Sorry for the late response....

>> Does this process only work if we try to access a restricted resource? That is, if the first screen in my Flex app is the login page, can I post the form to one of my own services (remote object), manually do the handler/loginContext process as described in login.jsp below? Or does it need to be posted to this j_security_check? <<
You need to access a secure resource. The container will respond with a redirect to your login page where you have a form that submits to j_security_check.

>> If this login module/context succeeds (login/commit), does it matter whether this was called through my own code or from this mysterious j_security_check? (BTW, what is j_security_check? A jsp, url to servlet handled by container, .... I can do the search on this myself, but if you want to answer, I'd certainly read it :-)) <<

After a successful login, the server will redirect the user to the originally requested secure resource. j_security_check is a token in J2EE web applications that represents the server's "page" for processing a form-based authentication request. It's not something you write. When the server gets a request for it, it gets the value for j_username and j_password and attempts to authenticate the user based on whatever authentication scheme you have configured for the server/web app.

>> Is there some standard way of handling an app that requires the user to login prior to doing anything? For example, I see the app being launched from a link/button on our web site. I want the login page to display. Do we have this link/button point to some fake (or real) protected resource to kick off the auth process? <<

That's exactly correct. The login link points to a secure page. In the case of an unauthenticated session, the user will get the login form. In the case of a previously authenticated session, the user will be taken right to the page.

Carson
____________________________________________
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
Email: [EMAIL PROTECTED]
Office: 866-CYNERGY
Mobile: 1.703.489.6466

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 11:28 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

Thanks for the info. First, let me clarify that this is not how we intend to do login/auth. I was merely trying to get the LoginModule to fire without going through any server-side/flex/proxy.

Does this process only work if we try to access a restricted resource? That is, if the first screen in my Flex app is the login page, can I post the form to one of my own services (remote object), manually do the handler/loginContext process as described in login.jsp below? Or does it need to be posted to this j_security_check?

If this login module/context succeeds (login/commit), does it matter whether this was called through my own code or from this mysterious j_security_check? (BTW, what is j_security_check? A jsp, url to servlet handled by container, .... I can do the search on this myself, but if you want to answer, I'd certainly read it :-))

Is there some standard way of handling an app that requires the user to login prior to doing anything? For example, I see the app being launched from a link/button on our web site. I want the login page to display. Do we have this link/button point to some fake (or real) protected resource to kick off the auth process?

As always, thanks for the education.

Jim
-------------------------------------------------
Jim Schneider
KJ Interactive, Inc.
1-877-370-6906
1-612-605-5399

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Carson Hager
Sent: Wednesday, February 15, 2006 12:41 PM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

Actually, this doesn't look correct at all.
You're trying to go about this manually and that is not how J2EE security works. For this to work, you have to integrate with the container which means configuring your servlet container to delegate all J2EE authentication/authorization to your JAAS module. After that, you then have to secure resources within your web application however that's done in your container. For things like Tomcat, this is done directly in web.xml. Your situation here will likely be different. If you are using form auth, you then point your flex form to post to j_security_check passing in j_username and j_password. If you are using basic auth, you will simply be prompted by the browser for userid/password.

Regardless of which you choose, the order of operations in the J2EE world is the following.

1. User requests a secure resource.
2. Server responds with either the page you have configured for credentials (Form auth) or with a request to the client (browser) to garner the login information (Basic auth).
3. User enters credentials.
4. If successful, you now have an authenticated session that the server is intimately familiar with.

To answer the next question, you cannot force these credentials into a J2EE authentication session manually. You have to go through the server's provided interfaces.

Unfortunately, J2EE security is much too broad a subject to get into in this medium. I've attempted to give you a brief outline of the process here so that you can pursue it within the context of your container and its capabilities. Given the frequency of the questions surrounding this topic, we have submitted this topic as a candidate for an upcoming DevNet article.

Carson
____________________________________________
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
Email: [EMAIL PROTECTED]
Office: 866-CYNERGY
Mobile: 1.703.489.6466

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 10:31 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

Is this a valid test for this? I've verified that the login.jsp fires the JAAS login module and I do get the principal object back. In both jsps (login.jsp and verify.jsp), the user/principal information is null. (BTW, I've tried using the JBoss-supplied DatabaseServerLoginModule and my own to check for differences. None) Can we conclude from this that the JBoss JAAS module is not setting the principal information?

Logintest.mxml
{
<mx:Application xmlns:mx="http://www.macromedia.com/2003/mxml" xmlns="*">
  <mx:Panel width="100%" height="100%" title="Login Test">
    <mx:VBox height="100%" width="100%">
      <mx:Button label="Login" click="getUrl('login.jsp', 'LoginTest')"/>
      <mx:Button label="Verify" click="getUrl('verify.jsp', 'LoginTest')"/>
    </mx:VBox>
  </mx:Panel>
</mx:Application>
}

Login.jsp (snippet)
{
<%@ page import="javax.security.auth.Subject" %>
<%@ page import="javax.security.auth.login.LoginContext" %>
<%@ page import="org.jboss.security.auth.callback.UsernamePasswordHandler" %>
<%
// The snippet did not show where username/password came from; request
// parameters are assumed here so the page compiles.
String username = request.getParameter("username");
String password = request.getParameter("password");

// Drive the JAAS "employee" login configuration directly from the JSP.
// This authenticates the Subject held by this page only.
Subject subject = new Subject();
UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password.toCharArray());
LoginContext loginContext = new LoginContext("employee", subject, handler);
loginContext.login();

// Read back what the container thinks about this request.
String user = request.getRemoteUser();
String principal = null;
if (request.getUserPrincipal() != null)
    principal = request.getUserPrincipal().getName();
%>
Login Remote User: <%= user %><br>
Login Principal: <%= principal %>
}

Verify.jsp
{
<%
// Same check on a second request, to see whether the login above survived.
String user = request.getRemoteUser();
String principal = null;
if (request.getUserPrincipal() != null)
    principal = request.getUserPrincipal().getName();
%>
Verify Remote User: <%= user %><br>
Verify Principal: <%= principal %>
}

-------------------------------------------------
Jim Schneider
KJ Interactive, Inc.
1-877-370-6906
1-612-605-5399

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Matt Chotin
Sent: Wednesday, February 15, 2006 11:19 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

Right, basically attempt to remove Flex from the equation for the moment, get your JAAS module to fire using credentials you pass in using the JSP. Then after you've authenticated use the JSP to see if that newly created authenticated Principal is stored in the request. If it isn't there then the problem is bigger than RemoteObject.

Matt

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Carson Hager
Sent: Wednesday, February 15, 2006 9:05 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

He's actually not suggesting either. He's suggesting creating a test JSP that returns the user principal object to verify that the JSP is within an authenticated session.

<%=request.getUserPrincipal().getName()%>

It looks like you're going through a proxy which is using another "session". As I mentioned earlier, there are issues with the proxy and forwarding credentials from an existing session. Our context was the use of web services but this could very well be what you're seeing as well.

Carson
____________________________________________
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
Email: [EMAIL PROTECTED]
Office: 866-CYNERGY
Mobile: 1.703.489.6466

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 8:49 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

Thanks for the responses. Sorry for my ignorance, but are you suggesting that the JSP simulate a login (invoking the loginContext/loginModule)?
Or are you suggesting that the JSP set the UserPrincipal in the HTTP request (although I don't see a setter in the request interface API, which makes me wonder how JAAS injects the UserPrincipal into the request, but I can probably find that somewhere).

To answer Matt's questions, no, I'm not sure JAAS successfully stores the principal, yes, the login module is being called, but I'll look at it more closely.

Thanks again,

Jim
-------------------------------------------------
Jim Schneider
EyeCodeRight, LLC
1-877-370-6906
1-612-605-5399

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wolf
Sent: Wednesday, February 15, 2006 8:37 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

We have, as Carson mentioned, definitely seen issues where the j_session_id is not properly propagated through the proxy. I would want to see, as Matt alludes to, do the credentials get propagated when we take the proxy out of the picture. I would create a simple JSP page which itself returns the UserPrincipal. Call that JSP from within your Flex app and read the value.

--
Dave Wolf
Cynergy Systems, Inc.
Macromedia Flex Alliance Partner
http://www.cynergysystems.com
Email: [EMAIL PROTECTED]
Office: 866-CYNERGY

--- In flexcoders@yahoogroups.com, "Matt Chotin" <[EMAIL PROTECTED]> wrote:
>
> You sure that JAAS successfully stores the Principal back in the user request? If you did something similar via JSP would everything come through correctly? I haven't played with JBoss but WebSphere for example failed to store the authenticated principal in the request even when I went through JAAS to login my user in. You traced to see that your login module is called?
>
> ________________________________
>
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Jim Schneider
> Sent: Tuesday, February 14, 2006 2:12 PM
> To: flexcoders@yahoogroups.com
> Subject: FW: [flexcoders] setUsernamePassword and J2EE login (bounce)
>
> No one has any thoughts/ideas on this?
>
> -------------------------------------------------
> Jim Schneider
> KJ Interactive, Inc.
> 1-877-370-6906
> 1-612-605-5399
>
> ________________________________
>
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Jim Schneider
> Sent: Saturday, February 04, 2006 12:01 PM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] setUsernamePassword and J2EE login
>
> I finally got back to looking at this. I instrumented my code to look at flashgateway.Gateway.getHttpRequest().getRemotePrincipal() and getRemoteUser(). RemoteUser is empty and remote principal is null. I see the userid/password credentials in the amf trace from the client (setting UsernamePassword on the service), but nothing in the service.
>
> I'm using remote objects. Remote object is a spring bean.
>
> I've implemented a JAAS login module that appears to be functioning correctly (loginContext succeeds).
>
> Using JBoss 4.0.x.
>
> Any thoughts?
>
> Thanks,
>
> Jim
>
> ________________________________
>
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Carson Hager
> Sent: Saturday, January 21, 2006 10:22 PM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] setUsernamePassword and J2EE login
>
> If you use standard J2EE auth to the container, you can get the remote user provided you are not using the proxy. There is currently an issue with the proxy not forwarding the cookie in most ( all that we've seen ) circumstances. We have received a fix from Adobe on this that we are in the process of testing.
>
> This being said, if you don't use the proxy, you'll be able to access the user without issue from within your service implementations. Here's the kicker. The AS2 VM does not handle HTTP status code 500. It stops parsing the HTTP response when it sees a 500 which means that you will never be able to get at any data that occurs due to a SOAP Fault. Per the web services spec, the container is required to return an HTTP 500 status code when returning a fault. Effectively, you can't handle SOAP faults when you don't use the proxy and you get that meaningless error message that looks like it simply couldn't connect to the service. This issue is "handled" by the proxy. It changes that HTTP status code to 200 so that the flash player can parse the request. This is a kludge if you ask me but that's where we are today. As a note, this is being addressed in FP8.5 but the fix will very likely not ( according to Adobe ) be fixed in earlier versions due to backward compatibility.
>
> Carson
> ____________________________________________
> Carson Hager
> Cynergy Systems, Inc.
> http://www.cynergysystems.com <http://www.cynergysystems.com/>
> Email: [EMAIL PROTECTED]
> Office: 866-CYNERGY
> Mobile: 1.703.489.6466
>
> ________________________________
>
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Matt Chotin
> Sent: Saturday, January 21, 2006 7:37 PM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] setUsernamePassword and J2EE login
>
> I think you should be able to get it from the flashgateway.Gateway.getHttpRequest().getRemotePrincipal() or getRemoteUser().
>
> ________________________________
>
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Jim Schneider
> Sent: Wednesday, January 18, 2006 8:32 AM
> To: flexcoders@yahoogroups.com
> Subject: [flexcoders] setUsernamePassword and J2EE login
>
> After calling setUsernamePassword on a service, is this information "available" to the backend services (remote object or web service)? Or perhaps after a J2EE/JAAS login? If so, how/where?
>
> We have a requirement to do a lot of logging of who's doing what in the system and was wondering whether there are any alternatives to passing a username/id with most/all APIs.
>
> Thanks for any help.
>
> Jim
>
> --
> Flexcoders Mailing List
> FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
> Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
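Carson's four-step flow (secure resource, container-served login form, j_security_check, authenticated session) worked as a container configuration. This is an added example, not code from the thread; the /secure/ paths, the login and error page names, the employee role and realm name, and the remoting gateway path are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (Servlet 2.4). Nothing here is from the thread;
     paths, role and realm names are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Step 1: declare the protected resources. An unauthenticated request
       for any of them is what makes the container serve the login form.
       The launch link on the web site points at /secure/index.html. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated application</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <!-- Assumed remoting endpoint path. Constraining it means a
           RemoteObject call without a container session is rejected
           instead of reaching a service with a null user principal. -->
      <url-pattern>/flashservices/gateway</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- j_username/j_password travel in the POST body; require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 2: form-based auth. The container serves /login.jsp, whose form
       must POST fields named j_username and j_password to j_security_check.
       j_security_check is handled by the container; it is not a page you
       write. On success (steps 3-4) the container redirects to the resource
       originally requested and request.getUserPrincipal() is populated. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>employee</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>employee</role-name>
  </security-role>
</web-app>
```

login.jsp then needs only a plain `<form method="post" action="j_security_check">` with inputs named j_username and j_password; calling LoginContext.login() from a JSP, as in the test above, authenticates a Subject inside that page but never creates the container session this configuration relies on. On JBoss 4 the web application is bound to the JAAS login configuration through the security-domain element of jboss-web.xml (for example java:/jaas/employee), which the example assumes is in place.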
--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/flexcoders/

<*> To unsubscribe from this group, send an email to:
    [EMAIL PROTECTED]

<*> Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/