4. Securing BlazeDS Destinations with Spring Security

4.1. Introduction

Spring Security provides an extremely flexible alternative to the container-based security support provided out-of-the-box with BlazeDS. Spring BlazeDS Integration provides explicit integration support for incorporating Spring Security smoothly into your Flex/BlazeDS application. Spring Security provides a wealth of different configuration options, but rather than go into the many different combinations here, we'll leave most of that to the Spring Security documentation.

As of version 1.0.2, Spring BlazeDS Integration also supports both Spring Security versions 2 and 3. The Spring Security version being used will be detected at startup time and the proper integration support automatically installed. Note that if you were previously customizing/extending any of the classes in the org.springframework.flex.security package, you will need to switch to the versions in the org.springframework.flex.security3 package in order to be compatible with Spring Security 3.

A simple Spring Security 2 configuration

Here is a simple Spring Security starting configuration for use in conjunction with the explicit integration features provided by Spring BlazeDS Integration that should be a solid starting point for securing a typical Flex application:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    <http entry-point-ref="preAuthenticatedEntryPoint" />
    <beans:bean id="preAuthenticatedEntryPoint" 
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
	    	<user name="jeremy" password="atlanta" authorities="ROLE_USER, ROLE_ADMIN" />
	      	<user name="keith" password="melbourne" authorities="ROLE_USER" />

With a typical Flex application, this approach is preferred to using Spring Security's auto-config setup. Auto-config sets up a number of features that typically are not needed with a Flex application. For instance, auto-config sets up a default intercept-url entry that requires authentication for all URL paths within the application. This does not work well for the needs of a typical BlazeDS setup as it would result in the server returning a 403 response code for un-authenticated calls to BlazeDS endpoints which the Flex client does not handle gracefully. (See Securing BlazeDS Channels by Endpoint URL Path for an alternative to intercept-url that generates proper AMF responses for the Flex client.) It is recommended to start simple as in this example, and add the additional features as needed.

A simple Spring Security 3 configuration

Here is an equivalent starting configuration using the Spring Security 3 schema:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http entry-point-ref="entryPoint">
        <anonymous enabled="false"/>
    <beans:bean id="entryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
            <user name="john" password="john" authorities="ROLE_USER" />
            <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="guest" password="guest" authorities="ROLE_GUEST" />


Enabling the Spring Security filter chain in web.xml

For a typical setup with Spring Security, it is critical to remember to enable the Spring Security filter chain by adding the appropriate entry to web.xml:




We will assume the above configuration is in place for the remainder of the examples in this chapter. For additional details on the many options available in configuring and using Spring Security, please refer to that project's documentation.