method-security secured-annotations="enabled">
    </security:global-method-security>

    <http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" />

    <beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />

    <beans:bean id="preAuthenticatedProcessingFilter"
        class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
        <custom-filter position="PRE_AUTH_FILTER" />

        <beans:property name="principalRequestHeader" value="SOME_HTTP_HEADER_ATT_NAME" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <authentication-manager alias="authenticationManager" />

    <beans:bean id="preauthAuthProvider"
        class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <security:custom-authentication-provider />
        <beans:property name="preAuthenticatedUserDetailsService">
            <beans:bean id="userDetailsServiceWrapper"
                class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
                <beans:property name="userDetailsService" ref="myUserDetailsService" />
            </beans:bean>
        </beans:property>
    </beans:bean>


    <beans:bean id="myUserDetailsService" class="com.SOMETHING.security.EbcmUserDetailsServiceImpl">
        <beans:property name="personDao" ref="personDao" />
    </beans:bean>

    <beans:bean id="loginCommand" class="org.springframework.flex.SpringSecurityLoginCommand" >
        <beans:constructor-arg ref="authenticationManager" />
    </beans:bean>

I implemented my own UserDetailsService, which based on the value got from the HTTP header (left by a Single Sign On implementation authentication mechanism) checks if the user exists in our own database, and loads all the GrantedAuthorities.

When I try to deploy my application under Weblogic 10.x (the app server we are using), I get this exception:

Code:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_messageBroker': Cannot resolve reference to bean '_messageBr
okerLoginCommand' while setting bean property 'configProcessors' with key [2]; nested exception is org.springframework.beans.factory.BeanCreationException: Erro
r creating bean with name '_messageBrokerLoginCommand': Cannot resolve reference to bean '_authenticationManager' while setting constructor argument; nested exc
eption is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named '_authenticationManager' is defined

1. Why am I getting this exception when the LogginCommand (in security-config) says that I'm using authenticationManager and not _authenticationManager?
2. Do I have to add the security tag in services-config.xml?
3. Do I have to change something in my flex-servlet.xml?
4. What am I missing?

I've read the following links:

• Spring-BlazeDS
• Details abt securing endpoint paths directly in this forum
• RequestHeaderPreAuthenticatedProcessingFilter discussion in this forum
• Pre-Authentication Scenarios-Spring Security Doc

[nicokiki]

I found that setting the attribute authentication-manager for <flex:secured> would change Spring-BlazeDS default values.

No flex-servlet.xml file is as follows:

Code:

    ...
    <flex:message-broker>
        <flex:message-service default-channels="my-amf" />

        <flex:secured authentication-manager="authenticationManager" >
            <flex:secured-endpoint-path access="AnyRole" />
        </flex:secured>
    </flex:message-broker>

    <flex:remoting-destination ref="reportsService" />
    ...

authenticationManager was defined in my security-config.xml

Now I got to the point where I don't know where this AnyRole value should be defined. I understood it was a GrantedAuthority ...

• What am I doing wrong?

The exception I'm getting now is:

Code:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_messageBrokerDefaultHandlerMapping': Initialization of bean failed; nes
ted exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_messageBroker': Cannot resolve reference to bean '_mes
sageBrokerEndpointProcessor' while setting bean property 'configProcessors' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationExce
ption: Error creating bean with name '_messageBrokerEndpointProcessor': Cannot resolve reference to bean 'org.springframework.flex.core.EndpointServiceMessagePo
intcutAdvisor#1' while setting constructor argument with key [1]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating be
an with name 'org.springframework.flex.core.EndpointServiceMessagePointcutAdvisor#1': Cannot resolve reference to bean 'org.springframework.flex.core.MessageInt
erceptionAdvice#0' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with nam
e 'org.springframework.flex.core.MessageInterceptionAdvice#0': Cannot resolve reference to bean 'org.springframework.flex.security.EndpointInterceptor#0' while
setting bean property 'messageInterceptors' with key [1]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with
name 'org.springframework.flex.security.EndpointInterceptor#0': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupp
orted configuration attributes: [AnyRole]

[jeremyg484]

First, I've got to say that it looks like you're over-complicating things a bit. I'd suggest starting with a very basic security configuration (something like the one in the Test Drive) and build incrementally from there. You've got some things that are completely unnecessary, such as the explicit bean definition for the SpringSecurityLoginCommand.

That said, the reason for your last error is because the default RoleVoter requires that roles contain the prefix "ROLE_". So for example, "ROLE_ANY" would be a valid role definition in the default case.

[nicokiki]

Hi Jeremy,
I realised that was my problem and everything started working correctly.
I should have updated the post two days ago ...

I also removed the LoginCommand as I found out it was unnecessary.

Thx!

Nico