Announcement Announcement Module
No announcement yet.
Flex authentication, where is the UserDetails? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Flex authentication, where is the UserDetails?

    When authenticating, Spring BlazeDS Integration uses my UserDetailsService (which returns a UserDetails) to get user information and compare username and password, I though that I would receive this UserDetails object on the Flex side as suggested in Spring-Security to have further user information such as his real name, company name and so on.

    On the Flex side, I only receive a GrantedAuthority list and the username.

    Is there something I can do to obtain the UserDetails on the Flex side (other than fetch it myself)?

  • #2
    You could provide a custom MessageInterceptor that augments the information captured by the provided LoginMessageInterceptor ( which is one of the things that gets installed when you use the "secured" tag. Something like this:

    public class CustomLoginInterceptor implements MessageInterceptor {
        public Message postProcess(MessageProcessingContext context, Message inputMessage, Message outputMessage) {
            if (inputMessage instanceof CommandMessage && ((CommandMessage) inputMessage).getOperation() == CommandMessage.LOGIN_OPERATION) {
                if (containsAuthorities(outputMessage.getBody())) {
                    MyCustomUserDetails details = (MyCustomUserDetails) SecurityContextHolder.getContext().getAuthentication().getDetails();
                    ((Map)outputMessage.getBody()).put("address", details.getAddress());
            return outputMessage;
        private boolean containsAuthorities(Object body) {
            if (body == null || !(body instanceof Map)) {
                return false;
            Map authInfo = (Map) body;
            return authInfo.containsKey("authorities");
        public Message preProcess(MessageProcessingContext context, Message inputMessage) {
            return inputMessage;
    You then wire that up as a bean and add it into the chain using the "message-interceptor" tag.

    This is not exactly ideal, because it is a bit overly dependent on the LoginMessageInterceptor implementation, but it is the best solution for now.

    It would probably be better in the future if we provided an easier extension hook for customizing how the Authentication gets stored in the message. That or we just automatically include the details object from the Authentication, but it seems more efficient to let the user take control of that process since UserDetails implementations so often provide application-specific information.


    • #3
      The above solution will work, except in the case where perClientAuthentication has been set to true on the MessageBroker. If that is the case, then the SecurityContextHolder will be cleared out before any custom message interceptor is invoked, and the UserDetails will not be available. Is there a way to make this work in the case that perClientAuthentication is set to true?