
  • Custom Login Command

    Hi,

    I have a requirement where I need to use a custom login command which will basically be an extension of the existing LoginCommand.

    I have done this but am unsure of the best way to configure it for use.

    I created a bean like so:

    <bean id="customSpringSecurityLoginFilter" class="package .CustomSpringSecurityLoginFilter">
    <constructor-arg ref="authenticationManager"/>
    </bean>

    and have been using the message-broker namespace, which I know initializes the default LoginCommand. Can this be overridden in the namespace declaration?

    I thought I may be able to do this:

    <flex:message-broker>
    <flex:config-processor ref="customSpringSecurityLoginFilter"/>
    <flex:remoting-service default-adapter-id="java-object" default-channels="my-amf"/>
    <flex:secured per-client-authentication="true">
    <flex:secured-endpoint-path pattern="${blaze.secured.endpoint.pattern}" access="${blaze.secured.endpoint.role}" />
    </flex:secured>
    </flex:message-broker>

    But it still uses the default one.

    Any pointers on how to do this would be appreciated !

    Cheers,

    Jonathan.

  • #2
    (Quick note...in the future, please use the code tags when providing examples...much easier to read.)

    Right, we don't provide a way to do this at the moment. It's a reasonable thing to allow, so I've created a Jira for it:

    https://jira.springsource.org/browse/FLEX-79

    In the meantime, this is quite the hack, but you could probably get around the problem by putting the configuration logic of your LoginCommand into the processAfterStartup method instead of processBeforeStartup. Basically, since the LoginManager can only ever have one LoginCommand, the last one set will win.

    Out of curiosity, what exactly are you trying to do differently in your custom LoginCommand that you need to override the provided one in the first place?

    Comment


    • #3
      Hi Jeremy,

      We aren't trying to do anything fancy with our CustomLoginCommand; basically we have a custom authentication provider which authenticates against different mechanisms dependent upon a selected domain.

      We want channel authentication, and as the flex channel.login command only takes a username and password we are appending it to the username, i.e. [email protected] We wanted the custom LoginCommand to split the two, adding the domain to a details object to be added to the UsernamePasswordToken.

      To get round this we have moved the logic to the CustomProvider, but really at this level we would like to have had the command do the work.

      We know we could just chain the providers to call each in turn, but we aren't in control of the realms' user administration to guarantee uniqueness.

      Thanks for your reply,


      Jonathan.

      Comment


      • #4
        Hi,

        I have an issue with a custom loginCommand with Spring BlazeDS & Security.

        The application has two mechanisms (for example, 2 databases) for authentication. The Flex client uses only one channel and the loginCommand should decide, based on parameters, which authentication mechanism it uses.

        How can I handle this? Should I customize SpringSecurityLoginCommand or the basic LoginCommand? I'm stuck with this.

        Comment


        • #5
          Hi Durden,

          I suggest you have two ways of accomplishing this:

          If the usernames or IDs are unique across both mechanisms then you can simply chain your Spring Security authentication providers. This means if the user credentials are not verified in the first mechanism it will check the second before failing. This obviously has issues in terms of excess calls etc.

          Instead I created a custom AuthenticationProvider which I plugged into the Spring Security configuration. As the channel.login command only takes two parameters, username and password, I had to put additional parameters on the end of the username (in my case [email protected]). The job of the custom provider is to parse the properties from the username and select which wrapped provider to use. I did this by injecting a map of providers into the custom provider, mapped by a domain key, i.e. Domain1=DB1 ; Domain2=DB2.

          Hope this helps !

          Jonathan.

          Comment
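
The domain-routing provider described in post #5, sketched as an added example (not code from the thread or from Spring BlazeDS Integration). It assumes Spring Security 3 or later package names; the class name `DomainRoutingAuthenticationProvider` and the upper-cased domain keys in the injected map are hypothetical.

```java
import java.util.Locale;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** Hypothetical class: routes "user@domain" logins to exactly one delegate provider per domain. */
public class DomainRoutingAuthenticationProvider implements AuthenticationProvider {

    // Domain key (upper case) -> wrapped provider, injected from the Spring context.
    private final Map<String, AuthenticationProvider> providersByDomain;

    public DomainRoutingAuthenticationProvider(Map<String, AuthenticationProvider> providersByDomain) {
        this.providersByDomain = providersByDomain;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String raw = authentication.getName();
        // Split on the LAST '@' so a local name that itself contains '@' cannot choose the domain.
        int at = raw.lastIndexOf('@');
        if (at <= 0 || at == raw.length() - 1) {
            throw new BadCredentialsException("Bad credentials");
        }
        String user = raw.substring(0, at);
        String domain = raw.substring(at + 1).toUpperCase(Locale.ROOT);

        AuthenticationProvider delegate = providersByDomain.get(domain);
        if (delegate == null) {
            // Same message as a wrong password: do not reveal which domains exist.
            throw new BadCredentialsException("Bad credentials");
        }

        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(user, authentication.getCredentials());
        token.setDetails(domain); // keep the domain for auditing and downstream checks
        // Only the selected provider is consulted; there is no fall-through to other realms.
        return delegate.authenticate(token);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register only this provider with the authentication manager, not the wrapped ones: a `ProviderManager` moves on to the next registered provider after an `AuthenticationException`, which would reintroduce the chained behaviour and let a password from one realm match the same username in another.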


          • #6
            Thanks, this was an excellent answer.

            We also have this kind of third situation: we must authenticate the user against an external system in the Flex client with some POST functions. Are there any ways to pass the Spring security in this case? I mean that the user should be authenticated before Spring security, and Spring security just logs the user in normally as an authenticated user. The login session should be created normally in this case, a kind of pre-authentication situation?

            Comment


            • #7
              Hi Durden,

              I'm not sure about this to be honest. I think what you want is a single sign-on mechanism.

              The only thing I have done, which is not quite similar, is using multi channel support, allowing three different login mechanisms: form based, basic and channel. Though this was individual for different clients and not cross-authentication.

              The thing to check first is how the channel.login command verifies whether the channel has been authenticated (on the server). If it simply checks to see if there is a security principal associated in the security context you may not have to do anything at all, but I haven't tried it.

              If you do try it out, I'd be interested to find out the results :-) I might give it a go myself if I get time tomorrow. But as usual I'll probably be snowed under.

              Jonathan.

              Comment


              • #8
                Finally managed to finish this.

                This "preauthentication-situation" was handled with a custom authentication provider and some flags inside the user name. I also had to customize UserDetails & UserDetailsService. Your answer solved my problem, thanks very much!

                Comment
