When working with REST applications you actually target your Application Server with different URLs, which you can secure with different Spring-Security rules. When using GraniteDS or BlazeDS however you are probably using an AMF Connection which usually has one fixed URL, which all requests use. So there is no way to do any URL rule-based security.
If you want to secure your application you have to secure the Method calls themselves (http://krams915.blogspot.de/2010/12/spring-security-3-mvc-using-secured.html)

Chris

________________________________________
From: Massimo Perani <[email protected]>
Sent: Friday, 31 January 2014 12:03
To: [email protected]
Cc: [email protected]
Subject: Re: How to securing Apache Flex / GraniteDS Apps with Spring security

Thank you Guys,

I give you some more detail. I'm trying to use the same filter I used before for Rest Json; in this filter I check for a token in the http header:

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        // I don't know how to set this parameter in http header from flex ???
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String authToken = httpRequest.getHeader("X-Authorization-Token");
        String userName = TokenUtils.getUserNameFromToken(authToken);

        if (userName != null) {
            UserDetails userDetails = this.userService.loadUserByUsername(userName);
            if (TokenUtils.validateToken(authToken, userDetails)) {
                UsernamePasswordAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails((HttpServletRequest) request));
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        }
        chain.doFilter(request, response);
    }

In my context.xml I defined:

    <security:http realm="Protected API"
                   use-expressions="true"
                   auto-config="false"
                   create-session="stateless"
                   entry-point-ref="unauthorizedEntryPoint"
                   authentication-manager-ref="authenticationManager">
        <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" />
        <security:intercept-url pattern="/graniteamf/**" access="hasRole('user')" />
    </security:http>

    <security:global-method-security pre-post-annotations="enabled" />

    <bean id="passwordEncoder" class="com.myapp.security.SaltedSHA256PasswordEncoder">
        <constructor-arg value="secret" />
    </bean>

    <security:authentication-manager id="authenticationManager">
        <security:authentication-provider user-service-ref="userDao">
            <security:password-encoder ref="passwordEncoder"></security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <graniteds:security-service authentication-manager="authenticationManager"/>

    <bean id="unauthorizedEntryPoint" class="com.myapp.security.UnauthorizedEntryPoint" />

    <bean class="com.myapp.security.AuthenticationTokenProcessingFilter" id="authenticationTokenProcessingFilter">
        <constructor-arg ref="userDao" />
    </bean>

The Spring app starts and when I call the services from flex with graniteDS the filter works, but I don't know how to set the header parameter.

I think this is not the best practice to do that, so I am asking the community which is the best practice to secure my backend.

Thanks so much.
Massimo.

2014-01-31 Christofer Dutz <[email protected]>:

> Hi Giuseppe,
>
> I think this explains how to secure the Connection, but not how to
> integrate the security mechanism of graniteds with that of spring-security.
> When integrating GraniteDs with Spring-Security I would expect
> Login-attempts to GraniteDS to utilize the Authentication components of
> SpringSecurity and whenever a Service is called from Flex, that
> SpringSecurity will handle the permissions to execute that Service while
> GraniteDS will take care of securing the Connection itself.
>
> Chris
>
> ________________________________________
> From: Giuseppe Romano <[email protected]>
> Sent: Friday, 31 January 2014 11:28
> To: [email protected]
> Subject: Re: How to securing Apache Flex / GraniteDS Apps with Spring
> security
>
> Hi Massimo,
>
> look at
> http://www.granitedataservices.com/public/docs/3.0.1/docs/reference/flex/graniteds-refguide-flex.html#remoting.security
>
> That chapter explains step by step how to set up the security
> environment.
>
> --
> Giuseppe Romano
> Skype name: giuseppe.romano.80
> Mobile: +39 3404900103
>
> On Fri, January 31, 2014 11:11 am, Massimo Perani wrote:
> Hi all,
> I built a Flex app (mobile & desktop) that calls a backend built in Spring
> and uses GraniteDS to expose services.
>
> Now I'm trying to secure my services with Spring Security but I can't find
> a good example about it.
>
> I already exposed my services to other external applications with SpringMVC
> (rest/json);
> there I used spring security with a custom filter to check for a token in
> the http header, but I can't use the same filter with the GraniteDS servlet because
> from the client side (Flex app) I can't set parameters into the http header with
> GraniteDS...
>
> Can you give some advice about which type of authentication (basic, digest,
> custom...) to use and give me some good tutorial
> about securing Apache Flex applications with GraniteDS?
>
> Thanks so much.
> Massimo

--
Massimo Perani
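
The method-level approach recommended in the reply at the top of this thread, as an added example that is not part of the original emails: because every AMF call arrives on the same URL, the authorization rule sits on the service method itself. `OrderService`, its methods and the `admin` authority are hypothetical; `@EnableGlobalMethodSecurity(prePostEnabled = true)` is the Java-config form of the `pre-post-annotations="enabled"` element in the posted XML, and the sketch assumes Spring Security 3.2 to 5.x and Java 8.

```java
import java.util.Collections;
import java.util.concurrent.Callable;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class MethodSecurityDemo {
    // Hypothetical service; under GraniteDS this would be the bean behind the AMF destination.
    public interface OrderService {
        @PreAuthorize("hasAuthority('user')") String listOrders();
        @PreAuthorize("hasAuthority('admin')") String deleteOrder(long id);
    }
    static class OrderServiceImpl implements OrderService {
        public String listOrders() { return "orders"; }
        public String deleteOrder(long id) { return "deleted " + id; }
    }
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public static class Config extends GlobalMethodSecurityConfiguration {
        @Bean public OrderService orderService() { return new OrderServiceImpl(); }
        // Assumption: the caller was authenticated upstream (token filter or GraniteDS login).
        @Override protected AuthenticationManager authenticationManager() { return a -> a; }
    }
    // Returns the method's result, or the simple name of the exception that blocked the call.
    static String attempt(Callable<String> call) {
        try { return call.call(); } catch (Exception e) { return e.getClass().getSimpleName(); }
    }
    // Constructed principal: stands in for what the login step would place in the context.
    static void loginWith(String authority) {
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                "massimo", null, Collections.singletonList(new SimpleGrantedAuthority(authority))));
    }
    public static void main(String[] args) {
        AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(Config.class);
        OrderService svc = ctx.getBean(OrderService.class);
        System.out.println(attempt(svc::listOrders));          // no Authentication in the context
        loginWith("user");
        System.out.println(attempt(svc::listOrders));          // caller holds 'user'
        System.out.println(attempt(() -> svc.deleteOrder(7))); // caller lacks 'admin'
        SecurityContextHolder.clearContext();
        ctx.close();
    }
}
```

`hasAuthority` is used instead of the thread's `hasRole('user')` because Spring Security 4 and later prepend `ROLE_` to the argument of `hasRole`, which would change what the rule matches.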
