
  • Problem configuring spring security 3.1 with hybrid Spring MVC + Flex application

    I'm working on a web application that has an (end-user) user interface built in Flex and a management user interface built using Spring MVC. I'm trying to secure both interfaces and can get each one working separately, but not together.

    I'm using a snapshot build of spring-flex-core 1.5.0 with Spring Security 3.1RC1 and Spring 3.1M1.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
    		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    	
    	<!-- All Spring Security related configuration goes here -->
    
    	<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
        
        <security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
            <security:anonymous enabled="false"/>
        </security:http>
        
        <bean id="entryPoint" class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>
         
        <security:http pattern="/favicon.ico" security="none"/>
        <security:http pattern="/login*" security="none"/>
        <security:http pattern="/logoutSuccess*" security="none"/>
        <security:http pattern="/apollo/css/**" security="none"/>
        <security:http pattern="/apollo/js/**" security="none"/>
        <security:http pattern="/apollo/img/**" security="none"/>
        <security:http pattern="/common/css/**" security="none"/>
        <security:http pattern="/common/js/**" security="none"/>
        <security:http pattern="/common/img/**" security="none"/>
        <security:http pattern="/MoneyManager.swf" security="none"/>
        <security:http pattern="/assets/**" security="none"/>
        <security:http pattern="/index.jsp" security="none"/>
        
        <security:http servlet-api-provision="true">
    
            <security:intercept-url pattern="/cms/*" access="ROLE_ADMIN"/>
            <security:intercept-url pattern="/cms/users/*" access="ROLE_ADMIN,ROLE_USER_MANAGER"/>
            <security:intercept-url pattern="/cms/content/*" access="ROLE_ADMIN,ROLE_CONTENT_MANAGER"/>        
            <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
    
            <security:form-login login-page="/login.html" default-target-url="/home.html" 
            					always-use-default-target="false" authentication-failure-url="/login.html"/>
            					
            <security:remember-me/>
            <security:logout logout-url="/logout" logout-success-url="/default.html" />
    		
        </security:http>
        
        <bean id="successfulLogInListener" class="uk.co.ecube.web.security.SuccessfulLogInListener"/>
        <bean id="failedLogInListener" class="uk.co.ecube.web.security.FailedLogInListener"/>
        
    
    	<security:authentication-manager>
        	<security:authentication-provider user-service-ref='userService'/>
      	</security:authentication-manager>
    </beans>

    If I include only the first http tag without the pattern attribute then the Flex UI appears to authenticate successfully using Spring Security. However, if I include all the http tags then I get one of two errors, depending on whether I use

    Code:
        <security:http  entry-point-ref="entryPoint">
            <security:anonymous enabled="false"/>
        </security:http>
    which gives
    Code:
    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The filter chain map already contains this request matcher [Root bean: class [org.springframework.security.web.util.AnyRequestMatcher]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null]. If you are using multiple <http> namespace elements, you must use a 'pattern' attribute to define the request patterns to which they apply.
    or

    Code:
        <security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
            <security:anonymous enabled="false"/>
        </security:http>
    which results in

    Code:
    SEVERE: Servlet /apollo threw load() exception
    org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [org.springframework.security.web.authentication.session.SessionAuthenticationStrategy] is defined: expected single matching bean but found 2: [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#0, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#1]
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:796)
    I'm obviously missing something, but while the Spring Flex documentation describes how to configure a hybrid MVC+Flex application at the servlet level, it appears to only consider security from the perspective of a Flex-only application.

    Can anyone suggest what I'm doing wrong?

    thanks

    Dave
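
Added example, not part of the original post and not Spring Security's own code: a small Python check that reads the `<http>` elements of a configuration like the one above, reports request matchers declared twice (the condition named in the first error message), and shows which element a request path resolves to. It assumes the first matching element in declaration order is used and a simplified Ant-style matcher; the sample XML is constructed from the post's first failing variant.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"
# Constructed sample: the post's first failing variant, trimmed. The Flex
# <http> block has no pattern, and neither does the final MVC block.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security">
  <security:http entry-point-ref="entryPoint"/>
  <security:http pattern="/login*" security="none"/>
  <security:http pattern="/assets/**" security="none"/>
  <security:http servlet-api-provision="true"/>
</beans>"""
# Simplified Ant-style tokens (assumption: close enough for these patterns).
TOKENS = {"/**": "(/.*)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}

def ant_to_regex(pattern):
    """Translate an Ant-style pattern: '**' spans directories, '*' one segment."""
    parts = re.split(r"(/\*\*|\*\*|\*|\?)", pattern)
    return re.compile("^" + "".join(TOKENS.get(p, re.escape(p)) for p in parts) + "$")

def load_chains(xml_text):
    """Return [(pattern or None, security attribute)] in declaration order."""
    root = ET.fromstring(xml_text)
    return [(el.get("pattern"), el.get("security")) for el in root.iter(NS + "http")]

def duplicate_matchers(chains):
    """Patterns declared more than once; None is the any-request matcher."""
    seen, dups = set(), []
    for pattern, _ in chains:
        if pattern in seen and pattern not in dups:
            dups.append(pattern)
        seen.add(pattern)
    return dups

def resolve(chains, path):
    """Index of the first <http> element that matches; declaration order decides."""
    for i, (pattern, _) in enumerate(chains):
        if pattern is None or ant_to_regex(pattern).match(path):
            return i
    return None

def unfiltered(chains, paths):
    """Paths that land on a security="none" chain and skip every filter."""
    hits = [(p, resolve(chains, p)) for p in paths]
    return [p for p, i in hits if i is not None and chains[i][1] == "none"]

if __name__ == "__main__":
    chains = load_chains(SAMPLE)
    print("duplicate matchers:", duplicate_matchers(chains))
    print("/login.html ->", resolve(chains, "/login.html"))
```

Running `unfiltered` over a list of application paths gives a quick inventory of what the `security="none"` elements exempt from the filter chain.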