tags:

views:

998

answers:

2
Q: 

Spring-Flex BlazeDs Multi-User + Global Chat Messaging

I'm working on an application that allows users to send internal message to one-another.

I'll tell you what the current setup is and please help me figure out how to make it work or perhaps suggest another angle to take. We're using BlazeDS with Spring.

  • User A listens for messages on message topic Chat.A
  • User B listens for messages on message topic Chat.B
  • Both users listen for global messages (system-wide messages) on topic Chat.System

So we have a multi-topic consumer for the personal message topic and one for the global message topic.

So a couple of questions I have:

  1. Is it better to do it as two distinct consumers (that share the same handler function) or as one, multi-topic consumer?
  2. How do I check that the client A is actually the one listening to Chat.A and not just some one else that knows how to write BlazeDS clients? We have Spring Security in place, but how can I listen for subscription requests and block them if their user name (pulled from security context) doesn't match the sub-topic that they requested?

I've also read about selectors. Well, that looked promising, but again, how do I check that when a consumer uses selector="for == A || for == System that the consumer belongs to a client that has authenticated as that "for" user.

  1. How do selectors compare/contrast to sub-topics? What's the best situation for each of them?
+1  A: 

A selector is basically an expression you can use to filter which messages will be dispatched through your consumer. According to the docs, it uses SQL 92 conditional expression syntax:

http://livedocs.adobe.com/blazeds/1/blazeds%5Fdevguide/help.html?content=messaging%5F6.html

A subtopic is sort of a special case of a selector, filtering out messages whose "DSSubtopic" header don't match the provided value.

The important thing to understand with both of these is that the client determines which messages are sent to it, and as such it cannot be relied upon entirely for security.

To implement secure server-based filtering of messages based on an authenticated user's identity, see my answer to a related question here:

http://stackoverflow.com/questions/916437/flex-messaging-security/917189#917189

As far as multiple Consumers vs. MultiTopicConsumer, not sure there. They're both going to use the same underlying ChannelSet, so it ought not to have a big performance difference. I think it's mostly a question of whether it's convenient to have one event handler that responds to all messages from the MultiTopicConsumer or whether it's easier to have separate event handlers for each Consumer.

cliff.meyers  2009-09-27 03:23:07
Thank you for that answer. Is there a way to intercept a subscription request with an adapter or something, and at that point, we disallow access to a topic that they've requested if it doesn't match their user name?
davidemm  2009-09-27 05:35:27
A: 

I usually use subtopics for this. But if you do it that way make sure that you disable subscriptions to wildcard subtopics.

James Ward  2009-09-28 15:56:35
Thanks so much! I used your example to do what I needed. I was trying to examine subscription requests by looking at Object manage(CommandMessage commandMessage) (http://livedocs.adobe.com/livecycle/8.2/programLC/programmer/javadoc/flex/messaging/services/messaging/adapters/MessagingAdapter.html). I moved my security logic to the allowSubscribe(Subtopic subtopic) method and it worked like a charm!
davidemm  2009-09-29 16:35:59
Via Spring-Flex integration I used: <flex:message-destination id="my-messages" allow-subtopics="true" subtopic-separator="." service-adapter="MyMessagingAdapter"/> where "MyMessagingAdapter" is a reference to a bean. In the bean (adapter), I examine the subtopic and I make sure that there are no wildcards AND the lowest sub-topic matches the username pulled from the security context: SecurityContextHolder.getContext().getAuthentication().getName())
davidemm  2009-09-29 16:43:52

related questions

Silverlight vs Flex
Executing JavaScript from Flex: Is this javascript function dangerous?
How To Get Label Of Combobox to Fade In Flex
How do I change the title bar icon in Adobe AIR?
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Flex: does painless programmatic data binding exist?
SoapException: Root element is missing occurs when .NET web service called from Flex
Any recommendations for in-depth Flex training?
How do I restyle an Adobe Flex Accordion to include a button in each canvas header?
Deleting / Replacing A Node in E4X (AS3 - Flex)
How can I "unaccept" a drag in Flex?
Printing Flex components in FireFox 3
Is it possible to add behavior to a non-dynamic ActionScript 3 class without inheriting the class?
How do I get rid of the "multiple describeType entries" warning?
Open local file with AIR / Flex
Flex / Air obfuscation
Adobe Flex component events
Can you access the windows registry from Adobe Air?
Actionscript 3 - Fastest way to parse yyyy-mm-dd hh:mm:ss to a Date object?
Adobe Air - Using multiple SQLite databases at once
How can I unit test Flex applications from within the IDE or a build script?
Best way to learn Flash?
Get the current logged in OS user in Adobe Air
Adobe air - SQLStatement.execute() - Multiple queries in one statement
Unloading a ByteArray in Actionscript 3.