
  • Good example to look at that demonstrates security with flex-login form/logout/ - etc

    I'm new to Flex and looking to create a simple app that:

    1) Has a login form (part of the Flex app - not the browser basic form)
    2) Provides a way to logout with the flex app.
    3) Gets a handle to all roles returned for use within Flex
    4) An example of getting a handle to the roles on the Java side from Spring

    Can someone post a good example of the above that uses the latest techniques with Spring-BlazeDS, but doesn't incorporate too many other things? For example, this tutorial is very nice http://www.gridshore.nl/2009/05/24/i...ation-project/ but it's using Mate - which at this point, I don't want to get involved with yet, and because of the Mate integration it requires what seems like some overly-complicated implementations (e.g. look at the whole ChannelSetInvoker thing.)

    A lot of the examples only show a simple basic-authentication login, which although nice, leaves me a bit puzzled on how to do things correctly with a flex login form.

    At this point, I also don't care much about locking down security on my remote blazeDS method calls, but I don't mind if the example application shows this as well.

    I'm finding this all a bit frustrating, because with a simple Java web-app, I can handle all of this so easily with one simple Filter implementation that stuffs the user roles in the session. I'm willing to accept there are more complications when dealing with a client app, but I still feel overwhelmed at the moment.

    When I start googling for how to handle Spring-BlazeDS security, the approaches seem to vary quite a bit.

    Is there a good example to follow in the spring-flex-testdrive sample? I do see a login form in secured.xml and I'm going to go through the app more thoroughly, but if there is another example app I should look at also, please let me know.

    Actually in the testdrive app (home page) when I click on the link
    for the security link, it ends up stripping the context:

    http://localhost:8080/secured/secured.html

    I can get it to come up with

    http://localhost:8080/testdrive/secured/secured.html

    But using 'john' 'john' still doesn't allow me to get data (returns 'send failed')

  • #2
    Besides not being able to get the testdrive 'secured' portion of the application working, I see no examples in the code showing access to the roles returned etc (for use with the UI.) I'd think these are critical aspects that the average user has to deal with so I think adding some examples of this within the samples would be great.



    • #3
      I got the testdrive security to work by adding in the testdrive context in the channel url:

      http://localhost:8080/testdrive/messagebroker/amf

      (before it just had http://localhost:8080/messagebroker/amf)



      • #4
        The "secured" sample has been further enhanced for 1.0.1 (see FLEX-72) to show more complete use of a completely Flex-based login and conditional display logic based on user roles. Hopefully this will serve to illustrate your points 1-3. For getting access to the roles on the server side, you would just do that via typical Spring Security API calls to SecurityContext and the like.

        As far as your deployment problems, the sample is currently configured to be run as the root web app. This was a leftover artifact of Adobe's original distribution which just bundled the app with Tomcat. As this is not a very typical deployment scenario for a Java web app, and in fact causes problems on some servers that don't allow the root web app to be overwritten, we have updated the testdrive for 1.0.1 to deploy under a more typical "testdrive" context (see FLEX-62).
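
Added example, not part of the original post or of the project's testdrive sample: one way to read the logged-in user's roles on the Java side through the Spring Security `SecurityContext`, as the answer above describes. The class and method names are hypothetical, and the imports assume Spring Security 3 or later package names (older 2.0.x releases use different packages).

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper; not part of Spring BlazeDS Integration or its samples.
public class CurrentUserRoles {

    /** Role names of the authenticated caller; empty if nobody is logged in. */
    public static List<String> currentRoles() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        List<String> roles = new ArrayList<String>();
        // No authentication, or only the anonymous token: treat as not logged in.
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            return roles;
        }
        for (GrantedAuthority authority : auth.getAuthorities()) {
            roles.add(authority.getAuthority());
        }
        return roles;
    }

    /** Server-side check; role names sent to the Flex UI only drive display logic. */
    public static boolean hasRole(String role) {
        return currentRoles().contains(role);
    }

    public static void main(String[] args) {
        // Constructed sample: simulate the context a successful login would populate.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("john", "n/a",
                        AuthorityUtils.createAuthorityList("ROLE_USER")));
        System.out.println(currentRoles());
        System.out.println(hasRole("ROLE_ADMIN"));
        SecurityContextHolder.clearContext(); // what a logout leaves behind
        System.out.println(currentRoles());
    }
}
```

The role list can be returned to the Flex client for conditional display, but any remote method that matters should repeat the check on the server, since the client-side copy can be altered.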



        • #5
          The "secured" sample has been further enhanced for 1.0.1 (see FLEX-72) to show more complete use of a completely Flex-based login and conditional display logic based on user roles.
          That sounds awesome! I take it I just pull the latest from svn snapshots? (Sorry for being a newb, but I'm not sure what 'see FLEX-72' refers to.) I really would like to see the latest 1.0.1 stuff.



          • #6
            Yes, you could pull a nightly build from here: http://static.springframework.org/do...p?project=FLEX, but I just committed this so it won't be there until tomorrow.

            FLEX-72 is a Jira issue: (http://jira.springsource.org/browse/FLEX-72)



            • #7
              Can someone help me out with the maven repo set up to use this latest 1.0.1 snapshot in my build? I'd like to leverage AuthenticationResultTranslator which apparently is just in this 1.0.1 branch?

              What snapshot url and pom definition should I use?
              I thought I'm supposed to use this one for snapshots?

              <repository>
                <id>spring-snapshot</id>
                <name>Spring Portfolio Snapshot Repository</name>
                <url>http://s3.amazonaws.com/maven.springframework.org/snapshot</url>
              </repository>



              • #8
                Good question, and given that it's bound to come up repeatedly, I've created a sticky thread to document the process:
                http://forum.springsource.org/showthread.php?t=77454

                That said, be wary of the occasional volatility of the nightly builds. For example, we thought better of AuthenticationResultTranslator and changed to the more Spring-ish pattern of an AuthenticationResultUtils helper class.

                If you don't mind waiting just a bit longer, we are preparing the final 1.0.1 for release right now.
