Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Securing Flex + Java web application

Presentation discrubing how Flex + Java web application can be secured using Spring Security, Spring BlazeDS Integration, Spring LDAP and Flexible Chimp frameworks
by

Andriy Halyasovskyy

on 23 May 2010

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Securing Flex + Java web application

Spring Security
"Spring Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on application that use Spring."
Securing Flex + Java web
application

What do we need for this?
You're done!
Now you secured your Flex application using Spring Security framework!
First of all we need to make Flex and Java to make friends!
+
=
Flex front-end
Java back-end
"BlazeDS is the server-based Java remoting and web messaging technology that enables developers to easily connect to back-end distributed data and push data in real-time to Adobe Flex and Adove AIR applications for more responsive rich Internet applications (RIA) experiences"
So what is BlazeDS?
Or in more details
Spring BlazeDS Integration
framework
As we will use Spring Framework - we will also make use of Spring BlazeDS Integration
"Spring BlazeDS Integration is a new addition to the Spring portfolio, and a component of the complete Spring Web stack. This project's purpose is to make it easier to build Spring-powered RIA using Adobe Flex as the front-end client. It aims to achive this purpose by providing first-class support for using the open source Adobe BlazeDS project and its powerful remoting and messaging facilities in combination with the familiar Spring programming model."
How to make it work?
Very easy!
1. Add MessageBroker definition to you Web App Context
(this will bootstrap all required Spring beans)
In the simplest case its just one tag <flex:message-broker />
1
2. Configure channel in services-config.xml
which will be used by Message Broker
2
3. Map incoming requests to Message Broker in web.xml
3
You're done!
Now you can connect any Java object with Flex Remote object
And call methods of Java object in Flex!
What about security?
Major capability areas
Authentication
Web URL authorization
Method invocation authorization
Channel security
... and more
Human user detection
Domain instance based security (ACLs)
WS-Security (via Spring Web Services)
Flow Authorization (via Spring Web Flow)
Spring Portfolio
AcpectJ
JA-SIG CAS
JOSSO
NTLM via JCIFS
OpenID
SiteMinder
Atlassian Crowd
jCaptcha
RFC 1945, 2617 etc
Major containers (for exampe Tomcat, JBoss, etc)
JAAS
Jasypt
Grails and Trails
Mule
DWR
AppFuse
AndroMDA
<http>
<intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<!-- REST support -->
<intercept-url pattern="user/**" method="POST" access="ROLE_SUPERVISOR" />
</http>

These elements are parsed top-to-bottom
Put your most specific patterns at the top
Put your "catch all" or "wildcard" patterns last
<intercept-url> element registers FilterSecurityInterceptor
And also registers a filter chain for specified URL
URL authorization is not enough
Method authorization diagramm
Spring Security EL example
<global-method-security jsr250-annotations="enabled" />

public interface MyBean {

@PreAuthorize("hasRole('ROLE_TELLER') and (#account.ballance + #amount >= -#account.overdraft)")
void post(Account account, float amount);
}
URL authorization is often not enough:
Not at 1 to 1 relationship to resources, think about Print Views
/listCustomers.html and print.view?page=listCustomers

Maybe you don't have URLs (not a Web application)
Or you have one URL for different AJAX-actions (only the headers are different)
<intercept-url />
Form login
Most applications use simple form login

Default settings:
Login page: /spring_security_login
Failure page: /spring_security_login?login_error
Post to: /j_spring_security_check

Spring Security auto-renders a login page
If you don't specify a custom login page URL
Basic authentication
Defined in RFC 1945 and 2617
Sent over HTTP-headers
Commonly used with remoting protocols
Remember Base64 is not encrypted!
You should therefor send over HTTPS
What this user is allowed to do in the system?
Method authorization
Implemented using AOP (so compatible with Spring AOP or AspectJ)
Interceptors can be declared using @JSR250 annotations or @Secured annotations (deprecated)
Via XML-based declarations
Via AspectJ pointcut expressions
Via Spring EL (Expression Language) annotations
@JSR250 (official standard) and @Secured
<global-method-security jsr250-annotations="enabled" />

@DenyAll
public class MyBeanImpl {
@RolesAllowed("ROLE_USER")
BigDecimal getSpringFanClubSize() {/* ... */}
}

public interface MyBean {
@Secured("ROLE_USER")
BigDecimal getSpring FanClubSize();
}

Remark: Though @Secured annotations has been deprecated it is still the only way to add security to interfaces!
Instance based XML
Simply decorate your XML beans definitions

<bean id="target" class="MyBeanImpl">
<intercept-methods>
<protect method="MyBean.set*" access="ROLE_ADMIN" />
<protect method="MyBean.get*" access="ROLE_USER" />
</intercept-methods>
</bean>
AspectJ pointcut, class based
<global-method-security>

<protect-pointcut expression="execution(* *.get*(..))" access="ROLE_USER"/>
<protect-pointcut expression="execution(* *.set*(..))" access="ROLE_ADMIN" />

</global-method-security>
Spring Security Expression Language annotations
@PreAuthorize

@PostAuthorize

@PreFilter

@PostFilter
Spring Security EL support
hasRole(String)
hasAnyRole(String...)
hasPermission(String)
isAnonymous
isRememberMe
isFullyAuthenticated
authentication
permitAll
denyAll
access to the arguments and return object
It plays nicely with others...
Key concepts
Ok than, how to secure Flex+Java app?
It can be extreamly simple!
1
Secure the channel
Just add <secured/> tag to your Spring Message Broker definition:

<flex:message-broker>
<flex:secured />
</flex:message-broker>

This will cause any channels used by Message Broker to throw access denied exception if unauthorized access happens
2
Add Spring Security filter to web.xml:

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Handle security scenarios at Flex
3
Now accessing Remote Object in Flex will require to make authorization (throgh custom implemented login form)
Spring Security
"Spring Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on application that use Spring."
Is there any way to improve
Flex-side security?
Flexible Chimp
"Chimp is permission based filtering component for Adobe Flex and AIR. Applications implement Chimp by adding metadata withing the Flex UIComponents. Based on the metadata it will remove components completely, enable/disable, and update visibility"
How does it work?
First you add Chimp SWC file to your Flex project and then load Chimp before any components are loaded:

private function preinitializeHandler(event:Event):void {
Chimp.load(null);
}
Fill Chimp with user granted roles
Use metadata to implement security scheme
Now you can easily define which controls can be seen or accessible by admin, user, etc:

<mx:Metadata>
[Protected(permissions="admin", inPermissionAction="visible", componentId="adminButton")]
[Protected(permissions="admin", notInPermissionAction="removeChild", componentId="box2")]
[Protected(permissions="user", inPermissionAction="enable",componentId="updateButton")]
</mx:Metadata>

<mx:Button id="adminButton" label="Admin button" visible="false" />
<mx:Button id="updateButton" label="Update button" enable="false" />
...
That's it!
Now you should know how Flex + Java application can be secured!
Resources
http://beta.parleys.com/#sl=20&st=5&id=37
http://www.viddler.com/explore/oredev/videos/22
http://static.springsource.org/spring-security/site/docs/2.0.x/reference/springsecurity.html
http://static.springsource.org/spring-flex/site/docs/1.0.x/reference/html/index.html
http://www.springbyexample.org/static/1.03/html/index.html
http://www.mindtheflex.com/?p=67
http://www.gridshore.nl/2009/05/24/integrate-flex-security-in-mate-using-the-spring-blazeds-integration-project
http://www.adobe.com/devnet/flex/articles/flex_security.html
http://www.adobe.com/devnet/flex/articles/flex_enterprise_security.html
"If I can't picture it, I can't understand it"
A. Einstein
Full transcript