7

我正在使用 Spring、Spring Security、BlazeDS、Flex 和 spring-flex。

我知道我可以调用channelSet.login()channelSet.logout()连接到 Spring Security 进行身份验证。channelSet.authenticated显然只知道当前的 Flex 会话,因为它总是以false开始,直到您调用channelSet.login().

我想做的事:

  1. 从 Flex 检查以了解用户是否已在会话中。
  2. 如果是这样,我想要他们的用户名和角色。

更新
我只是想我会从下面的brd6644的答案中添加我使用的解决方案的详细信息,这样对于查找此内容的其他人来说可能会更容易。我使用这个StackOverflow 答案来制作SecurityContext可注射的。我不会在这个答案中重写代码,所以去看看它的SecurityContextFacade.

securityServiceImpl.java

public class SecurityServiceImpl implements SecurityService {
    private SecurityContextFacade securityContextFacade;

    @Secured({"ROLE_PEON"})
    public Map<String, Object> getUserDetails() {
        Map<String,Object> userSessionDetails = new HashMap<String, Object>();

        SecurityContext context = securityContextFacade.getContext();
        Authentication auth = context.getAuthentication();
        UserDetails userDetails = (UserDetails) auth.getPrincipal();

        ArrayList roles = new ArrayList();
        GrantedAuthority[] grantedRoles = userDetails.getAuthorities();
        for (int i = 0; i < grantedRoles.length; i++) {
            roles.add(grantedRoles[i].getAuthority());
        }

        userSessionDetails.put("username", userDetails.getUsername());
        userSessionDetails.put("roles", roles);
        return userSessionDetails;
    }
}


安全上下文.xml

<security:http auto-config="true">
    <!-- Don't authenticate Flex app -->
    <security:intercept-url pattern="/flexAppDir/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <!-- Don't authenticate remote calls -->
    <security:intercept-url pattern="/messagebroker/amfsecure" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</security:http>

<security:global-method-security secured-annotations="enabled" />

<bean id="securityService" class="ext.domain.project.service.SecurityServiceImpl">
    <property name="securityContextFacade" ref="securityContextFacade" />
</bean>
<bean id="securityContextFacade" class="ext.domain.spring.security.SecurityContextHolderFacade" />


flexContext.xml

<flex:message-broker>
    <flex:secured />
</flex:message-broker>

<flex:remoting-destination ref="securityService" />
<security:http auto-config="true" session-fixation-protection="none"/>


FlexSecurityTest.mxml

<mx:Application ... creationComplete="init()">

    <mx:Script><![CDATA[
        [Bindable]
        private var userDetails:UserDetails; // custom VO to hold user details

        private function init():void {
            security.getUserDetails();
        }

        private function showFault(e:FaultEvent):void {
            if (e.fault.faultCode == "Client.Authorization") {
                Alert.show("You need to log in.");
                // show the login form
            } else {
                // submit a ticket
            }
        }
        private function showResult(e:ResultEvent):void {
            userDetails = new UserDetails();
            userDetails.username = e.result.username;
            userDetails.roles = e.result.roles;
            // show user the application
        }
    ]]></mx:Script>

    <mx:RemoteObject id="security" destination="securityService">
        <mx:method name="getUserDetails" fault="showFault(event)" result="showResult(event)" />
    </mx:RemoteObject>

    ...
</mx:Application>
4

3 回答 3

3

如果你使用Spring Blazeds 集成,你可以使用 org.springframework.flex.security.AuthenticationResultUtils 实现 getUserDetails 方法。

public Map<String, Object> getUserDetails() {  
 return AuthenticationResultUtils.getAuthenticationResult();
}
于 2009-10-28T06:03:20.127 回答
2

我会编写一个安全的 Spring 服务方法来返回当前用户的角色信息。让 Flex 应用程序在应用程序启动时调用它。如果由于安全错误而收到 FaultEvent,则提示用户进行身份验证并使用 ChannelSet.login()。

于 2009-07-23T04:45:00.043 回答
0

看到这个博客,我在 Spring 有一个 flex 模块之前就遵循了这个,它很好地解决了这个问题。希望它会为您提供一些可能会有所帮助的宝石。

GridShore 博客

于 2009-07-24T14:23:12.680 回答