Hi Justin,

well, authentication, channels, channelsets and BlazeDS is sort of a tricky topic ;-)

I am currently using the ChannelSet login to log in to my applications from the Flex client, and am using a custom login filter to link that to Spring Security. I am only using Spring Security to handle and store the login in the current user's session and am using custom aspects to actually do the protection.

I wrote down everything here:
https://dev.c-ware.de/confluence/display/PUBLIC/BlazeDS+per-client-authentication+and+Spring-Security

Please give it a try. If you need any assistance, I'll be happy to be of assistance.

Chris

________________________________________
From: Justin Magnan <justin.mag...@magnantech.com>
Sent: Monday, 28 September 2015 02:27
To: users@flex.apache.org
Subject: Securing BlazeDS endpoint

I am looking for ways to provide authentication and authorization for a BlazeDS endpoint running on Tomcat 8.0.26, BlazeDS 4.7.1, JAVA 1.8

Everything is already configured to use a SecureAMFChannel with SSL. I am not using Spring Security. I have a database storing the salted hash of my users' passwords.

To clarify, when I say authentication and authorization I mean the following:

authentication: I know who you are.
authorization: I know who you are and what you are able to access.

In my case, if you are authenticated, you can access the system; it's fairly simple.

Today I handle everything myself. User logs in from the main Flex page, I check the credentials and if they match I return success to the client and load the main application. Once logged into the application, every time a call is made to the server I check the database to see if the supplied hash matches and proceed.

I know mx.messaging.ChannelSet has login and logout methods that tie to the login commands defined in services-config.xml. I have struggled to make sense of that approach; most of the examples online are either dead links or pretty dated at this point. Does anyone use this approach in production?

Another approach I have been thinking of taking is moving the login page to HTML, and then using a custom filter to do authentication in front of the MessageBrokerServlet defined in web.xml. So if someone tries to access the BlazeDS endpoint and they are not authenticated, access will be denied.

Does anyone know of a more secure way to do it or have a link to a good example?

Thanks,
Justin