apache-flex - 如何检查 Spring Security 的用户身份验证并从 Flex 获取角色？

Question

我正在使用 Spring、Spring Security、BlazeDS、Flex 和 spring-flex。

我知道我可以调用channelSet.login()和 channelSet.logout() Hook 到 Spring Security 进行身份验证。 channelSet.authenticated显然只知道当前的 Flex session ，因为它总是以 false 开始，直到您调用 channelSet.login() .

我想做的事:

从 Flex 检查以了解用户是否已在 session 中。

如果是这样，我想要他们的用户名和角色。

更新
我只是想添加我在 brd6644 中使用的解决方案的详细信息的答案在下面，这样对于查找此内容的其他人来说可能会更容易。我用了 this StackOverflow 回答 SecurityContext可注入(inject)的。我不会在这个答案中重写代码，所以去看看 SecurityContextFacade .

securityServiceImpl.java

public class SecurityServiceImpl implements SecurityService {
    private SecurityContextFacade securityContextFacade;

    @Secured({"ROLE_PEON"})
    public Map<String, Object> getUserDetails() {
        Map<String,Object> userSessionDetails = new HashMap<String, Object>();

        SecurityContext context = securityContextFacade.getContext();
        Authentication auth = context.getAuthentication();
        UserDetails userDetails = (UserDetails) auth.getPrincipal();

        ArrayList roles = new ArrayList();
        GrantedAuthority[] grantedRoles = userDetails.getAuthorities();
        for (int i = 0; i < grantedRoles.length; i++) {
            roles.add(grantedRoles[i].getAuthority());
        }

        userSessionDetails.put("username", userDetails.getUsername());
        userSessionDetails.put("roles", roles);
        return userSessionDetails;
    }
}

安全上下文.xml

<security:http auto-config="true">
    <!-- Don't authenticate Flex app -->
    <security:intercept-url pattern="/flexAppDir/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <!-- Don't authenticate remote calls -->
    <security:intercept-url pattern="/messagebroker/amfsecure" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</security:http>

<security:global-method-security secured-annotations="enabled" />

<bean id="securityService" class="ext.domain.project.service.SecurityServiceImpl">
    <property name="securityContextFacade" ref="securityContextFacade" />
</bean>
<bean id="securityContextFacade" class="ext.domain.spring.security.SecurityContextHolderFacade" />

flexContext.xml

<flex:message-broker>
    <flex:secured />
</flex:message-broker>

<flex:remoting-destination ref="securityService" />
<security:http auto-config="true" session-fixation-protection="none"/>

FlexSecurityTest.mxml

<mx:Application ... creationComplete="init()">

    <mx:Script><![CDATA[
        [Bindable]
        private var userDetails:UserDetails; // custom VO to hold user details

        private function init():void {
            security.getUserDetails();
        }

        private function showFault(e:FaultEvent):void {
            if (e.fault.faultCode == "Client.Authorization") {
                Alert.show("You need to log in.");
                // show the login form
            } else {
                // submit a ticket
            }
        }
        private function showResult(e:ResultEvent):void {
            userDetails = new UserDetails();
            userDetails.username = e.result.username;
            userDetails.roles = e.result.roles;
            // show user the application
        }
    ]]></mx:Script>

    <mx:RemoteObject id="security" destination="securityService">
        <mx:method name="getUserDetails" fault="showFault(event)" result="showResult(event)" />
    </mx:RemoteObject>

    ...
</mx:Application>

Answer 1

如果您使用 Spring Blazeds integration ，您可以使用 org.springframework.flex.security.AuthenticationResultUtils 实现 getUserDetails 方法。

public Map<String, Object> getUserDetails() {  
 return AuthenticationResultUtils.getAuthenticationResult();
}