How to secure a hybrid Spring MVC + Flex applicati

2019-05-10 23:57发布


I tried asking this on the Spring forums ( ) but did not get a response.

I'm working on a web application that has an (end user) user interface built in Flex and a management user interface built using Spring MVC. I'm trying to secure both interfaces and can get each one working separately, but not together.

I'm using a snapshot build of spring-flex-core 1.5.0 with Spring Security 3.1RC1 and Spring 3.1M1

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns=""

<!-- All Spring Security related configuration goes here -->

<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

<security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
    <security:anonymous enabled="false"/>

<bean id="entryPoint" class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>

<security:http pattern="/favicon.ico" security="none"/>
<security:http pattern="/login*" security="none"/>
<security:http pattern="/logoutSuccess*" security="none"/>
<security:http pattern="/apollo/css/**" security="none"/>
<security:http pattern="/apollo/js/**" security="none"/>
<security:http pattern="/apollo/img/**" security="none"/>
<security:http pattern="/common/css/**" security="none"/>
<security:http pattern="/common/js/**" security="none"/>
<security:http pattern="/common/img/**" security="none"/>
<security:http pattern="/MoneyManager.swf" security="none"/>
<security:http pattern="/assets/**" security="none"/>
<security:http pattern="/index.jsp" security="none"/>

<security:http servlet-api-provision="true">

    <security:intercept-url pattern="/cms/*" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/cms/users/*" access="ROLE_ADMIN,ROLE_USER_MANAGER"/>
    <security:intercept-url pattern="/cms/content/*" access="ROLE_ADMIN,ROLE_CONTENT_MANAGER"/>        
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />

    <security:form-login login-page="/login.html" default-target-url="/home.html" 
                        always-use-default-target="false" authentication-failure-url="/login.html"/>

    <security:logout logout-url="/logout" logout-success-url="/default.html" />


<bean id="successfulLogInListener" class=""/>
<bean id="failedLogInListener" class=""/>

    <security:authentication-provider user-service-ref='userService'/>

If I include only the first http tag without the pattern attribute then the flex UI appears to authenticate successfully using Spring security. However if I include all the <http> tags then I get one of two errors depending on whether I use

<security:http  entry-point-ref="entryPoint">
    <security:anonymous enabled="false"/>

which gives

SEVERE: Exception sending context initialized event to listener instance of class  org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.parsing.BeanDefinitionParsingException:  Configuration problem: The filter chain map already contains this request matcher [Root  bean: class []; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null]. If you are using multiple <http> namespace elements, you must use a 'pattern' attribute to define the request patterns to which they apply.


   <security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
    <security:anonymous enabled="false"/>

which results in

SEVERE: Servlet /apollo threw load() exception
org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type   [] is defined: expected single matching bean but found 2: [,]

I'm obviously missing something but while the Spring Flex documentation describes how to configure a hybrid MVC+Flex application at the servlet level it appears to only consider security from the perspective of a flex-only application.

Can anyone suggest what I'm doing wrong?




One thing I've used before when dealing with the same issue was to have 2 separate DispatcherServlets:






You also need to update your security configuration by modifying the MVC paths to /spring/...

I'm almost sure that this isn't the best solution when you use SpringDS instead of BlazeDS. There's gotta be a more optimal way!

You can also try to remove:

<security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
    <security:anonymous enabled="false"/>

And instead of that try using this:

<flex:message-broker mapping-order="1">
    <flex:mapping pattern="/messagebroker/*"/>
    <flex:message-service default-channels="amf, polling-amf, longpolling-amf" />
       <flex:secured-channel channel="amf" access="ROLE_SOME_ROLE" />

Keep in mind that the authentication should be done through the channelSet on the Flex client!