Access 'UserDetails' on flex

  • #16
    in my config files , though I'm not sure which version of the jars it relates to
    Use spring security 3.0.5, which is the latest production release http://s3.amazonaws.com/dist.springf....5.RELEASE.zip

    Is there a way I can set some properties on a spring managed UserDetails object from JSP that I can then reference once my swf is loaded ?
    The only approach I can see for now is to load the swf once you log in from jsp, then do a remote call from flex to java and get the authentication details from either AuthenticationResultUtils or the Spring security context.

    By the way, I think it's worth looking at whether you can use flashvars to pass the authentication details to the swf from jsp (after you log in) when loading the swf.



    • #17
      Ok, thanks Amila. Is that release only documented in the enclosed HTML rather than hosted here: http://static.springsource.org/sprin...ity/site/docs/ ?

      I will be sure to use that version. Could you give me one more bit of suggestion, I'm thinking I should either implement a UserDetail service as this person is discussing on the forum : New to Spring - Custom Authentication with UserDetails

      My thought is since my infrastructure already gets a unique "user ID" I could then set a property on spring managed bean, load the swf normally and then simply get the user's credentials and manipulate the flex view per the principal's role ? Does that sound right?



      • #18
        spring-security-3.0.5.RELEASE with BlazeDS and Flex?

        Just to be sure, are the spring-security-3.0.5.RELEASE jars compatible with the Flex / BlazeDS components namely spring-flex-core-1.5.0.M2.jar ?



        • #19
          Is that release only documented in the enclosed HTML rather than hosted here: http://static.springsource.org/sprin...ity/site/docs/ ?
          Reference doc http://static.springsource.org/sprin...gsecurity.html

          I'm thinking I should either implement a UserDetail service
          Why do you want to implement a custom user detail service? How do you authenticate users? Is it against a database? If so, can't you use the DaoAuthenticationProvider?

          My thought is since my infrastructure already gets a unique "user ID" I could then set a property on spring managed bean, load the swf normally and then simply get the user's credentials and manipulate the flex view per the principal's role
          You won't need a unique id to retrieve the authentication details. Since the spring security context is available, get the authentication details from the middle tier:

          Code:
          SecurityContextHolder.getContext().getAuthentication()
          Or

          Code:
          AuthenticationResultUtils.getAuthenticationResult()



          • #20
            are the spring-security-3.0.5.RELEASE jars compatible with the Flex / BlazeDS components namely spring-flex-core-1.5.0.M2.jar ?
            Yes, it should be. But I use 1.0.3 since it is the latest production release.



            • #21
              Still trying to authenticate...

              Amila, thanks again for the support -

              I want to grant privileges to users that I have in a database while using my team's standard method to verify NTLM/LDAP. They typically use a JSP page that calls another webapp, which I can't change. The JSP page calls this other servlet and has cookies passed back to it with usernames and some role information. Typically, once authenticated, the JSP page then redirects on to the next page (JSP) to begin a JSP-based webapp with that cookie information. What I would like to do is continue on to my Flex app.

              I think you're right about the custom UserDetailsService, I probably don't need a UserDetailsService. As far as the DaoAuthenticationProvider ...

              Per the documentation section 6.1 :

              The most common approach to verifying an authentication request is to load the corresponding UserDetails and check the loaded password against the one that has been entered by the user. This is the approach used by the DaoAuthenticationProvider (see below).
              The loaded UserDetails object - and particularly the GrantedAuthoritys it contains - will be used when building the fully populated Authentication object which is returned from a successful authentication and stored in the SecurityContext.
              This sounds about right, but the next part confuses me. Are there methods I can call or values I can set on the current SecurityContext or Authentication and then continue on to Flex?

              My other thought, was something like this in JSP:
              Code:
              if(cookieAuthentication == true){
                  Authentication auth = SecurityContextHolder.getContext().getAuthentication();
                  // update the auth object (which is currently an AnonymousAuthenticationToken with a principal "anonymousUser")
                  
                  //Maybe this?
                  UsernamePasswordAuthenticationToken upat = new UsernamePasswordAuthenticationToken(
                      "a474169", "password", AuthorityUtils.createAuthorityList("ROLE_ADMIN")
                  );
                  SecurityContextHolder.getContext().setAuthentication(upat);
              
                  // OR instantiate a new Authentication object in the Security Context
                  
                  response.sendRedirect(referrer); // where referrer is hopefully flex-Main.html 
              	 
                  return; // Flex will then use the SecurityHelper to change the View and allow method invocation 
              }

              I think I'm getting closer! Thanks Amila & Spring Community!



              • #22
                >>>Are there methods I can call or values I can set on the current SecurityContext or Authentication and then continue on to Flex?

                I don't think you want to do that.

                After you log in successfully, point to the flex file, so the flex file loads up (this is done in the spring security config xml file).
                Once the flex file loads up, all you need to worry about is remoting the ROLES from your java backend to flex mxml using <mx:RemoteObject>



                • #23
                  Refactored...

                  @jaggernat & @amiladomingo

                  Alright, so I've refactored my code & config and I'm still just looking for some confirmation. The good news is, it looks like things are working!

                  My security-config.xml file:
                  Code:
                  <http auto-config="true">
                  	<intercept-url pattern="/index.html" filters="none" />
                  	<intercept-url pattern="/favicon.ico" filters="none" />
                  	<intercept-url pattern="/main.css" filters="none" />
                  	<intercept-url pattern="/jspErrorPage.jsp" filters="none" /> <!--  For error handling  -->
                  	<intercept-url pattern="/ldaplogin.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                  	<intercept-url pattern="/app-flex/**" access="ROLE_USER" />
                  
                  	<!-- FIXME: Be sure to remove these as they may expose sensitive info -->
                  	<intercept-url pattern="/Hidden.jsp" access="ROLE_ADMIN" />	<!-- For Spring Security debugging only -->
                  	<intercept-url pattern="/variables.jsp" filters="none" /> <!-- For Tomcat/Java debugging only -->
                  
                  	<form-login login-page="/ldaplogin.jsp" default-target-url="/app-flex/Main.html" 
                  		always-use-default-target="true"/>
                  </http>
                  My ldaplogin.jsp page:
                  Code:
                  if(cookieAuthentication == true){
                  	// The cookies that I have here include things like userid, first name, last name and the privileges they have
                  	sc =  (SecurityContextImpl)SecurityContextHolder.getContext();
                  	/*
                  	sc instance of: org.springframework.security.authentication.AnonymousAuthenticationToken
                  	Principal: anonymousUser; 
                  	Authenticated: true; 
                  	Granted Authorities: ROLE_ANONYMOUS
                  	*/
                  	if (sc != null){
                  		// Just using this for debugging
                  		auth = SecurityContextHolder.getContext().getAuthentication();
                  	}
                  	// Instantiate a new Authentication object in the Security Context
                  	upat = new UsernamePasswordAuthenticationToken(ldaploginuserid,"password",AuthorityUtils.createAuthorityList("ROLE_USER","ROLE_ADMIN"));
                  
                  	// Wondering if there's a best-practice way to do this in JSP
                  	SecurityContextHolder.getContext().setAuthentication(upat);
                  
                  	log.info(upat.toString()); // For info only
                  
                  	response.sendRedirect(referrer); // Where referrer is "flex-Main.html"
                  	return; // Flex will then use the SecurityHelper to change the View and allow method invocation 
                  }
                  This all seems to be in working order:
                  - I can make a call to a remote object (SecurityHelper) from the Flex client and get the Authentication of the principal
                  - I can secure my interfaces via annotations like @Secured("ROLE_ADMIN")

                  Though, my security-config.xml file still has this in it (I've been converting the samples to fit my implementation needs):
                  Code:
                  <authentication-manager>
                  	<authentication-provider>
                  		<user-service>
                  			<user name="john" password="john" authorities="ROLE_USER" />
                  			<user name="admin" password="admin"
                  				authorities="ROLE_USER, ROLE_ADMIN, APP_ADMIN" />
                  			<user name="guest" password="guest" authorities="ROLE_GUEST" />
                  		</user-service>
                  	</authentication-provider>
                  </authentication-manager>
                  Do I need to create my own AuthenticationManager or AuthenticationProvider if my JSP seems to fit my need?

                  Thanks so much, you guys have been fantastic in helping me along.
                  - Brian

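The last question in the thread, whether a custom AuthenticationProvider is needed when a JSP already sets the SecurityContext, maps onto Spring Security's pre-authentication support. The following is an added example, not code from any poster or from the Spring project: the cookie name `ldapUserId` and the user id pattern are assumptions, and it assumes the upstream cookie cannot be forged by the client (the thread does not say how that cookie is protected).

```java
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;

/** Added example, not code from the thread. Register at filter position PRE_AUTH_FILTER. */
public class UpstreamCookiePreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Assumed cookie name; the thread does not name the cookie the upstream login sets.
    private static final String USER_COOKIE = "ldapUserId";
    // Assumed id format (the thread shows an id like "a474169"); anything else is rejected.
    private static final Pattern USER_ID = Pattern.compile("[A-Za-z0-9]{1,32}");

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null; // no upstream login yet: the request stays anonymous
        }
        for (Cookie cookie : cookies) {
            if (USER_COOKIE.equals(cookie.getName())
                    && cookie.getValue() != null
                    && USER_ID.matcher(cookie.getValue()).matches()) {
                return cookie.getValue();
            }
        }
        return null;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // password was checked upstream; the provider requires a non-null value
    }

    /**
     * Provider to register with the authentication manager. Roles are loaded by the
     * UserDetailsService (for example a JDBC-backed one), not read from the cookie
     * and not taken from a literal list in the JSP.
     */
    public static PreAuthenticatedAuthenticationProvider providerFor(UserDetailsService users) {
        UserDetailsByNameServiceWrapper byName = new UserDetailsByNameServiceWrapper();
        byName.setUserDetailsService(users);
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(byName);
        return provider;
    }
}
```

The filter also needs its `authenticationManager` property set; a user id that the `UserDetailsService` does not know fails authentication instead of receiving default roles.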