<p>I went ahead and downloaded the BlazeDS source code and after some debugging I realized that it might have just been me and my expectations when it came to the login behavior. Still, I'm a little bit confused about it and maybe someone can clarify the actual process for me, since the BlazeDS documentation does not explain it in a clear way.</p>
<p>My configuration is very simple: one AMF destination for RemoteObject usage and one security-constraint with the allowed roles. In this scenario I was expecting the ChannelSet.login to fail if the user does not have the expected roles. Instead, the login succeeds, which in my current design allows the user to proceed.</p>
<p>After debugging I realized that the TomcatLoginCommand.isUserInRole method is only called after a RemoteObject method is called, but never during the ChannelSet.login command. To confirm it, I associated security-constraints with some methods of the destination (see below, as shown in the documentation). As expected, the RemoteObject method would not be called when logging in with a user that did not have the given roles, but all was good if the role was present.</p>
<pre><code>&lt;destination ...&gt;
    ...
    &lt;include-methods&gt;
        &lt;method name="fooMethod"/&gt;
        &lt;method name="barMethod" security-constraint="custom-admin-access"/&gt;
    &lt;/include-methods&gt;
    ...
&lt;/destination&gt;
</code></pre>
<p>Based on this, my questions still are: Is this the intended behavior? Shouldn't ChannelSet.login fail immediately if the authenticated user does not participate in the allowed set of roles?</p>
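As an added example (not part of the question and not taken from the BlazeDS documentation), the configuration below shows where the role check actually attaches: the login-command only authenticates, while each security-constraint is evaluated when a constrained destination or method is invoked, so the destination itself should carry a constraint rather than relying on a successful login. The constraint id custom-admin-access and the method names come from the question; the destination id fooService, the constraint id user-access, the Java class name and the role names are assumed placeholders.

```xml
<!-- services-config.xml (assumed fragment): the login command authenticates only;
     the named constraints below are what enforce roles, and only when referenced -->
<security>
    <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>

    <!-- baseline constraint for any call to the destination (role name assumed) -->
    <security-constraint id="user-access">
        <auth-method>Custom</auth-method>
        <roles>
            <role>user</role>
        </roles>
    </security-constraint>

    <!-- stricter constraint referenced per method in the question (role name assumed) -->
    <security-constraint id="custom-admin-access">
        <auth-method>Custom</auth-method>
        <roles>
            <role>admin</role>
        </roles>
    </security-constraint>
</security>

<!-- remoting-config.xml (assumed fragment): constrain the whole destination so an
     authenticated user without the role is refused on the first RemoteObject call,
     then tighten one method further; ChannelSet.login alone checks none of this -->
<destination id="fooService">
    <properties>
        <source>com.example.FooService</source>
        <include-methods>
            <method name="fooMethod"/>
            <method name="barMethod" security-constraint="custom-admin-access"/>
        </include-methods>
    </properties>
    <security>
        <security-constraint ref="user-access"/>
    </security>
</destination>
```

With the destination-level constraint in place, a client whose login succeeded but who lacks the user role receives a fault on the first call to fooService instead of proceeding unchecked.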