1 Reply Latest reply on Sep 16, 2009 3:31 AM by jake_flex

    BlazeDS/Security/Spring/NonBlazeDS/NonSpring/Confusion Oh My

    rickcr Level 1

      I'm new to Flex (coming over from the pure JEE world.) One of the first things that is needed for any application is security authentication/authorization. I've been extremely disappointed, though, in the lack of good examples with best practices on how to handle this, or if there is a book that covers it well let me know and I'll purchase it.

      I'm working with BlazeDS at the moment (but not opposed to scrapping it.)

I have managed to finally get a security setup using blazeds-spring integration working, but their forum is a ghost town so it makes me think that there aren't many people using it. The docs are also extremely vague. Had it not been for some stuff that I was able to pull from these two tutorials by the same author http://www.adobe.com/devnet/flex/articles/flex_security.html#ach-setscr and http://www.gridshore.nl/2009/05/24/integrate-flex-security-in-mate-using-the-spring-blazeds-integration-project/ I would have been completely lost. Even though it's 'mostly' working, so much is unknown to me, and because the reference doc http://static.springsource.org/spring-flex/docs/1.0.x/reference/html/index.html is so short it doesn't cover a lot of what is going on.

I'm not even 100% certain I want to use Spring though (it seems to actually black-box too much and in some ways overcomplicate things with a lot of configuration), yet I want my application to be portable across containers. Where are the examples on the best way to set things up? The blazeds reference doc chapter seems to gloss over a lot, and only confuses me a bit more. I'd like to see some real examples.

      As an example of some things that I'd like to see:

      1) When not using Spring security, where is a concrete implementation of handling authentication and authorization (with/without blazeDS - I just want a good best practice example of how things are handled)?

      2) How are people dealing with session time outs? (user clicking around in application and then they happen to make a server call but their session is gone. Do you simply poll every few minutes to keep the session alive?)

3) Are people putting a filter up before the blazeDS filter to check the user's session is valid? If the session isn't valid and you've set up a filter, what happens on the flex side of things if the filter finds an invalid session? It can only redirect or forward, so how does it trigger the client flex app that it needs to invalidate its internal storage of an authenticated user and hence needs to redisplay the login page? I know how to set things up in a traditional java web app, but I'm a bit stumped here... I only have one main "FooBar.swf" file, so when the session filter realizes the user's session timed out where do I "go" - can I somehow just redirect to the same main page "FooBar.swf" and somehow Flex can be aware that "Hey ok some event happened so I need to invalidate my flex user and present the login page (login component)"?


      Thanks for any suggestions/help on what to look at for best practices.

• 1. Re: BlazeDS/Security/Spring/NonBlazeDS/NonSpring/Confusion Oh My
          jake_flex Level 2

          Hi,

Did you get any ideas on this one? As a newcomer to Flex/BlazeDS I'd like to hear those.

          I'll add my thoughts to the discussion you started.

          2) How are people dealing with session time outs? (user clicking around in application and then they happen to make a server call but their session is gone. Do you simply poll every few minutes to keep the session alive?)

I check the session in a filter for each request. If there's no valid session, the filter sends a response message to the flex app, which shows it as an Alert message. I'm not (yet) using blaze, but I don't see why it wouldn't work.

If you want, you can configure the session timeout in the web.xml of your web app, so no need to poll. It would be nice to get an asynchronous event from the server side when the session times out. This requires using the pub/sub method of blaze or java messaging on a servlet.

The web.xml of the blazeDS samples has the following lines:

          <!-- Http Flex Session attribute and binding listener support -->
          <listener>
              <listener-class>flex.messaging.HttpFlexSession</listener-class>
          </listener>

          To me this indicates that you can define a listener for the session somehow. It would be nice to know more about this.

3) Are people putting a filter up before the blazeDS filter to check the user's session is valid? If the session isn't valid and you've set up a filter, what happens on the flex side of things if the filter finds an invalid session? It can only redirect or forward, so how does it trigger the client flex app that it needs to invalidate its internal storage of an authenticated user and hence needs to redisplay the login page? I know how to set things up in a traditional java web app, but I'm a bit stumped here... I only have one main "FooBar.swf" file, so when the session filter realizes the user's session timed out where do I "go" - can I somehow just redirect to the same main page "FooBar.swf" and somehow Flex can be aware that "Hey ok some event happened so I need to invalidate my flex user and present the login page (login component)"?

          Why not just have different swfs? When the session is not valid, redirect to login.html (a wrapper for login component).

If I have understood correctly, Flex uses the HTTP GET method to communicate with the browser. So it might be possible to send parameters to the app after the filter. Also, using JavaScript and ExternalInterface might be helpful here.
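As an added example, not code from either poster: a servlet filter of the kind jake_flex describes, mapped in front of the BlazeDS endpoint, that answers an expired session with a recognisable response instead of a redirect, which the SWF could not follow anyway. The filter class, the "authUser" session attribute and the /messagebroker/* URL pattern are assumptions; the real expiry still comes from session-timeout in web.xml, the client-side "logged in" flag is only a cache of that.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed: the login code stores the authenticated principal under this attribute.
public class SessionCheckFilter implements Filter {
    static final String USER_ATTR = "authUser";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so a timed-out session shows
        // up as null instead of silently becoming a fresh anonymous one.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute(USER_ATTR) != null;

        if (!authenticated) {
            // No sendRedirect/forward: the caller is a service call from the SWF, not
            // a page navigation. Answer 401 with a small marker body; the Flex fault
            // handler drops its cached user and shows the login component.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().write("{\"error\":\"session_expired\"}");
            return;
        }
        chain.doFilter(req, res);
    }
}

/* web.xml (assumed paths): declare this filter-mapping before any other on the
   same pattern so it runs ahead of the MessageBrokerServlet; the timeout is the
   server-side source of truth, so do not poll from the client to keep it alive.
   <filter-mapping><filter-name>sessionCheck</filter-name>
                   <url-pattern>/messagebroker/*</url-pattern></filter-mapping>
   <session-config><session-timeout>30</session-timeout></session-config>
*/
```

Flash Player does not reliably expose the status code or body of a non-2xx response to the SWF, so the Flex fault handler should treat any fault from this endpoint as "re-authentication required" rather than depend on parsing the JSON marker.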