
  • Security/Session Q when adding SpringFlex to existing webapp

    We have an existing JSF/Facelets/Webflow app using Spring Security.

    If we add a Flex object onto the page using a4x it is working nicely, as this comes in as a POST and will pass through the security filters and have access to the UserDetails and current session objects.

    If we want to use AMF and Blaze to be able to pass large amounts of data efficiently, I'm assuming this communication is outside the existing session/security context and not able to access those objects. It looks like I'd have to move the state management from the session over to the Flex side - is that a correct assumption? If not, please explain how you can connect back to the webapp context.

    Also, if using Blaze and making multiple requests, will the security authentication happen once on the first or on each?

    Thanks
    Mark

  • #2
    Originally posted by mdiskin
    If we want to use AMF and Blaze to be able to pass large amounts of data efficiently, I'm assuming this communication is outside the existing session/security context and not able to access those objects.
    No, RemoteObject and its companions on the client basically tunnel through an HTTP POST request for the standard BlazeDS channel, so in our case everything still goes through the security filters, DispatcherServlet, etc. (Note that for a nice clean setup, I prefer setting up two separate DispatcherServlets...one for the standard MVC/Web Flow requests, and another for the BlazeDS requests...this is not strictly required though.)

    Originally posted by mdiskin
    It looks like I'd have to move the state management from the session over to the Flex side - is that a correct assumption? If not, please explain how you can connect back to the webapp context.
    It depends on what in particular you're trying to do as to whether it's more appropriate to manage state on the client, but in general you still have access to the session and all other normal facilities on the server side. Again, since requests are going through the DispatcherServlet, you can just use standard Spring-isms like RequestContextHolder.getRequestAttributes().

    Originally posted by mdiskin
    Also, if using Blaze and making multiple requests, will the security authentication happen once on the first or on each?
    Authentication happens when you explicitly invoke it via the ChannelSet.login() method from the Flex client. Of course, in a hybrid scenario such as you've described, it is possible to have already authenticated outside the Flex app via some other Spring Security mechanism (i.e., a simple HTML login form, etc.). The security integration in Spring BlazeDS just accesses the Authentication object through the standard APIs, so whether authenticated through the ChannelSet API or via some external means, it should work essentially the same.

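As an added example (not part of the original thread and not code from Spring BlazeDS), here is a server-side service that reads the existing HTTP session and the Spring Security `Authentication` the way reply #2 describes. The class name, the session attribute name and the assumption that the class is exposed as a BlazeDS remoting destination are hypothetical; the imports assume Spring Security 3 or later package names.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

/**
 * Hypothetical service, assumed to be exposed to Flex as a BlazeDS remoting
 * destination and called over the standard HTTP-based AMF channel.
 */
public class AccountSummaryService {

    // Hypothetical session attribute set earlier by the JSF/Web Flow side.
    private static final String SELECTED_ACCOUNT = "selectedAccountId";

    /** The username comes from the server-side security context, never from an AMF argument. */
    String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            throw new IllegalStateException("No authenticated user for this AMF request");
        }
        Object principal = auth.getPrincipal();
        return (principal instanceof UserDetails)
                ? ((UserDetails) principal).getUsername()
                : String.valueOf(principal);
    }

    /** Reads state the web app already keeps in the HTTP session. */
    Object sessionAttribute(String name) {
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
        if (attrs == null) {
            // The call did not arrive on a request thread bound by the DispatcherServlet.
            throw new IllegalStateException("No request bound to the current thread");
        }
        // Returns null if there is no session or the attribute is not set.
        return attrs.getAttribute(name, RequestAttributes.SCOPE_SESSION);
    }

    /** Method the Flex client would invoke through RemoteObject. */
    public String describeSelection() {
        Object accountId = sessionAttribute(SELECTED_ACCOUNT);
        return currentUsername() + " -> "
                + (accountId == null ? "no account selected" : accountId);
    }
}
```

Both lookups depend on the AMF request passing through the same Spring Security filter chain and DispatcherServlet as the rest of the web app, so the filter mapping has to cover the BlazeDS endpoint URL.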