4. Securing BlazeDS Destinations with Spring Security

4.1. Introduction

Spring Security provides an extremely flexible alternative to the container-based security support provided out-of-the-box with BlazeDS. Spring BlazeDS Integration provides explicit integration support for incorporating Spring Security smoothly into your Flex/BlazeDS application. Spring Security provides a wealth of different configuration options, but rather than go into the many different combinations here, we'll leave most of that to the Spring Security documentation.

Here is a simple Spring Security configuration, intended for use with the explicit integration features provided by Spring BlazeDS Integration, that should be a solid starting point for securing a typical Flex application:

<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
                      http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                      http://www.springframework.org/schema/security
                      http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <http entry-point-ref="preAuthenticatedEntryPoint" />

    <beans:bean id="preAuthenticatedEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />

    <authentication-provider>
        <user-service>
            <user name="jeremy" password="atlanta" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="keith" password="melbourne" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>

</beans:beans>


With a typical Flex application, this approach is preferred to using Spring Security's auto-config setup. Auto-config sets up a number of features that typically are not needed with a Flex application. For instance, auto-config sets up a default intercept-url entry that requires authentication for all URL paths within the application. This does not work well for a typical BlazeDS setup, because the server would return a 403 response code for unauthenticated calls to BlazeDS endpoints, which the Flex client does not handle gracefully. (See Securing BlazeDS Channels by Endpoint URL Path for an alternative to intercept-url that generates proper AMF responses for the Flex client.) It is recommended to start simple as in this example, and add the additional features as needed.

We will assume the above configuration is in place for the remainder of the examples in this chapter.
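To make the contrast in the preceding discussion concrete, here is an added example (not from the Spring BlazeDS Integration reference or project) that places the auto-config form the text warns against, commented out, beside the explicit entry-point form, and then shows how a later-added intercept-url is scoped so it never covers the BlazeDS endpoint. The /messagebroker/amf endpoint URL and the /admin/** path are assumptions for illustration only.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
                      http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                      http://www.springframework.org/schema/security
                      http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <!-- Form to avoid for a Flex client (shown commented out). With auto-config,
         every URL path requires authentication; the intercept-url below spells
         out that rule. It also matches the BlazeDS endpoint (assumed here to be
         /messagebroker/amf), so an unauthenticated AMF call gets an HTTP 403
         instead of an AMF fault, which the Flex client does not handle gracefully.

    <http auto-config="true">
        <intercept-url pattern="/**" access="ROLE_USER" />
    </http>
    -->

    <!-- Preferred form: only an entry point is declared, so calls to the BlazeDS
         endpoint are not rejected at the URL level and can reach the MessageBroker. -->
    <http entry-point-ref="preAuthenticatedEntryPoint">
        <!-- A feature added later is scoped to a path that is not the BlazeDS
             endpoint. The /admin/** area is an assumption for this example;
             paths that match no intercept-url remain unrestricted here. -->
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    </http>

    <beans:bean id="preAuthenticatedEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />

    <authentication-provider>
        <user-service>
            <user name="jeremy" password="atlanta" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="keith" password="melbourne" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>

</beans:beans>
```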