Spring Security provides an extremely flexible alternative to the container-based security support provided out-of-the-box with BlazeDS. Spring BlazeDS Integration provides explicit integration support for incorporating Spring Security smoothly into your Flex/BlazeDS application. Spring Security provides a wealth of different configuration options, but rather than go into the many different combinations here, we'll leave most of that to the Spring Security documentation.
Here is a simple Spring Security starting configuration for use in conjunction with the explicit integration features provided by Spring BlazeDS Integration that should be a solid starting point for securing a typical Flex application:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <http entry-point-ref="preAuthenticatedEntryPoint" />

    <beans:bean id="preAuthenticatedEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />

    <authentication-provider>
        <user-service>
            <user name="jeremy" password="atlanta" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="keith" password="melbourne" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>

</beans:beans>
With a typical Flex application, this approach is preferred to using Spring Security's auto-config setup. Auto-config sets up a number of features that typically are not needed with a Flex application. For instance, auto-config sets up a default intercept-url entry that requires authentication for all URL paths within the application. This does not work well for the needs of a typical BlazeDS setup, as it would result in the server returning a 403 response code for unauthenticated calls to BlazeDS endpoints, which the Flex client does not handle gracefully. (See Securing BlazeDS Channels by Endpoint URL Path for an alternative to intercept-url that generates proper AMF responses for the Flex client.)
It is recommended to start simple as in this example, and add the additional features as needed.
We will assume the above configuration is in place for the remainder of the examples in this chapter.
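To make the 403 problem concrete, here is an added illustration (not part of the original reference text) contrasting the auto-config style intercept-url rule with the endpoint-path approach the note above points to. The flex namespace, the spring-flex-1.0.xsd schema location and the "**/messagebroker/amfsecure" pattern are assumptions about the Spring BlazeDS Integration schema, not values taken from this page.

```xml
<!-- Added example, assumes Spring BlazeDS Integration 1.0 flex namespace -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:flex="http://www.springframework.org/schema/flex"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd
        http://www.springframework.org/schema/flex http://www.springframework.org/schema/flex/spring-flex-1.0.xsd">

    <!-- What auto-config effectively installs: every path, including the BlazeDS
         endpoint, answers an unauthenticated request with an HTTP 403.
         The Flex client sees a transport failure rather than an AMF fault. -->
    <!--
    <http auto-config="true">
        <intercept-url pattern="/**" access="ROLE_USER" />
    </http>
    -->

    <!-- Preferred for Flex: keep Spring Security minimal and let the
         Spring BlazeDS Integration secure the endpoint path itself, so the
         rejection travels back to the client as a proper AMF error. -->
    <http entry-point-ref="preAuthenticatedEntryPoint" />

    <beans:bean id="preAuthenticatedEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />

    <flex:message-broker>
        <flex:secured>
            <!-- pattern and access values are assumed sample values -->
            <flex:secured-endpoint-path pattern="**/messagebroker/amfsecure" access="ROLE_USER" />
        </flex:secured>
    </flex:message-broker>

    <authentication-provider>
        <user-service>
            <user name="jeremy" password="atlanta" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="keith" password="melbourne" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>

</beans:beans>
```

The commented-out block is only there for contrast; a deployment would use one approach or the other, and the later chapter section on endpoint URL paths covers the flex:secured element in detail.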