Posted to users@flex.apache.org by Giuseppe Romano <gi...@mobytech.it> on 2014/01/31 11:28:05 UTC

Re: How to securing Apache Flex / GraniteDS Apps with Spring security

Hi Massimo,

look at http://www.granitedataservices.com/public/docs/3.0.1/docs/reference/flex/graniteds-refguide-flex.html#remoting.security

That chapter explains step by step how to set up the security environment.

-- 
Giuseppe Romano
Skype name: giuseppe.romano.80
Mobile: +39 3404900103

On Fri, January 31, 2014 11:11 am, Massimo Perani wrote:
Hi all,
I built a Flex app (mobile & desktop) that calls a backend built in Spring
and uses GraniteDS to expose services.

Now I'm trying to secure my services with Spring Security but I can't find
a good example about it.

I already exposed my services to other external applications with Spring MVC
(REST/JSON); there I used Spring Security with a custom filter to check for a
token in the HTTP header, but I can't use the same filter with the GraniteDS
servlet because from the client side (Flex app) I can't set parameters in the
HTTP header with GraniteDS...

Can you give some advice about which type of authentication (basic, digest,
custom...) to use and give me some good tutorial
about securing an Apache Flex application with GraniteDS?

Thanks so much.
Massimo




Re: How to securing Apache Flex / GraniteDS Apps with Spring security

Posted by Christofer Dutz <ch...@c-ware.de>.
Hmmm ... well I can't really confirm this. It's a one-time setup cost you have to pay,
but then you can reuse that setup as often as you want. I develop my application in pure Java
and have my Maven build generate the ActionScript model from that. Now all I have to do
is simply use the classes that were generated by my build.

But as long as you are developing web applications you will always have more than pure Java
(OK ... if you were creating Java applets this wouldn't be the case). I really like to be able to run/debug/profile
the real thing and not have shiploads of tools having to hide the details of serious framework hackery from me.
For me GWT is by far the most insane approach.

Chris

________________________________________
From: Alain Ekambi <ja...@gmail.com>
Sent: Friday, 31 January 2014 12:07
To: users@flex.apache.org
Subject: Re: How to securing Apache Flex / GraniteDS Apps with Spring security

That's another reason why we went away from ActionScript-based Flex
development and leverage Java in the entire stack. With ActionScript there
are just too many moving pieces.


Re: How to securing Apache Flex / GraniteDS Apps with Spring security

Posted by Alain Ekambi <ja...@gmail.com>.
That's another reason why we went away from ActionScript-based Flex
development and leverage Java in the entire stack. With ActionScript there
are just too many moving pieces.


Re: How to securing Apache Flex / GraniteDS Apps with Spring security

Posted by Christofer Dutz <ch...@c-ware.de>.
When working with REST applications you actually target your application server with different URLs, which you can secure with different Spring Security rules.
When using GraniteDS or BlazeDS, however, you are probably using an AMF connection which usually has one fixed URL, which all requests use. So there is no
way to do any URL rule-based security.

If you want to secure your application you have to secure the method calls themselves (http://krams915.blogspot.de/2010/12/spring-security-3-mvc-using-secured.html).

Chris


Re: How to securing Apache Flex / GraniteDS Apps with Spring security

Posted by Massimo Perani <ma...@gmail.com>.
Thank you guys,
I'll give you some more detail.
I'm trying to use the same filter I used before for REST/JSON;
in this filter I check for a token in the HTTP header:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        // I don't know how to set this parameter in the HTTP header from Flex ???
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String authToken = httpRequest.getHeader("X-Authorization-Token");

        // Resolve the user name carried in the token (TokenUtils is not shown in the post)
        String userName = TokenUtils.getUserNameFromToken(authToken);

        if (userName != null) {
            UserDetails userDetails = this.userService.loadUserByUsername(userName);

            // Only a token that validates against the loaded user details authenticates the request
            if (TokenUtils.validateToken(authToken, userDetails)) {
                UsernamePasswordAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpRequest));
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        }

        // The chain always continues; without an Authentication the access rules decide later
        chain.doFilter(request, response);
    }



in my context.xml I defined:



    <security:http
        realm="Protected API"
        use-expressions="true"
        auto-config="false"
        create-session="stateless"
        entry-point-ref="unauthorizedEntryPoint"
        authentication-manager-ref="authenticationManager">
      <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" />
      <security:intercept-url pattern="/graniteamf/**" access="hasRole('user')" />
    </security:http>

    <security:global-method-security pre-post-annotations="enabled" />

    <bean id="passwordEncoder" class="com.myapp.security.SaltedSHA256PasswordEncoder">
      <constructor-arg value="secret" />
    </bean>

    <security:authentication-manager id="authenticationManager">
      <security:authentication-provider user-service-ref="userDao">
        <security:password-encoder ref="passwordEncoder"></security:password-encoder>
      </security:authentication-provider>
    </security:authentication-manager>

    <graniteds:security-service authentication-manager="authenticationManager"/>

    <bean id="unauthorizedEntryPoint" class="com.myapp.security.UnauthorizedEntryPoint" />

    <bean class="com.myapp.security.AuthenticationTokenProcessingFilter" id="authenticationTokenProcessingFilter">
      <constructor-arg ref="userDao" />
    </bean>


The Spring app starts and when I call the services from Flex with GraniteDS
the filter works,
but I don't know how to set the header parameter.
I think this is not the best practice to do that...
so I ask the community which is the best practice to secure my backend.
Thanks so much.

Massimo.




-- 
Massimo Perani
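
The advice given in this thread, to secure the method calls because all AMF requests share one URL, sketched as an added example that is not code from any poster: a hypothetical `InvoiceService` bean carrying Spring Security's `@PreAuthorize`/`@PostAuthorize` annotations, which the posted `pre-post-annotations="enabled"` setting switches on. The service, its `Invoice` type and the `admin` authority are assumptions; `user` is the authority from the posted configuration.

```java
package com.example.billing; // hypothetical package, not from the thread
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Hypothetical service bean. All AMF calls share one URL (/graniteamf/**),
// so per-operation rules sit on the methods instead of in intercept-url.
@Service("invoiceService")
public class InvoiceService {

    public static class Invoice implements Serializable {
        private final long id;
        private final String owner; // user name of the owning account
        Invoice(long id, String owner) { this.id = id; this.owner = owner; }
        public long getId() { return id; }
        public String getOwner() { return owner; }
    }

    private final ConcurrentMap<Long, Invoice> store = new ConcurrentHashMap<Long, Invoice>();

    // Role check only; 'user' is the authority used in the posted intercept-url rule.
    @PreAuthorize("hasRole('user')")
    public List<Invoice> listOwn() {
        String caller = SecurityContextHolder.getContext().getAuthentication().getName();
        List<Invoice> result = new ArrayList<Invoice>();
        for (Invoice invoice : store.values()) {
            if (invoice.getOwner().equals(caller)) {
                result.add(invoice);
            }
        }
        return result;
    }

    // Argument check: a caller can only create invoices under their own name, and an
    // existing id is never overwritten. #owner is resolved by parameter name, so
    // compile with debug info (javac -g).
    @PreAuthorize("hasRole('user') and #owner == authentication.name")
    public void create(long id, String owner) {
        store.putIfAbsent(id, new Invoice(id, owner));
    }

    // Return-value check: evaluated after the lookup; the invoice is returned only
    // to its owner or to a caller with the assumed 'admin' authority.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name or hasRole('admin')")
    public Invoice find(long id) {
        return store.get(id);
    }

    // Destructive operation limited to the assumed 'admin' authority.
    @PreAuthorize("hasRole('admin')")
    public void delete(long id) {
        store.remove(id);
    }
}
```

These annotations are enforced only on calls that pass through the Spring proxy of the bean, so the destination exposed to Flex has to resolve to the bean from the application context rather than to a separately instantiated object.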

Re: How to securing Apache Flex / GraniteDS Apps with Spring security

Posted by Christofer Dutz <ch...@c-ware.de>.
Hi Giuseppe,

I think this explains how to secure the connection, but not how to integrate the security mechanism of GraniteDS with that of Spring Security.
When integrating GraniteDS with Spring Security I would expect login attempts to GraniteDS to utilize the authentication components of Spring Security and whenever a service is called from Flex, that Spring Security will handle the permissions to execute that service while GraniteDS will take care of securing the connection itself.

Chris
