Hi all ,
As I say in the title of my question, I don't succeed in configuring Spring Security... I've followed two articles written by James Ward or Jettro Coenradie but I still don't have it !
First I tried to make all this working in a fake project, and it worked well, thant I tried in the "real" project. The configuration files are exactly the same regarding Spring Security, but the real project fails.
My config In web.xml :
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/config/applicationContext.xml</param-value>
</context-param>
...
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
<servlet>
<servlet-name>Spring MVC Servlet Dispatcher</servlet-name>
<display-name>Spring MVC Servlet Dispatcher</display-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/config/webApplicationContext.xml</param- value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
In applicationContext.xml :
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
<security:http entry-point-ref="preAuthenticatedEntryPoint">
<security:anonymous enabled="false"/>
</security:http>
<bean id="preAuthenticatedEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="arnaud" password="arnaud" authorities="ROLE_USER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
In webApplicationContext.xml ceci :
<flex:message-broker>
<flex:secured />
</flex:message-broker>
And in each bean service :
<security:intercept-methods>
<security:protect method="*" access="ROLE_USER" />
</security:intercept-methods>
First I tried to replace this last piece of code by annotations @Secured("ROLE_USER"), which didn't work, that's why I used the security:intercept-methods and security:protect tags.
In my first fake project, when I launch my flex application (a simple datagrid retrieving a list of products), the products are not loaded and I have a FaultEvent dispatched, so Spring Security works.
In the second project, the real one, I have an error on deploy telling me that "*" (or "findAll" when I tried) is not a valid method name.
With
<security:protect method="com.blablabla.UserService.findAll" access="ROLE_USER" />
I no longer have this error, and I can launch my flex application.
But when I launch it, all my users (yes, in this second application I retrieve users, not products) are loaded in the datagrid ! Which means the security doesn't work at all.
It's driving me crazy !