flex-users mailing list archives

From Massimo Perani <massimo.per...@gmail.com>
Subject Re: How to securing Apache Flex / GraniteDS Apps with Spring security
Date Fri, 31 Jan 2014 11:03:52 GMT
Thank you guys,
Let me give you some more detail.
I'm trying to use the same filter I used before for REST/JSON;
in this filter I check for a token in the HTTP header:

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        // I don't know how to set this parameter in http header from flex ???
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String authToken = httpRequest.getHeader("X-Authorization-Token");

        String userName = TokenUtils.getUserNameFromToken(authToken);

        if (userName != null) {
            UserDetails userDetails = this.userService.loadUserByUsername(userName);

            if (TokenUtils.validateToken(authToken, userDetails)) {
                UsernamePasswordAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(userDetails, null,
                                userDetails.getAuthorities());
                authentication.setDetails(
                        new WebAuthenticationDetailsSource().buildDetails(httpRequest));
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        }
        chain.doFilter(request, response);
    }



in my context.xml I defined:



    <security:http
            realm="Protected API"
            use-expressions="true"
            auto-config="false"
            create-session="stateless"
            entry-point-ref="unauthorizedEntryPoint"
            authentication-manager-ref="authenticationManager">
        <security:custom-filter ref="authenticationTokenProcessingFilter"
                position="FORM_LOGIN_FILTER" />
        <security:intercept-url pattern="/graniteamf/**" access="hasRole('user')" />
    </security:http>

    <security:global-method-security pre-post-annotations="enabled" />

    <bean id="passwordEncoder"
            class="com.myapp.security.SaltedSHA256PasswordEncoder">
        <constructor-arg value="secret" />
    </bean>

    <security:authentication-manager id="authenticationManager">
        <security:authentication-provider user-service-ref="userDao">
            <security:password-encoder ref="passwordEncoder"></security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <graniteds:security-service authentication-manager="authenticationManager"/>

    <bean id="unauthorizedEntryPoint"
            class="com.myapp.security.UnauthorizedEntryPoint" />

    <bean class="com.myapp.security.AuthenticationTokenProcessingFilter"
            id="authenticationTokenProcessingFilter">
        <constructor-arg ref="userDao" />
    </bean>


The Spring app starts, and when I call the services from Flex with GraniteDS
the filter works,
but I don't know how to set the header parameter.
I think this is not the best practice for doing that,
so I ask the community: which is the best practice to secure my backend?
Thanks so much.

Massimo.


2014-01-31 Christofer Dutz <christofer.dutz@c-ware.de>:

> Hi Giuseppe,
>
> I think this explains how to secure the Connection, but not how to
> integrate the security mechanism of graniteds with that of spring-security.
> When integrating GraniteDS with Spring-Security I would expect
> Login-attempts to GraniteDS to utilize the Authentication components of
> SpringSecurity and whenever a Service is called from Flex, that
> SpringSecurity will handle the permissions to execute that Service while
> GraniteDS will take care of securing the Connection itself.
>
> Chris
>
> ________________________________________
> From: Giuseppe Romano <giuseppe.romano@mobytech.it>
> Sent: Friday, 31 January 2014 11:28
> To: users@flex.apache.org
> Subject: Re: How to securing Apache Flex / GraniteDS Apps with Spring
>  security
>
> Hi Massimo,
>
> look at
> http://www.granitedataservices.com/public/docs/3.0.1/docs/reference/flex/graniteds-refguide-flex.html#remoting.security
>
> That chapter explains step by step how to set up the security
> environment.
>
> --
> Giuseppe Romano
> Skype name: giuseppe.romano.80
> Mobile: +39 3404900103
>
> On Fri, January 31, 2014 11:11 am, Massimo Perani wrote:
> Hi all,
> I built a Flex app (mobile & desktop) that calls a backend built in Spring
> and uses GraniteDS to expose services.
>
> Now I'm trying to secure my services with Spring Security but I can't find
> a good example about it.
>
>
> I already exposed my services to other external application with SpringMVC
> (rest/json)
> there I used spring security with custom filter to check for a token in
> http header, but I can't use the same filter with GraniteDS servlet because
> from client side (Flex app) I can't set parameters into http header with
> GraniteDS...
>
> Can you give some advice about which type of authentication (basic, digest,
> custom...) to use and give me some good tutorials
> about securing Apache Flex applications with GraniteDS?
>
> Thanks so much.
> Massimo
>
>
>
>


-- 
Massimo Perani
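
The filter in the message above relies on a `TokenUtils` class that is not shown. The following is an added example, not code from the original message or from GraniteDS or Spring, of what such a helper could look like for an HMAC-signed, expiring token. The class name, the token format and the demo key are assumptions, and `validateToken` takes the user name as a string instead of `UserDetails` so the sketch needs no Spring classes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical stand-in for the poster's TokenUtils. Assumed token format:
// userName:expiryEpochMillis:base64url(HMAC-SHA256(userName:expiryEpochMillis))
public final class TokenUtilsSketch {
    // Constructed demo key; a real key comes from protected configuration.
    private static final byte[] KEY = "demo-only-key".getBytes(StandardCharsets.UTF_8);

    static String sign(String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static String createToken(String userName, long expiresAtMillis) {
        if (userName.indexOf(':') >= 0) throw new IllegalArgumentException("':' in user name");
        String payload = userName + ":" + expiresAtMillis;
        return payload + ":" + sign(payload);
    }

    // Returns null when the header is absent or malformed, so the filter skips authentication.
    public static String getUserNameFromToken(String authToken) {
        String[] p = authToken == null ? new String[0] : authToken.split(":");
        return p.length == 3 ? p[0] : null;
    }

    public static boolean validateToken(String authToken, String expectedUserName) {
        String[] p = authToken == null ? new String[0] : authToken.split(":");
        if (p.length != 3 || !p[0].equals(expectedUserName)) return false;
        try {
            if (Long.parseLong(p[1]) < System.currentTimeMillis()) return false; // expired
        } catch (NumberFormatException e) { return false; }
        byte[] expected = sign(p[0] + ":" + p[1]).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8)); // constant time
    }
    public static void main(String[] args) {
        String token = createToken("alice", System.currentTimeMillis() + 60_000); // constructed sample
        System.out.println(validateToken(token, "alice"));        // untouched token
        System.out.println(validateToken(token + "x", "alice"));  // altered signature
        System.out.println(validateToken(null, "alice"));         // header missing
    }
}
```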
