Chris, Thanks for the link. I will check it out.
Justin

On Mon, Sep 28, 2015 at 5:33 AM, Christofer Dutz <christofer.d...@c-ware.de> wrote:
> Hi Justin,
>
> well authentication, channels, channelsets and blazeds is sort of a tricky
> topic ;-)
> I am currently using the ChannelSet login to login to my applications from
> the flex client, am using a custom login filter to link that to
> SpringSecurity. I am only using spring security to handle and store the
> login in the current users session and am using custom Aspects to actually
> do the protection.
> I wrote down everything here:
>
> https://dev.c-ware.de/confluence/display/PUBLIC/BlazeDS+per-client-authentication+and+Spring-Security
>
> Please give it a try. If you need any assistance, I'll be happy to be of
> assistance.
>
> Chris
>
> ________________________________________
> From: Justin Magnan <justin.mag...@magnantech.com>
> Sent: Monday, 28 September 2015 02:27
> To: users@flex.apache.org
> Subject: Securing BlazeDS endpoint
>
> I am looking for ways to provide authentication and authorization for a
> BlazeDS endpoint running on Tomcat 8.0.26, BlazeDS 4.7.1, JAVA 1.8
>
> Everything is already configured to use a SecureAMFChannel with SSL. I am
> not using Spring Security.
>
> I have a database storing the salted hash of my users' passwords.
>
> To clarify, when I say authentication and authorization I mean the
> following:
>
> authentication: I know who you are.
> authorization: I know who you are and what you are able to access.
>
> In my case, if you are authenticated, you can access the system; it's fairly
> simple.
>
> Today I handle everything myself. User logs in from the main Flex page, I
> check the credentials and if they match I return success to the client and
> load the main application.
>
> Once logged into the application, every time a call is made to the server I
> check the database to see if the supplied hash matches and proceed.
>
> I know mx.messaging.ChannelSet has login and logout methods that tie to the
> login commands defined in services-config.xml. I have struggled to make
> sense of that approach; most of the examples online are either dead links or
> pretty dated at this point. Does anyone use this approach in production?
>
> Another approach I have been thinking of taking is moving the login page to
> HTML, and then using a custom filter to do authentication in front of the
> MessageBrokerServlet defined in web.xml, so if someone tries to access the
> BlazeDS endpoint and they are not authenticated, access will be denied.
>
> Does anyone know of a more secure way to do it or have a link to a good
> example?
>
> Thanks,
> Justin
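As an added example (not code from Justin, Chris or the BlazeDS project), here is the "custom filter in front of the MessageBrokerServlet" approach Justin describes, written against the Servlet 3.1 API that ships with the Tomcat 8 mentioned in the thread. The class names, the `authenticatedUser` session attribute, the `/messagebroker/*` URL pattern and the `verify` hook are assumptions; the login servlet marks the server-side session only after the application's own salted-hash check succeeds, and the filter then admits or rejects every AMF request on that session flag, so no credential or hash has to travel with each call.

```java
// Added example, not from the thread or from BlazeDS. Guards the BlazeDS
// endpoint with a servlet filter and a login servlet that shares one session
// attribute with it. Package, class names and the verify() hook are assumptions.
package example.auth;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Denies any request to the guarded URL pattern (assumed /messagebroker/*,
 * the same mapping as the MessageBrokerServlet) unless the caller already
 * holds a session that the login servlet marked as authenticated.
 */
public class AuthGuardFilter implements Filter {

    /** Session attribute the login servlet sets once credentials check out. */
    static final String USER_ATTR = "authenticatedUser";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for an anonymous caller,
        // otherwise each unauthenticated probe would cost a server-side session.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            // Reject before the request reaches the MessageBrokerServlet.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}

/**
 * Login endpoint for the HTML login page. The salted-hash comparison against
 * the user database is the application's own code, exposed here as the
 * abstract verify() hook (assumed name).
 */
abstract class LoginServlet extends HttpServlet {

    /** Return true only if password matches the stored salted hash for user. */
    protected abstract boolean verify(String user, char[] password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null || !verify(user, password.toCharArray())) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Create the session, then rotate its id on this privilege change so a
        // session id handed out before login is not the one that becomes trusted.
        HttpSession session = req.getSession(true);
        req.changeSessionId();
        session.setAttribute(AuthGuardFilter.USER_ATTR, user);
        res.setStatus(HttpServletResponse.SC_OK);
    }

    /** Logout: drop the whole session, which also clears the flag the filter checks. */
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse res) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        res.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

To wire this up, register `AuthGuardFilter` in web.xml with a `<filter-mapping>` whose `<url-pattern>` is the same one the `MessageBrokerServlet` is mapped to, and map a concrete subclass of `LoginServlet` at the path the HTML login page posts to. Because the only state the filter consults is the session attribute, logging out is simply invalidating the session, and nothing the Flex client holds after login can be replayed against the endpoint once that session is gone.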