
BlazeDS Custom Authentication

30 Apr

Here are the steps to roll your own BlazeDS Custom Authentication:

You’ll need to write a Java class that implements the following BlazeDS interfaces (the example below implements both; note that the listing also needs imports for java.security.Principal, java.util.List and javax.servlet.ServletConfig to compile):

flex.messaging.security.LoginCommand;
flex.messaging.security.LoginCommandExt;

For example:

package com.dl.login;

import java.security.Principal;
import java.util.List;

import javax.servlet.ServletConfig;

import flex.messaging.security.LoginCommand;
import flex.messaging.security.LoginCommandExt;

import com.dl.login.UserVO;

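/**
 * BlazeDS custom login command.
 *
 * doAuthentication checks the credentials a Flex client sends and returns the
 * Principal BlazeDS associates with that client; doAuthorization later checks
 * that Principal against the roles listed in a security-constraint.
 * The credential check in this example is a stand-in for a real user store.
 */
public class LoginProxy implements LoginCommand, LoginCommandExt
{
    /**
     * Authenticates a user.
     *
     * @param username   name sent by the client (may be null)
     * @param attributes credentials sent by the client; in this example the
     *                   plain password as a String. Any other type is rejected.
     * @return the authenticated Principal, or null when authentication fails
     */
    public Principal doAuthentication(String username, Object attributes)
    {
        // Both values are attacker-controlled: reject a missing name or an
        // unexpected credential type instead of throwing ClassCastException /
        // NullPointerException from inside the login path.
        if (username == null || !(attributes instanceof String))
            return null;
        String password = (String) attributes;

        // SECURITY: placeholder only. A real implementation looks the user up
        // in a datastore / LDAP and verifies the password against a salted
        // hash (bcrypt/scrypt/argon2); it never stores or compares plain-text
        // credentials. It must also populate UserVO.groups from that store:
        // the single-argument constructor leaves groups unset, so
        // doAuthorization cannot grant any role for the object built here.
        if (username.equals("riafan") && password.equals("mysecret"))
        {
            UserVO vo = new UserVO(username);
            return vo;
        }
        return null;
    }

    /**
     * Authorizes a Principal against the roles of a security-constraint.
     *
     * @param user  Principal previously returned by doAuthentication
     * @param roles role names from the constraint (raw List of String, as
     *              declared by the BlazeDS API)
     * @return true if the user holds at least one of the listed roles
     */
    public boolean doAuthorization(Principal user, List roles)
    {
        // Only principals created by this command carry role information; any
        // other Principal type, a null user or a null role list is denied
        // rather than cast blindly.
        if (!(user instanceof UserVO) || roles == null)
            return false;
        UserVO u = (UserVO) user;

        for (int i = 0; i < roles.size(); i++)
        {
            Object role = roles.get(i);
            if (role instanceof String && u.hasRole((String) role))
                return true;
        }
        return false;
    }

    /**
     * Logs the given Principal out. Nothing is held server-side for a user in
     * this example, so there is nothing to tear down.
     * NOTE(review): the return value reports whether logout succeeded; confirm
     * against the BlazeDS javadoc for your version what a false return means,
     * and release any server-side state you add here.
     */
    public boolean logout(Principal arg0) {
        return false;
    }

    /**
     * Lifecycle hook called by BlazeDS when the command is started; the
     * ServletConfig gives access to servlet init parameters. A real
     * implementation would set up its datastore / LDAP access here.
     */
    public void start(ServletConfig arg0) {
        // nothing to initialize in this example
    }

    /** Lifecycle hook called when the command is stopped; releases what start() set up. */
    public void stop() {
        // nothing to release in this example
    }

    /**
     * Returns the principal name that corresponds to a set of credentials.
     * This command names principals after the user name (UserVO.getName()
     * returns the name passed to doAuthentication), so the same value is
     * returned here.
     * NOTE(review): BlazeDS presumably uses this to recognise a repeat login
     * by the same user; confirm against the BlazeDS version in use.
     */
    public String getPrincipalNameFromCredentials(String arg0, Object arg1) {
        return arg0;
    }
}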

In this example UserVO must implement java.security.Principal, because it is the object doAuthentication returns as the authenticated Principal and that doAuthorization later casts back to UserVO:

package com.dl.login;

import java.security.Principal;

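/**
 * Principal returned by LoginProxy.doAuthentication.
 *
 * Carries the user name and the groups (roles) the user belongs to. The
 * single-argument constructor does not assign any groups; whoever creates the
 * object must set them (or use the two-argument constructor), otherwise
 * hasRole() is false for every role.
 */
public class UserVO implements Principal
{
    /** Group (role) names the user belongs to; null or empty means no roles. */
    public String [] groups;
    /** User name; also what getName() returns. */
    public String username;

    /**
     * Creates a principal with no groups assigned yet.
     *
     * @param username the user name
     */
    public UserVO(String username)
    {
        this(username, null);
    }

    /**
     * Creates a principal with the given groups.
     *
     * @param username the user name
     * @param groups   role names, may be null; the array is copied so later
     *                 changes by the caller do not alter this user's roles
     */
    public UserVO(String username, String[] groups)
    {
        this.username = username;
        this.groups = (groups == null) ? null : (String[]) groups.clone();
    }

    /** @return the user name this principal was created with */
    public String getName() {
        return this.username;
    }

    /**
     * Tests membership in a group.
     *
     * @param role role name to look for
     * @return true if role is one of this user's groups; false for a null role
     *         or when no groups have been assigned (never throws)
     */
    public boolean hasRole(String role)
    {
        // Guard instead of dereferencing: groups is unset when the object was
        // built with the single-argument constructor.
        if (role == null || groups == null)
            return false;
        for (int i = 0; i < groups.length; i++)
        {
            if (role.equals(groups[i]))
                return true;
        }
        return false;
    }
}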

Now point services-config.xml at the class and define the security constraint (the set of roles) that destinations will reference:
<security>

<login-command class=”com.dl.login.LoginProxy” server=”all”>
<!-- true = per-client ("per tab") authentication: each Flex client logs in separately, and a browser refresh also resets its authentication -->
<per-client-authentication>false</per-client-authentication>
</login-command>

<security-constraint id=”trusted”>
<auth-method>Basic</auth-method>
<roles>
<role>guests</role>
<role>accountants</role>
<role>employees</role>
<role>managers</role>
</roles>
</security-constraint>

</security>

That’s it for the wiring. Two caveats before this goes anywhere near production: the username and password handed to doAuthentication travel over whatever channel the Flex client logs in on, so serve that endpoint over HTTPS rather than plain HTTP; and replace the hard-coded credential check with a lookup against your user store that verifies a salted password hash and fills in the user’s groups.

To actually secure a destination, reference the constraint from remoting-config.xml; a destination that carries no security-constraint is not protected by the login command at all:

<destination id=”AlertProxy” >
<properties>
<source>com.dl.alerts.AlertDAO</source>
<scope>application</scope>
</properties>

<security>
<security-constraint ref=”trusted”/>
</security>

</destination>

 