I am looking for ways to provide authentication and authorization for a BlazeDS endpoint running on Tomcat 8.0.26, BlazeDS 4.7.1, Java 1.8.

Everything is already configured to use a SecureAMFChannel with SSL. I am not using Spring Security. I have a database storing the salted hash of my users' passwords.

To clarify, when I say authentication and authorization I mean the following: authentication: I know who you are. authorization: I know who you are and what you are able to access. In my case, if you are authenticated, you can access the system; it's fairly simple.

Today I handle everything myself. The user logs in from the main Flex page, I check the credentials, and if they match I return success to the client and load the main application. Once logged into the application, every time a call is made to the server I check the database to see if the supplied hash matches and proceed.

I know mx.messaging.ChannelSet has login and logout methods that tie to the login commands defined in services-config.xml. I have struggled to make sense of that approach; most of the examples online are either dead links or pretty dated at this point. Does anyone use this approach in production?

Another approach I have been thinking of taking is moving the login page to HTML, and then using a custom filter to do authentication in front of the MessageBrokerServlet defined in web.xml. So if someone tries to access the BlazeDS endpoint and they are not authenticated, access will be denied.

Does anyone know of a more secure way to do it or have a link to a good example?

Thanks, Justin
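The filter-in-front-of-the-endpoint approach described in the question, as an added example (not code from the question or from BlazeDS): a servlet filter mapped to the MessageBrokerServlet's URL pattern that only passes requests whose HttpSession carries a user set by the HTML login handler. The attribute name `authUser`, the `/messagebroker/*` mapping and the `markAuthenticated` helper are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: gate the BlazeDS endpoint behind a session check.
// Assumes MessageBrokerServlet is mapped to /messagebroker/* in web.xml and
// that the HTML login page calls markAuthenticated() after verifying the
// salted hash in the database (both are assumptions, not BlazeDS defaults).
@WebFilter(urlPatterns = "/messagebroker/*")
public class AmfAuthFilter implements Filter {
    static final String USER_ATTR = "authUser"; // assumed attribute name

    // Call from the login handler once the salted-hash check succeeds.
    // changeSessionId() (Servlet 3.1, available on Tomcat 8) rotates the
    // session id so an id handed out before login cannot be replayed
    // afterwards (session fixation).
    public static void markAuthenticated(HttpServletRequest request, String user) {
        request.getSession(true);
        request.changeSessionId();
        request.getSession().setAttribute(USER_ATTR, user);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so unauthenticated
        // callers cannot fill memory with empty sessions.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            // Answer with a status code rather than a redirect: the caller is
            // the Flex client's AMF channel, which cannot follow a login page.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "not authenticated");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Because the per-request database hash check is replaced by a server-side session, the client no longer needs to hold or resend the credential hash on every call.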