Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I check Spring Security for user authentication and get roles from Flex?

I'm using Spring, Spring Security, BlazeDS, Flex and spring-flex.

I know that I can call channelSet.login() and channelSet.logout() to hook into Spring Security for authentication. channelSet.authenticated apparently only knows about the current Flex session, as it always starts off as false, until you call channelSet.login().

What I want to do:

  1. Check from Flex to know if a user is already in a session.
  2. If so, I want their username and roles.

UPDATE
I just thought I'd add details of the solution I used from brd6644's answer below, so that this might be easier for someone else who looks this up. I used this StackOverflow answer to make the SecurityContext injectable. I won't be rewriting the code from that answer in this one, so go look at it for the SecurityContextFacade.

securityServiceImpl.java

public class SecurityServiceImpl implements SecurityService {
    private SecurityContextFacade securityContextFacade;

    @Secured({"ROLE_PEON"})
    public Map<String, Object> getUserDetails() {
        Map<String,Object> userSessionDetails = new HashMap<String, Object>();

        SecurityContext context = securityContextFacade.getContext();
        Authentication auth = context.getAuthentication();
        UserDetails userDetails = (UserDetails) auth.getPrincipal();

        ArrayList roles = new ArrayList();
        GrantedAuthority[] grantedRoles = userDetails.getAuthorities();
        for (int i = 0; i < grantedRoles.length; i++) {
            roles.add(grantedRoles[i].getAuthority());
        }

        userSessionDetails.put("username", userDetails.getUsername());
        userSessionDetails.put("roles", roles);
        return userSessionDetails;
    }
}


securityContext.xml

<security:http auto-config="true">
    <!-- Don't authenticate Flex app -->
    <security:intercept-url pattern="/flexAppDir/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <!-- Don't authenticate remote calls -->
    <security:intercept-url pattern="/messagebroker/amfsecure" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</security:http>

<security:global-method-security secured-annotations="enabled" />

<bean id="securityService" class="ext.domain.project.service.SecurityServiceImpl">
    <property name="securityContextFacade" ref="securityContextFacade" />
</bean>
<bean id="securityContextFacade" class="ext.domain.spring.security.SecurityContextHolderFacade" />


flexContext.xml

<flex:message-broker>
    <flex:secured />
</flex:message-broker>

<flex:remoting-destination ref="securityService" />
<security:http auto-config="true" session-fixation-protection="none"/>


FlexSecurityTest.mxml

<mx:Application ... creationComplete="init()">

    <mx:Script><![CDATA[
        [Bindable]
        private var userDetails:UserDetails; // custom VO to hold user details

        private function init():void {
            security.getUserDetails();
        }

        private function showFault(e:FaultEvent):void {
            if (e.fault.faultCode == "Client.Authorization") {
                Alert.show("You need to log in.");
                // show the login form
            } else {
                // submit a ticket
            }
        }
        private function showResult(e:ResultEvent):void {
            userDetails = new UserDetails();
            userDetails.username = e.result.username;
            userDetails.roles = e.result.roles;
            // show user the application
        }
    ]]></mx:Script>

    <mx:RemoteObject id="security" destination="securityService">
        <mx:method name="getUserDetails" fault="showFault(event)" result="showResult(event)" />
    </mx:RemoteObject>

    ...
</mx:Application>
like image 985
Buns of Aluminum Avatar asked Jul 22 '09 21:07

Buns of Aluminum


People also ask

How do I check Spring Security?

The first way to check for user roles in Java is to use the @PreAuthorize annotation provided by Spring Security. This annotation can be applied to a class or method, and it accepts a single string value that represents a SpEL expression. Before we can use this annotation, we must first enable global method security.


2 Answers

If you use Spring Blazeds integration , you can implement getUserDetails method using org.springframework.flex.security.AuthenticationResultUtils.

public Map<String, Object> getUserDetails() {  
 return AuthenticationResultUtils.getAuthenticationResult();
}
like image 189
user197852 Avatar answered Sep 21 '22 21:09

user197852


I would write a secured Spring service method that returns the current user's roles information. Let the Flex app invoke that when the application starts up. If you receive a FaultEvent due to a security error, then prompt the user to authenticate and use ChannelSet.login().

like image 38
cliff.meyers Avatar answered Sep 21 '22 21:09

cliff.meyers