Subject: Re: How to securing Apache Flex / GraniteDS Apps with Spring security
From: Massimo Perani
To: users@flex.apache.org
Cc: "giuseppe.romano@mobytech.it"
Date: Fri, 31 Jan 2014 12:03:52 +0100

Thank you Guys,

I'll give you some more detail. I'm trying to use the same filter I used
before for REST/JSON; in this filter I check for a token in the HTTP header:

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        // I don't know how to set this parameter in http header from flex ???
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String authToken = httpRequest.getHeader("X-Authorization-Token");
        String userName = TokenUtils.getUserNameFromToken(authToken);

        if (userName != null) {
            UserDetails userDetails = this.userService.loadUserByUsername(userName);
            // Populate the security context only when the token validates for this user
            if (TokenUtils.validateToken(authToken, userDetails)) {
                UsernamePasswordAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(userDetails, null,
                                userDetails.getAuthorities());
                authentication.setDetails(
                        new WebAuthenticationDetailsSource().buildDetails(httpRequest));
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        }
        // The request continues down the chain whether or not it was authenticated
        chain.doFilter(request, response);
    }

in my context.xml I defined:

The Spring app starts, and when I call the services from Flex with GraniteDS
the filter works, but I don't know how to set the header parameter.

I think this is not the best practice for doing that, so I ask the community
which is the best practice to secure my backend.

Thanks so much.
Massimo.

2014-01-31 Christofer Dutz :

> Hi Giuseppe,
>
> I think this explains how to secure the Connection, but not how to
> integrate the security mechanism of GraniteDS with that of Spring-Security.
> When integrating GraniteDS with Spring-Security I would expect
> Login-attempts to GraniteDS to utilize the Authentication components of
> SpringSecurity and whenever a Service is called from Flex, that
> SpringSecurity will handle the permissions to execute that Service while
> GraniteDS will take care of securing the Connection itself.
>
> Chris
>
> ________________________________________
> From: Giuseppe Romano
> Sent: Friday, 31 January 2014 11:28
> To: users@flex.apache.org
> Subject: Re: How to securing Apache Flex / GraniteDS Apps with Spring
> security
>
> Hi Massimo,
>
> look at
> http://www.granitedataservices.com/public/docs/3.0.1/docs/reference/flex/graniteds-refguide-flex.html#remoting.security
>
> In that chapter it is explained step by step how to set up the security
> environment.
>
> --
> Giuseppe Romano
> Skype name: giuseppe.romano.80
> Mobile: +39 3404900103
>
> On Fri, January 31, 2014 11:11 am, Massimo Perani wrote:
> Hi all,
> I built a Flex app (mobile & desktop) that calls a backend built in Spring
> and uses GraniteDS to expose services.
>
> Now I'm trying to secure my services with Spring Security but I can't find
> a good example about it.
>
> I already exposed my services to other external applications with SpringMVC
> (rest/json);
> there I used Spring Security with a custom filter to check for a token in
> the http header, but I can't use the same filter with the GraniteDS servlet
> because from the client side (Flex app) I can't set parameters into the http
> header with GraniteDS...
>
> Can you give some advice about which type of authentication (basic, digest,
> custom...) to use and give me a good tutorial
> about securing Apache Flex applications with GraniteDS?
>
> Thanks so much.
> Massimo

--
Massimo Perani
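
Added example, not part of the original message and not the poster's code: a hypothetical stand-in for the TokenUtils that the filter above calls, showing one way a token taken from the X-Authorization-Token header can be checked (HMAC-SHA256 signature, constant-time comparison, expiry). The class name HmacTokenUtils, the token layout and the demo key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical stand-in for the TokenUtils the filter calls (not the poster's class).
// Assumed token layout: userName:expiresEpochMillis:base64url(HMAC-SHA256)
public final class HmacTokenUtils {
    private final byte[] key;
    public HmacTokenUtils(byte[] key) { this.key = key.clone(); }
    public String createToken(String userName, long expiresAtMillis) {
        if (userName.indexOf(':') >= 0) throw new IllegalArgumentException("':' in user name");
        String payload = userName + ":" + expiresAtMillis;
        return payload + ":" + sign(payload);
    }

    // Returns the user name only if the signature verifies and the token is unexpired.
    public String getUserNameFromToken(String token, long nowMillis) {
        if (token == null) return null;              // header missing
        String[] parts = token.split(":", -1);
        if (parts.length != 3) return null;          // malformed token
        long expires;
        try { expires = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        byte[] expected = sign(parts[0] + ":" + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = parts[2].getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison: timing does not reveal how many bytes matched.
        if (!MessageDigest.isEqual(expected, supplied)) return null;
        return nowMillis < expires ? parts[0] : null;
    }

    private String sign(String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        HmacTokenUtils utils = new HmacTokenUtils("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String token = utils.createToken("alice", 2_000L);  // constructed sample values
        System.out.println(utils.getUserNameFromToken(token, 1_000L));  // unexpired, untouched token
        System.out.println(utils.getUserNameFromToken(token, 3_000L));  // same token after expiry
        System.out.println(utils.getUserNameFromToken(token.replace("alice", "admin"), 1_000L));  // edited user name
    }
}
```

The clock is passed in as nowMillis so the expiry check can be exercised with fixed values; inside a servlet filter the caller would pass System.currentTimeMillis().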