Jai’s Weblog – Tech, Security & Fun…

Tech, Security & Fun…

  • Jaibeer Malik

    Jaibeer Malik
  • View Jaibeer Malik's profile on LinkedIn
  • Subscribe

  • Feedburner

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 29 other followers

  • Archives

  • Categories

  • Stats

    • 379,210
  • Live Traffic

Flex: Enterprise security implementation using Chimp, permission based filtering component

Posted by Jai on August 28, 2009

This post covers how you can implement enterprise security solution for flex applications. You can implement flex side security using Chimp which is permission based filtering of flex components using metadata and Spring Security on the server side and integrating the two.

This is part of the series of posts:

Flex then, now & tomorrow – From a java developer’s perspective
Flex: Cairngorm (MVC), SpringActionscript (IOC) and other Cairngorm Extensions
Flex: SpringActionscript (IOC) & SpringActionscript Cairngorm Extension Sample Code Examples
Flex: Cairngorm View Notifications Strategies, Responders from Command to View
Flex: Choosing the right flex data transfer strategy and designing the application accordingly
Flex Tips&Tricks

to cover different strategies in flex development using Cairngorm framework to solve different practical problems.

Consider an enterprise application where you need to have security on both flex side and server side. You want access control on flex side and depending on user roles you would like to create, remove, hide, enable particular view components in the application. Similarly, have access control on the server side that user having specific roles only would be able to use some service, package or call some particular methods.

There is very nice article by Ryan on Enterprise security for Flex which covers the spring security integration and flex side security implementation using chimp.

Server Side Security

Consider that you are using Spring BlazeDS for you flex applications for the back end. And the Spring Security is very good option to go ahead with (also if you have already worked and comfortable with acegi-security :)).

We won’t cover much here related to the back end security implementation but feel free to explore how to get started with spring security.

Client Side Security

If it would have been server side processing on runtime and create flex components based on user access control and update client accordingly🙂, well that is not the case.

Lets say we have an enterprise application where user is part of some group and having different roles/permissions.

In terms of security implementation, what I need is the 3 A’s (Authentication, Authorization and Access Control) system. Lets see how we can achieve this using our own strategy and using some other available library for this.

Some Custom Implementation

Lets say if you need to implement it on the client side then how would you handle it yourself in your application. In very simple scenarios, you would authenticate the user and retrieve all the permissions for the group which the user is part of. Store the roles in the application somewhere and on every operation like component creation or any other event handling you would explicitly check if the user is having that role or not and based on which you control the view component states.

May be if you are using Cairngorm along with Presentation Model design etc. then make it a bit more complex and do the trick.

I would suggest not to go to those complications until and unless you have some specific requirements.

Chimp

You would like to give a thought to Chimp which is

Chimp is permission based filtering component for Adobe Flex and AIR. Applications implement Chimp by adding metadata within the Flex UI components. Based on the metadata it will remove components completely, enable/disable, and update visibility.

It provides you the support to implement security on client side based on permission filtering by adding metadata.

Getting Started:

Flex Builder/Eclipse: Include chimp swc file in your project.

Maven pom entry: Add the downloaded file to you repository separately.


<!-- Flex Security -->
 <dependency>
      <groupId>com.gorillalogic</groupId>
      <artifactId>chimp</artifactId>
      <version>0.2</version>
      <type>swc</type>
 </dependency>

Chimp Example: Have a look at the chimp example how it works.

Set up using Flex builder:

Flex Builder: Add following compiler arguments to add metadata entry


-locale en_US -keep-as3-metadata+=Protected 

Maven pom entry: If you are using flexmojos-maven-plugin to build the project, please provide following configuration parameter to add new metadata.


<keepAs3Metadatas>
<param>Protected</param>
</keepAs3Metadatas>

Authentication and Permissions loading:

Think of a complex scenario like you have separate authentication and authorization systems and separate services for the job.

Lets say you need to check the credentials first and based on that get the user details and user roles. In Cairngorm how would you handle it, imagine that the first screen itself contains different view based on your roles.

Now, your login process becomes two-three step process. First is authentication and then get user details based on login name and get user roles for the logged in user.


...
...
var callbacks:IResponder=new mx.rpc.Responder(login_check_success, login_check_fault);

new CheckLoginCredentialsEvent(userName.text, password.text, callbacks).dispatch();

private function login_check_success(info:Object):void
 {
         if (model.loginSuccess)
           {
                var usrDetailsCallback:IResponder=new mx.rpc.Responder(getUserDetailsSuccess, login_check_fault);
                new GetUserDetailsEvent(userName.text, usrDetailsCallback).dispatch();
           }
         else
          {
                Alert.show(“User not Authorized!!!”));
          }
 }

private function getUserDetailsSuccess(data:Object):void
 {
       var usrRolesCallback:IResponder=new mx.rpc.Responder(getUserRolesSuccess, login_check_fault);
       new GetUserRolesEvent(model.loggedInUser, usrRolesCallback).dispatch();
 }

private function getUserRolesSuccess(data:Object):void
 {
        //Create Main application view here.
       //import com.gorillalogic.security.Chimp;
       //The Success command will load the Chimp.load(permissions)
       //or you can do that here in view only
 }

...
...

You can use callback methods as described in my earlier posts.

The sample code shown above covers the three step process. You can do the separate fault handling for each step using the callback methods.

The same thing you can also do with the event sequence based on some provided trigger criteria for the next event.

Based on the requirement you can plan how to load the different components and permission loading. The only thing you need to take into account is that the permissions should be loaded before loading any component using the Protected metadata, rest you can do programmatic.

Using permissions as metadata inside view components:


<mx:Metadata>
        [Protected(permissions="PERM_CREATE_USER",inPermissionAction="visible",componentId="createUserButton")]
        [Protected(permissions="PERM_MODIFY_USER",inPermissionAction="enable",componentId="modifyUserButton")]
</mx:Metadata>

<mx:Button label="Create User" id="createUserButton" click="createUser();" visible="false"/>
<mx:Button label="Modify User" id="modifyUserButton" click="modifyUser();" enabled="false" />
...
...

It  is as simple as it looks. And what different things you can do with the components “Based on the metadata it will remove components completely, enable/disable, and update visibility

Flex side security (Chimp) integration with server side security (Spring Security)

You can integrate the Chimp on flex side to the spring security on the server side.

Have a look at Configuring the Spring Security Integration to configure the server side for the flex integration part.

To integrate on the flex side you need to create the secured channel set. If you look at my previous post you can see that while using Cairngorm and SprinActionscript you are injecting the loginService as remote objects inside your LoginDelegate through context file.

LoginDelegate:

For more clarifications, look at previous posts.


//Old implementation to check Credetials
//public function checkLoginCredentials(userName:String,password:String) : void
//{
//         var call : Object = service.checkLoginCredentials(userName,password);
//         call.addResponder( responder );
//}

//New Implementation for secured channel set

public function checkLoginCredentials(userName:String,password:String) : void
 {
        var call : Object = service.channelSet.login(userName,password);
        call.addResponder( responder );
 }
...
...

CheckLoginCredentialsCommand:

The same command can be used check the user credentials and load the permissions retrieved as the authorities.


public class CheckLoginCredentialsCommand extends AbstractResponderCommand
{
		...
		override public function result( result : Object ) : void
		{
			model.loggedInState = "LoginSuccessfull";
			//Retrieve authorities from result using event.result.authorities
			//And load Chimp.load(
<permissions>);
		}
		...
		...
}

Now in your view component you can have only one callback method for the login process.

Based on your application design, in case you are using presentation model for controlling the view states, you can load chimp permission in command and can also update the presentation model here only.

I hope this will at least can give you a kick start to implement and integrate the security for your flex application and rest you can twist around that suits you.

Feel free to share your experiences in implementing security for flex applications and other spring integration issues.

3 Responses to “Flex: Enterprise security implementation using Chimp, permission based filtering component”

  1. naoufel1986 said

    Thanks that help, Good work
    For those who use ant to build project, you should add under mxmlc tag

  2. You made some good points there. I did a search on the topic and found most people will agree with your blog.
    thanks.
    Enterprise Application Development USA

  3. Assaf said

    Hi great example!
    Is it possible to create permissions on menu items? I want to enable/disable different part of my menu..

    Thanks!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: