Chapter 8. Security

This chapter describes how Flamingo maps Flex authentication and authorization onto Seam Security and Spring Security on the server side.

8.1. Authentication

Authentication is the process by which a user proves his or her identity to a system.

Flex offers two kinds of authentication: Basic and Custom. Basic authentication corresponds to standard Java EE HTTP Basic authentication, where the browser issues the credentials challenge. Custom authentication corresponds to form-based authentication, where the application provides its own login form and sends the credentials itself.

The authentication features of Seam Security are built upon JAAS. Seam ships a built-in JAAS login module, SeamLoginModule, which delegates the actual credential check to a Seam component (the authenticator). Seam also supports HTTP Basic and Digest authentication.

For Spring, the standard mechanism is Spring Security (formerly Acegi Security System). Exadel Flamingo supports Spring Security version 2.0.0 and higher. For more information about authentication providers for Spring Security see:

http://static.springframework.org/spring-security/site/index.html

8.1.1. Flamingo Authentication

Flamingo maps Flex authentication onto Seam authentication as follows: Flex Basic authentication is mapped to Seam HTTP Basic authentication, and Flex Custom authentication is mapped to JAAS. Examples of each authentication method can be found in the "Examples" folder of flamingo-2.1.zip.


Flamingo aims to let a Flex client use the standard security mechanisms of Seam or Spring without any additional configuration. Flamingo does not require you to secure destinations as is usually done in Flex; all access restrictions are taken directly from the Seam or Spring configuration.

8.1.1.1. Basic Authentication

When you use Basic authentication to secure access to destinations in plain Flex, you usually secure the endpoints of the channels those destinations use in the "web.xml" file, and then configure the destination to access the secured resource so that the client is challenged for a user name (principal) and password (credentials). The web browser answers the challenge independently of Flex, and the web application container authenticates the credentials.


With Flamingo you do not need to configure secure channels for Basic authentication. If Basic authentication is applied on the server, either through standard Java EE configuration in "web.xml" or through native Spring Security or Seam configuration, no additional settings are needed in Flex. Keep in mind that Basic authentication sends the user name and password base64-encoded, not encrypted, with every request, so the channel must run over HTTPS.

8.1.1.1.1. Seam Configuration

For Seam, the only configuration needed is a <web:authentication-filter> in "components.xml" or a <security-constraint> in "web.xml" (see the "security-basic" sample). The browser shows its authentication dialog on the first secured server call.

In Seam authentication is configured in the "components.xml" file:

<web:authentication-filter url-pattern="/seam/resource/*" auth-type="basic"/> 

Tip

Currently there is an issue with Seam HTTP Basic authentication through <web:authentication-filter>, which is expected to be fixed in Seam 2.1.0. As a workaround, use the standard Java EE Basic authentication configuration (<security-constraint> and <login-config> in "web.xml").

8.1.1.1.2. Spring Security Configuration

This is an example of how to configure Basic authentication for a Flex client in an application that uses Spring Security:

<http auto-config="true">
  <intercept-url pattern="/flamingo/**" access="ROLE_USER" />
  <intercept-url pattern="/**" filters="none" />
</http>
<authentication-provider>
  <password-encoder hash="md5"/>
  <user-service>
    <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_USER" />
    <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER" />
  </user-service>
</authentication-provider>

See "spring-security.xml" in the "spring-flex-authentication-basic" demo in the "examples" folder. Note that <intercept-url> patterns are matched in order and the first match wins, so the specific "/flamingo/**" rule must precede the catch-all "/**". The unsalted MD5 password hashes above are the Spring Security sample users and are suitable for a demo only; in production use a salted hash (the <password-encoder> element accepts a <salt-source> child) and do not hard-code accounts in the configuration.

8.1.1.2. Custom Authentication

When using Custom authentication, the client calls specific methods on the server to perform the authentication itself. For Custom authentication, Flex uses a custom login adapter, known as a login command, to check a user's credentials and log a principal into the application server. If you also want to use custom authorization, you must link the role references you declare to roles defined in your application server's user store. Flamingo does not require you to configure roles for custom authentication or authorization, since all necessary data is taken from the server configuration.

Seam

The standard approach to Custom authentication is to use the identity component as shown in example 5.2.1.3 with the help of the CallSet component; after the call the user is logged in on the server. As an alternative, you can use the setCredentials() method of the RemoteObject class (HessianService does not support this mechanism):

<mx:RemoteObject id="service" destination="identity"/>
<mx:Button label="Authenticate" click="service.setCredentials('username', 'password'); service.isLoggedIn()"/>

Note

Note that setCredentials() does not perform a server call of its own; the credentials are sent with the next remote call, here isLoggedIn(). The RemoteObject methods setCredentials() and logout() correspond to the login() and logout() methods of the identity component, and identity.isLoggedIn() can be used to verify whether the user is logged in.

Spring

There are two ways to use Custom authentication with Spring:

1. Create a Spring service bean with methods such as "login", "doLogout" and "isLoggedIn" that are called from Flex. This bean performs the authentication through the Spring Security API.

2. Use the "setCredentials" and "logout" methods of the RemoteObject component. For example:


<mx:RemoteObject id="service" destination="myService"/>
<mx:Button label="Call secure method" click="service.setCredentials('username', 'password'); service.callMethod()"/>

In this example, the authentication is performed on the server according to the application's Spring Security configuration before callMethod is invoked.

The "logout" method of RemoteObject removes the currently authenticated principal from the security context. "setCredentials" and "logout" affect the whole application (the user's session), not only the destination on which they were called.
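The first approach, as an added example (this is not code from the Flamingo distribution): a Spring bean that a Flex client calls through a Flamingo destination and that authenticates through the Spring Security 2.0 API. The class name and package are assumptions; the AuthenticationManager is the one the security namespace builds and exposes with <authentication-manager alias="authenticationManager"/>.

```java
// Added example (not Flamingo's own code): a Spring service bean exposed as a Flamingo
// destination, implementing the "login / doLogout / isLoggedIn" approach with the
// Spring Security 2.0 API. The class and package names are assumptions.
package example.security;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

public class AuthService {

    private final AuthenticationManager authenticationManager;

    // Injected from the Spring context, e.g. the manager exposed by
    // <authentication-manager alias="authenticationManager"/> in spring-security.xml.
    public AuthService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * Checks the credentials against the configured authentication provider(s) and, on
     * success, stores the result in the security context of the current request. The
     * context is copied into the HttpSession at the end of the request, so later calls
     * from the same Flex client are already authenticated.
     */
    public boolean login(String username, String password) {
        try {
            Authentication request = new UsernamePasswordAuthenticationToken(username, password);
            Authentication result = authenticationManager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
            return true;
        } catch (AuthenticationException e) {
            // Report one generic failure to the client. Do not forward e.getMessage():
            // "bad credentials" versus "user not found" lets an attacker enumerate accounts.
            SecurityContextHolder.clearContext();
            return false;
        }
    }

    /** True only for a real, non-anonymous authentication in the current context. */
    public boolean isLoggedIn() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
            && auth.isAuthenticated()
            && !(auth instanceof AnonymousAuthenticationToken);
    }

    /** Drops the principal; the emptied context is written back to the session. */
    public void doLogout() {
        SecurityContextHolder.clearContext();
    }
}
```

Two points matter for this to work through Flamingo. The destination URL must pass through the Spring Security filter chain (it must not be under a path marked filters="none"), because HttpSessionContextIntegrationFilter is what persists the context set in login() into the session; otherwise the login does not survive the call. And a complete logout should also invalidate the HttpSession, which this bean cannot reach on its own, so in practice pair doLogout() with the namespace's <logout/> handling or a servlet filter that has the request.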

8.2. Authorization

Authorization is the process of determining what types of activities a user is permitted to perform in a system.

8.2.1. Seam Authorization

Flamingo relies entirely on the Seam authorization mechanism. Seam provides two modes of authorization:

  • simplified mode - this mode supports authentication services and simple role-based security checks

  • advanced mode - this mode supports all the features supported by the simplified mode, plus it offers rule-based security checks using JBoss Rules

8.2.1.1. Simplified

In this mode you check which roles the currently logged-in user has and grant or deny access to a resource accordingly. Roles are assigned on the server side, in the authenticator method referenced from the "components.xml" file:

<security:identity authenticate-method="#{authenticator.authenticate}"/>

After calling identity.login() you can check a role with the identity.hasRole() server call. Because a Flex client can be modified or bypassed, a role check made from the client is only suitable for adapting the user interface; the server-side methods themselves must be protected, for example with Seam's @Restrict annotation.
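As an added example (not part of the Flamingo samples), a Seam 2.0-style authenticator that identity.login() invokes through the authenticate-method above, together with a service component whose method is restricted on the server. The in-memory account store, salt values, user names and component names are constructed for the example; identity.getUsername()/getPassword() is the Seam 2.0 API (Seam 2.1 moved them to identity.getCredentials()). Both classes are shown in one file for brevity; in a project each would be its own public class.

```java
// Added example (not from the Flamingo distribution): Seam 2.0-style authenticator plus a
// component protected with @Restrict. Account data below is constructed for the example.
package example.security;

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.security.Identity;

@Name("authenticator")
public class Authenticator {

    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Stored form of an account: random salt, SHA-256(salt || password), granted roles. */
    static final class Account {
        final byte[] salt;
        final byte[] hash;
        final String[] roles;
        Account(byte[] salt, byte[] hash, String... roles) {
            this.salt = salt; this.hash = hash; this.roles = roles;
        }
    }

    // Constructed demo store, filled at class load from sample passwords so the example is
    // self-contained. A real deployment stores only salt and hash (database, LDAP, ...).
    private static final Map<String, Account> USERS = new HashMap<String, Account>();
    static {
        USERS.put("alice", account("alice-salt-0001", "correct horse", "user", "admin"));
        USERS.put("bob",   account("bob-salt-0002",   "battery staple", "user"));
    }

    @In Identity identity;

    // Referenced from components.xml:
    //   <security:identity authenticate-method="#{authenticator.authenticate}"/>
    // identity.login() calls this and treats a false return as a failed login.
    public boolean authenticate() {
        Account acct = USERS.get(identity.getUsername());   // Seam 2.0 API
        if (acct == null) {
            return false;
        }
        byte[] presented = sha256(acct.salt, identity.getPassword());
        if (!MessageDigest.isEqual(acct.hash, presented)) {  // length-independent compare
            return false;
        }
        for (String role : acct.roles) {
            identity.addRole(role);   // backs identity.hasRole() and @Restrict on later calls
        }
        return true;
    }

    private static Account account(String salt, String password, String... roles) {
        byte[] s = salt.getBytes(UTF8);
        return new Account(s, sha256(s, password), roles);
    }

    private static byte[] sha256(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password == null ? new byte[0] : password.getBytes(UTF8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** Component exposed as a Flamingo destination. The role check runs on the server for
 *  every call, whatever the Flex client checked beforehand with identity.hasRole(). */
@Name("accountService")
class AccountService {

    @Restrict("#{s:hasRole('admin')}")
    public void deleteAccount(String accountId) {
        // business logic; a caller without the "admin" role never reaches this line
    }

    public String describeAccount(String accountId) {
        return "account " + accountId;   // any logged-in user may call this
    }
}
```

With the roles added in authenticate(), a Flex call to identity.hasRole('admin') returns true for "alice" and false for "bob", and a call to accountService.deleteAccount() by "bob" is rejected on the server with a Seam AuthorizationException regardless of what the client displayed.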

8.2.1.2. Advanced

Checking a Seam permission involves executing the rule engine, so it must be done on the server. Typically you check permissions as shown below:

<mx:Script>
    <![CDATA[
    import mx.controls.Alert;
    import mx.rpc.events.ResultEvent;

    // Receives the boolean returned by identity.hasPermission() on the server.
    private function permissionResultHandler(event:ResultEvent):void
    {
        if ( event.result ) {
            Alert.show("You have permission");
        } else {
            Alert.show("You do not have permission");
        }
    }
    ]]>
</mx:Script>
<mx:RemoteObject id="identityService" destination="identity">
    <mx:method name="hasPermission" result="permissionResultHandler(event)" />
</mx:RemoteObject>
<mx:Button label="Check permission" click="identityService.hasPermission('account', 'delete', null)"/>

8.2.2. Spring Authorization

There are several ways to configure authorization in an application using Spring Security 2.0. All of them are set in the configuration file through the <global-method-security> element and fall into two groups:

  • Annotation-based

  • Using AOP

For annotation-based configuration you can use either the native @Secured annotation or the JSR-250 security annotations (Java 5 or higher).

For AOP you declare security pointcuts with the <protect-pointcut> sub-element of <global-method-security>.

See samples in "spring-flex-authorization" in the "examples" folder.
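As an added example (not taken from the "spring-flex-authorization" sample), a Spring service exposed as a Flamingo destination and protected with both annotation styles; the class, account ids, owners and role names are assumptions. Method security is switched on in spring-security.xml with <global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>, and the deleteAccount rule could equally be written as a pointcut inside that element: <protect-pointcut expression="execution(* example.security.AccountService.delete*(..))" access="ROLE_ADMIN"/>.

```java
// Added example (not Flamingo sample code): a Spring service protected with method-level
// security. Requires in spring-security.xml:
//   <global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
// Account ids, owners and role names are constructed for the example.
package example.security;

import java.util.HashMap;
import java.util.Map;

import javax.annotation.security.RolesAllowed;

import org.springframework.security.AccessDeniedException;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.annotation.Secured;
import org.springframework.security.context.SecurityContextHolder;

public class AccountService {

    // Constructed demo data: account id -> owning user name.
    private final Map<String, String> owners = new HashMap<String, String>();

    public AccountService() {
        owners.put("acc-1", "rod");
        owners.put("acc-2", "dianne");
    }

    /** Native Spring Security annotation: the caller must hold ROLE_USER. */
    @Secured("ROLE_USER")
    public String describeAccount(String accountId) {
        String owner = owners.get(accountId);
        if (owner == null) {
            throw new IllegalArgumentException("unknown account");
        }
        // A role says what kind of user is calling, not which objects they own. That
        // per-object rule is enforced here, on the server, after the role interceptor.
        Authentication caller = SecurityContextHolder.getContext().getAuthentication();
        if (!owner.equals(caller.getName()) && !hasRole(caller, "ROLE_ADMIN")) {
            throw new AccessDeniedException("caller does not own " + accountId);
        }
        return accountId + " owned by " + owner;
    }

    /** JSR-250 annotation, equivalent to @Secured("ROLE_ADMIN"). */
    @RolesAllowed("ROLE_ADMIN")
    public void deleteAccount(String accountId) {
        owners.remove(accountId);
    }

    // Spring Security 2.0 returns the granted authorities as an array.
    private static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

Called through a Flamingo destination as user "rod" (ROLE_USER only, see the Basic authentication sample), describeAccount("acc-1") succeeds, describeAccount("acc-2") is refused inside the method, and deleteAccount() is refused by the interceptor before the method body runs. Both refusals reach the Flex client as a fault, so the client code needs a fault handler alongside its result handler.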