
BlazeDS Custom Authentication

30 Apr

Here are the steps to roll your own BlazeDS Custom Authentication:

You'll need to write a Java class that implements the following interfaces:

flex.messaging.security.LoginCommand;
flex.messaging.security.LoginCommandExt;

For example:

package com.dl.login;

import java.security.Principal;
import java.util.List;

import javax.servlet.ServletConfig;

import flex.messaging.security.LoginCommand;
import flex.messaging.security.LoginCommandExt;

public class LoginProxy implements LoginCommand, LoginCommandExt
{
    public Principal doAuthentication(String username, Object attributes)
    {
        // BlazeDS hands the password over as the attributes Object
        String password = (String) attributes;
        // At this point you'd typically check against a datastore / LDAP / etc

        // Constant-first equals() avoids a NullPointerException when no credentials are sent
        if ("riafan".equals(username) && "mysecret".equals(password))
        {
            UserVO vo = new UserVO(username);
            return vo;
        }
        return null;
    }

    public boolean doAuthorization(Principal user, List roles)
    {
        UserVO u = (UserVO) user;

        if (u == null)
            return false;

        // Access is granted if the user holds any one of the roles named by the security constraint
        for (int i = 0; i < roles.size(); i++)
        {
            String role = (String) roles.get(i);
            if (u.hasRole(role))
                return true;
        }
        return false;
    }

    public boolean logout(Principal arg0) {
        // TODO Auto-generated method stub
        return false;
    }

    public void start(ServletConfig arg0) {
        // TODO Auto-generated method stub
    }

    public void stop() {
        // TODO Auto-generated method stub
    }

    public String getPrincipalNameFromCredentials(String arg0, Object arg1) {
        // TODO Auto-generated method stub
        return null;
    }
}

In this example UserVO must implement java.security.Principal:

package com.dl.login;

import java.security.Principal;

public class UserVO implements Principal
{
    // Start empty so hasRole() is safe before the real roles have been loaded
    public String[] groups = new String[0];
    public String username;

    public UserVO(String username)
    {
        this.username = username;
        // Make sure we apply the array groups (roles) this user belongs to at some point :)
    }

    public String getName()
    {
        return this.username;
    }

    public boolean hasRole(String role)
    {
        if (groups == null)
            return false;
        for (int i = 0; i < groups.length; i++)
        {
            if (groups[i].equals(role))
                return true;
        }
        return false;
    }
}
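
The post's doAuthentication compares a plaintext password with equals() and never fills in UserVO.groups, so doAuthorization can only ever return false. The following is an added example, not part of the original post: a hypothetical HardenedLoginProxy that reuses the post's LoginProxy and UserVO, checks a salted PBKDF2 hash in constant time, and populates the roles. The salt, hash and role list are constructed in-memory stand-ins for a datastore lookup.

```java
package com.dl.login;

import java.security.MessageDigest;
import java.security.Principal;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical hardened variant: inherits the post's LoginProxy and replaces only doAuthentication.
public class HardenedLoginProxy extends LoginProxy
{
    // Constructed record for a single user; a real deployment loads salt, hash and roles per user.
    private static final byte[] SALT = "constructed-salt-value".getBytes();
    private static final byte[] STORED_HASH = pbkdf2("mysecret", SALT);
    private static final String[] ROLES = { "employees", "accountants" };

    // Derive a 256-bit PBKDF2 key so the datastore never has to hold the plaintext password.
    private static byte[] pbkdf2(String password, byte[] salt)
    {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 10000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } catch (Exception e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    @Override
    public Principal doAuthentication(String username, Object credentials)
    {
        // BlazeDS passes the password as the credentials Object; reject anything else outright.
        if (!(credentials instanceof String) || !"riafan".equals(username))
            return null;
        byte[] candidate = pbkdf2((String) credentials, SALT);
        // MessageDigest.isEqual runs in constant time, so response timing does not leak a matching prefix.
        if (!MessageDigest.isEqual(candidate, STORED_HASH))
            return null;
        UserVO vo = new UserVO(username);
        vo.groups = ROLES; // populate roles here so doAuthorization can actually grant access
        return vo;
    }
}
```

To use it, the login-command class attribute in services-config.xml would point at com.dl.login.HardenedLoginProxy instead of LoginProxy.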

Okay, now we just need to point the services-config.xml to our class:
<security>

    <login-command class="com.dl.login.LoginProxy" server="all">
        <!-- a.k.a. true = per 'tab' authentication -->
        <!-- when set to true a browser refresh will also reset auth -->
        <per-client-authentication>false</per-client-authentication>
    </login-command>

    <security-constraint id="trusted">
        <auth-method>Basic</auth-method>
        <roles>
            <role>guests</role>
            <role>accountants</role>
            <role>employees</role>
            <role>managers</role>
        </roles>
    </security-constraint>

</security>

That’s it.

To actually secure a destination, reference the constraint from remoting-config.xml:

<destination id="AlertProxy">
    <properties>
        <source>com.dl.alerts.AlertDAO</source>
        <scope>application</scope>
    </properties>

    <security>
        <security-constraint ref="trusted"/>
    </security>

</destination>

Posted in Java
