0 votes

Our application is configured with BlazeDS and Spring Security and uses remoting-object tags to invoke methods. I have a feeling that the configuration is not proper. Is there any reference where I can understand the integration of all these three technologies?

The problem I am actually facing is that after login the session ID as seen in the browser tool (Chrome's Inspect Element) doesn't change, whereas Spring Security says the session ID changes once the user is authenticated.

<flex:message-broker>
    <flex:remoting-service default-channels="my-cfamf-secure" />
    <flex:secured>
        <flex:secured-channel channel="my-cfamf-secure"
            access="ROLE_USER,ROLE_ADMIN,ROLE_SALES" />
        <flex:secured-endpoint-path pattern="**/messagebroker/**" access="ROLE_USER" />
    </flex:secured>
</flex:message-broker>

<security:http auto-config="true">
    <!-- filters="none" removes the matching request from the security filter chain entirely -->
    <security:intercept-url pattern="/index.jsp"
        filters="none" access="ROLE_USER" />
    <security:intercept-url pattern="/**/*.swf"
        filters="none" />
    <security:intercept-url pattern="/**/*.jsp"
        filters="none" access="ROLE_USER" />
    <security:intercept-url pattern="/**" filters="none" />
    <security:logout invalidate-session="true"
        logout-success-url="/index.jsp" />
    <security:session-management session-fixation-protection="newSession">
    </security:session-management>
</security:http>


<security:authentication-manager alias="_authenticationManager">
    <security:authentication-provider
        user-service-ref="userDetailsService">
        <security:password-encoder hash="md5" />
    </security:authentication-provider>
</security:authentication-manager>

<channel-definition id="my-cfamf-secure"
    class="mx.messaging.channels.SecureAMFChannel">
    <endpoint
        url="https://{server.name}:{server.port}/{context.root}/messagebroker/amf/cfamfsecure"
        class="flex.messaging.endpoints.SecureAMFEndpoint" />
    <properties>
        <polling-enabled>false</polling-enabled>
        <serialization>
            <instantiate-types>true</instantiate-types>
        </serialization>
        <add-no-cache-headers>false</add-no-cache-headers>
        <invalidate-session-on-disconnect>true</invalidate-session-on-disconnect>
    </properties>
</channel-definition>

These are my configurations.

1
Can you include your spring-security configuration in your question? In a basic setup that uses the security namespace for configuration, a SessionFixationProtectionStrategy is created that makes sure to create a new session upon successful authentication. Your question suggests there is something wrong with your config. - zagyi
Added the configurations used. Please check once - Kiran

1 Answer

0 votes

It seems you're using a very old version of Spring Security (version 2.x); consider upgrading to 3.x. It should be pretty easy with this kind of basic configuration, and it won't be easy to get support if you continue using the old one.

One tip though: your config inside <security:http> assigns filters="none" to all possible URLs, so I guess it actually won't do anything for any request; that's why your session management settings are ignored.
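The following is an added example, not part of the question or the answer above: the same <security:http> block rewritten so that requests actually pass through the Spring Security filter chain, which is the only place the session-management element can take effect. It assumes the Spring Security 3.0 namespace (the answer suggests upgrading to 3.x), the URL layout from the question (MessageBroker under /messagebroker/, index.jsp hosting the Flex application, SWF files served as static resources), and that authorization of the AMF endpoint itself stays with the <flex:secured> block shown in the question.

```xml
<!-- Added example (not the poster's configuration). Assumes Spring Security 3.0
     namespace and the URL layout from the question. -->
<security:http auto-config="true">
    <!-- Static Flash content is the only thing that may bypass the chain;
         nothing in it depends on the session. -->
    <security:intercept-url pattern="/**/*.swf" filters="none" />

    <!-- Everything below goes THROUGH the chain, so SecurityContextPersistenceFilter
         and SessionManagementFilter see the request. Patterns are matched in order,
         so the more specific entries come first. -->

    <!-- The page that hosts the Flex app must be reachable before login. -->
    <security:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <!-- The Flex ChannelSet.login() call itself arrives on this path as an
         unauthenticated AMF request, so it must not be blocked here; the
         <flex:secured-endpoint-path> in the question enforces ROLE_USER once
         BlazeDS has performed the login. -->
    <security:intercept-url pattern="/messagebroker/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <security:intercept-url pattern="/**/*.jsp" access="ROLE_USER" />
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <security:logout invalidate-session="true" logout-success-url="/index.jsp" />

    <!-- Now reachable: the filter chain handles every non-SWF request,
         so the newSession strategy can be applied on authentication. -->
    <security:session-management session-fixation-protection="newSession" />
</security:http>
```

To check the result, note the value of the JSESSIONID cookie in Chrome's developer tools before calling ChannelSet.login(), then look at it again after the login succeeds; with the chain in place and newSession configured, the two values should differ. One caveat worth keeping in mind: a Flex login is performed by Spring BlazeDS Integration's login command rather than by Spring Security's form-login filter, so if the ID still does not change, check how the version of Spring BlazeDS Integration in use handles the session on login before blaming the <security:http> block again.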