我正在使用Spring,Spring Security,BlazeDS,Flex和spring-flex。
我知道我可以调用channelSet.login()和channelSet.logout()挂钩到Spring Security进行身份验证。 channelSet.authenticated显然只知道当前的Flex会话,因为它始终以 false 开头,直到您致电channelSet.login()。
我想做什么:
更新
我只是想在下面的brd6644的答案中添加我使用的解决方案的详细信息,这样对于那些查看此内容的人来说这可能会更容易。我使用this StackOverflow回答来使SecurityContext注入。我不会在这个代码中重写该答案的代码,所以请查看SecurityContextFacade。
securityServiceImpl.java
public class SecurityServiceImpl implements SecurityService {
private SecurityContextFacade securityContextFacade;
@Secured({"ROLE_PEON"})
public Map<String, Object> getUserDetails() {
Map<String,Object> userSessionDetails = new HashMap<String, Object>();
SecurityContext context = securityContextFacade.getContext();
Authentication auth = context.getAuthentication();
UserDetails userDetails = (UserDetails) auth.getPrincipal();
ArrayList roles = new ArrayList();
GrantedAuthority[] grantedRoles = userDetails.getAuthorities();
for (int i = 0; i < grantedRoles.length; i++) {
roles.add(grantedRoles[i].getAuthority());
}
userSessionDetails.put("username", userDetails.getUsername());
userSessionDetails.put("roles", roles);
return userSessionDetails;
}
}
securityContext.xml
<security:http auto-config="true">
<!-- Don't authenticate Flex app -->
<security:intercept-url pattern="/flexAppDir/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- Don't authenticate remote calls -->
<security:intercept-url pattern="/messagebroker/amfsecure" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</security:http>
<security:global-method-security secured-annotations="enabled" />
<bean id="securityService" class="ext.domain.project.service.SecurityServiceImpl">
<property name="securityContextFacade" ref="securityContextFacade" />
</bean>
<bean id="securityContextFacade" class="ext.domain.spring.security.SecurityContextHolderFacade" />
flexContext.xml
<flex:message-broker>
<flex:secured />
</flex:message-broker>
<flex:remoting-destination ref="securityService" />
<security:http auto-config="true" session-fixation-protection="none"/>
FlexSecurityTest.mxml
<mx:Application ... creationComplete="init()">
<mx:Script><![CDATA[
[Bindable]
private var userDetails:UserDetails; // custom VO to hold user details
private function init():void {
security.getUserDetails();
}
private function showFault(e:FaultEvent):void {
if (e.fault.faultCode == "Client.Authorization") {
Alert.show("You need to log in.");
// show the login form
} else {
// submit a ticket
}
}
private function showResult(e:ResultEvent):void {
userDetails = new UserDetails();
userDetails.username = e.result.username;
userDetails.roles = e.result.roles;
// show user the application
}
]]></mx:Script>
<mx:RemoteObject id="security" destination="securityService">
<mx:method name="getUserDetails" fault="showFault(event)" result="showResult(event)" />
</mx:RemoteObject>
...
</mx:Application>
答案 0 :(得分:3)
如果使用Spring Blazeds integration,则可以使用org.springframework.flex.security.AuthenticationResultUtils实现getUserDetails方法。
public Map<String, Object> getUserDetails() {
return AuthenticationResultUtils.getAuthenticationResult();
}
答案 1 :(得分:2)
我会写一个安全的Spring服务方法,它返回当前用户的角色信息。让Flex应用程序在应用程序启动时调用它。如果由于安全性错误而收到FaultEvent,则提示用户进行身份验证并使用ChannelSet.login()。
答案 2 :(得分:0)
看到这个博客,我在Spring之前有一个flex模块,这很好地解决了这个问题。希望它能为您提供一些可能有帮助的宝石。