First off, I'm new to Flex (and new to using BlazeDS). I come from a Java background and have been messing around with BlazeDS-SpringIntegration with some limited success. What I find interesting is that all Spring seems to do is add an extra layer of complication in dealing with security and handling roles etc. Sure, I'm sure some of you love it, but man, the documentation is sparse and the example in the testdrive app doesn't even really cover security much at all (in fact it's currently not even working; you have to modify the code).
My question is this...
Do any of you simply handle your security by simply checking the session when communication is made to your server side components? It just seems so simple (like a standard webapp) that I must be missing something? If using BlazeDS, you can either grab the Session from your business component, or simply have a filter get hit before the blaze one and check there. If the session is valid store user credentials in the session. If not, return an error and have the UI present a login screen. After successful login return back any roles and store them on the client side (along with storing what you need server side as well).
If you need to scale, you could do things different ways (check a token vs a db lookup etc.), but let's ignore that for now. If you need to control access to URLs you can easily do that in your filter as well (make sure access to /secure/** has a proper role etc.)
Is the above a typical approach to take when developing Flex applications? Thanks for your thoughts on this.
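
A sketch of the filter-based session check described in the post above, as an added example that is not part of the original post. It uses the standard `javax.servlet` API; the class name, the session attribute names and the role name are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Map ahead of the BlazeDS MessageBrokerServlet and /secure/*; leave the login URL unmapped. */
public class SessionAuthFilter implements Filter {
    // Assumed attribute names, set by the login handler after it has verified credentials.
    static final String USER_ATTR = "authUser";
    static final String ROLES_ATTR = "authRoles";
    static final String SECURE_PREFIX = "/secure/";   // the /secure/** area from the post
    static final String SECURE_ROLE = "ROLE_SECURE";  // assumed role name

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getSession(false): never create a session for an unauthenticated caller.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            // No valid session: the client reacts by presenting the login screen.
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Container-decoded path relative to the web app, not the raw request URI.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        if (path.startsWith(SECURE_PREFIX) && !hasRole(session, SECURE_ROLE)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Roles are read from the server-side session only; the copy returned to the
    // Flex client is for showing or hiding UI and is never trusted here.
    private static boolean hasRole(HttpSession session, String role) {
        Object roles = session.getAttribute(ROLES_ATTR);
        return roles instanceof Set && ((Set<?>) roles).contains(role);
    }
}
```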