
  • Integration with Spring-Security - SSO

    Hi,
    I am using spring-flex 1.0.2 and spring-security 2.0.4 with spring 2.5.6, and I'm having some trouble enabling security for my Secure AMF channel.

    Here's what I have:
    flex/services-config.xml
    Code:
        ...
        <services>
            <default-channels>
                <channel ref="my-amf" />
            </default-channels>
        </services>
        ...
    As you may have noticed, I didn't add the security tag ...

    flex-servlet.xml
    Code:
        ...
        <flex:message-broker>
            <flex:message-service default-channels="my-amf" />
            
            <flex:secured>
                <!-- The path is taken by default -->
                <flex:secured-endpoint-path access="AnyRole"/>
            </flex:secured>
        </flex:message-broker>
    
        <flex:remoting-destination ref="reportsService" />
        ...
    1. My first question is:
    This AnyRole that I added there must be a GrantedAuthority, right?

    security-config.xml
    Code:
        <security:global-method-security secured-annotations="enabled">
        </security:global-method-security>
    
        <http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" />
    
        <beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
            class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    
        <beans:bean id="preAuthenticatedProcessingFilter"
            class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
            <custom-filter position="PRE_AUTH_FILTER" />
    
            <beans:property name="principalRequestHeader" value="SOME_HTTP_HEADER_ATT_NAME" />
            <beans:property name="authenticationManager" ref="authenticationManager" />
        </beans:bean>
    
        <authentication-manager alias="authenticationManager" />
    
        <beans:bean id="preauthAuthProvider"
            class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
            <security:custom-authentication-provider />
            <beans:property name="preAuthenticatedUserDetailsService">
                <beans:bean id="userDetailsServiceWrapper"
                    class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
                    <beans:property name="userDetailsService" ref="myUserDetailsService" />
                </beans:bean>
            </beans:property>
        </beans:bean>
    
    
        <beans:bean id="myUserDetailsService" class="com.SOMETHING.security.EbcmUserDetailsServiceImpl">
            <beans:property name="personDao" ref="personDao" />
        </beans:bean>
    
        <beans:bean id="loginCommand" class="org.springframework.flex.SpringSecurityLoginCommand" >
            <beans:constructor-arg ref="authenticationManager" />
        </beans:bean>
    I implemented my own UserDetailsService, which, based on the value taken from the HTTP header (left by the authentication mechanism of a Single Sign-On implementation), checks whether the user exists in our own database and loads all the GrantedAuthorities.

    When I try to deploy my application under Weblogic 10.x (the app server we are using), I get this exception:
    Code:
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_messageBroker': Cannot resolve reference to bean '_messageBrokerLoginCommand' while setting bean property 'configProcessors' with key [2];
    nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_messageBrokerLoginCommand': Cannot resolve reference to bean '_authenticationManager' while setting constructor argument;
    nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named '_authenticationManager' is defined
    1. Why am I getting this exception when the LoginCommand (in security-config) says that I'm using authenticationManager and not _authenticationManager?
    2. Do I have to add the security tag in services-config.xml?
    3. Do I have to change something in my flex-servlet.xml?
    4. What am I missing?


    I've read the following links:

  • #2
    I found that setting the attribute authentication-manager for <flex:secured> would change Spring-BlazeDS default values.

    Now my flex-servlet.xml file is as follows:
    Code:
        ...
        <flex:message-broker>
            <flex:message-service default-channels="my-amf" />
    
            <flex:secured authentication-manager="authenticationManager" >
                <flex:secured-endpoint-path access="AnyRole" />
            </flex:secured>
        </flex:message-broker>
    
        <flex:remoting-destination ref="reportsService" />
        ...
    authenticationManager was defined in my security-config.xml

    Now I got to the point where I don't know where this AnyRole value should be defined. I understood it was a GrantedAuthority ...
    • What am I doing wrong?

    The exception I'm getting now is:
    Code:
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_messageBrokerDefaultHandlerMapping': Initialization of bean failed;
    nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_messageBroker': Cannot resolve reference to bean '_messageBrokerEndpointProcessor' while setting bean property 'configProcessors' with key [3];
    nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_messageBrokerEndpointProcessor': Cannot resolve reference to bean 'org.springframework.flex.core.EndpointServiceMessagePointcutAdvisor#1' while setting constructor argument with key [1];
    nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.flex.core.EndpointServiceMessagePointcutAdvisor#1': Cannot resolve reference to bean 'org.springframework.flex.core.MessageInterceptionAdvice#0' while setting constructor argument;
    nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.flex.core.MessageInterceptionAdvice#0': Cannot resolve reference to bean 'org.springframework.flex.security.EndpointInterceptor#0' while setting bean property 'messageInterceptors' with key [1];
    nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.flex.security.EndpointInterceptor#0': Invocation of init method failed;
    nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [AnyRole]



    • #3
      First, I've got to say that it looks like you're over-complicating things a bit. I'd suggest starting with a very basic security configuration (something like the one in the Test Drive) and building incrementally from there. You've got some things that are completely unnecessary, such as the explicit bean definition for the SpringSecurityLoginCommand.

      That said, the reason for your last error is because the default RoleVoter requires that roles contain the prefix "ROLE_". So for example, "ROLE_ANY" would be a valid role definition in the default case.

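The fix discussed in replies #2 and #3, as an added example that is not part of the original thread: the failing endpoint attribute next to one carrying the `ROLE_` prefix, plus a voter with a different prefix for cases where the stored authority names cannot change. `ROLE_USER`, `APP_REPORTS`, the `APP_` prefix and the `flexAccessDecisionManager` bean id are assumed names, and the `access-decision-manager` attribute of `<flex:secured>` should be checked against the spring-flex version in use.

```xml
<!-- flex-servlet.xml fragments (added example; role names are assumptions) -->

<!-- Before: startup fails with
     "Unsupported configuration attributes: [AnyRole]" because no voter in the
     default AccessDecisionManager recognises an attribute without ROLE_. -->
<flex:message-broker>
    <flex:message-service default-channels="my-amf" />
    <flex:secured authentication-manager="authenticationManager">
        <flex:secured-endpoint-path access="AnyRole" />
    </flex:secured>
</flex:message-broker>

<!-- After: the attribute starts with ROLE_, so the default RoleVoter supports it.
     The UserDetailsService must return a GrantedAuthority with exactly this
     string, otherwise every request to the endpoint is denied. -->
<flex:message-broker>
    <flex:message-service default-channels="my-amf" />
    <flex:secured authentication-manager="authenticationManager">
        <flex:secured-endpoint-path access="ROLE_USER" />
    </flex:secured>
</flex:message-broker>

<!-- Alternative: keep authority names that use another prefix (here APP_)
     by supplying an AccessDecisionManager whose RoleVoter expects that prefix. -->
<beans:bean id="flexAccessDecisionManager"
    class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.vote.RoleVoter">
                <!-- Only attributes starting with APP_ are voted on -->
                <beans:property name="rolePrefix" value="APP_" />
            </beans:bean>
        </beans:list>
    </beans:property>
</beans:bean>

<flex:message-broker>
    <flex:message-service default-channels="my-amf" />
    <flex:secured authentication-manager="authenticationManager"
                  access-decision-manager="flexAccessDecisionManager">
        <flex:secured-endpoint-path access="APP_REPORTS" />
    </flex:secured>
</flex:message-broker>
```

The three `<flex:message-broker>` elements are alternatives; a real flex-servlet.xml contains only one of them.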


      • #4
        Hi Jeremy,
        I realised that was my problem and everything started working correctly.
        I should have updated the post two days ago ...

        I also removed the LoginCommand as I found out it was unnecessary.

        Thx!

        Nico
