Hi Matt,

On 4/17/06, Matt Chotin <[EMAIL PROTECTED]> wrote:

You definitely need the <roles> in the constraint, otherwise there's nothing to test for.

 

Why are you not using the login command we provided for 5.5?  You would also need to copy the flex-tomcat-common.jar into the common/lib directory as specified in step 1, but then it should work.  The one we provide is flex.messaging.security.TomcatLoginCommand.


I forgot to mention I also copied flex-tomcat-common.jar into common/lib. The reason why I use a custom login (I'm still playing with FES2, so maybe I'm wrong) is that I have a huge Java application in the backend. This application manages its own classloaders and its own JAAS modules to manage authentication and authorization.

I think I've been able to solve the classloader issue with a custom filter applied to MessageBrokerServlet. This filter simply changes the classloader through Thread.currentThread().setContextClassLoader(). Is this a good way?

For the authentication and authorization I thought the best way would be to implement a custom loginCommand. Otherwise I won't be able to run any existing service on the server side. When using AS2 and openAMF I have a custom openAMF invoker which, in short, invokes a Subject.doAs statement. But I have no idea where to do this in FES.

BTW when I add <roles> in the security-constraint (using default roles, username and passwords provided by tomcat) and using setCredentials I receive a flex.messaging.security.SecurityException: Login required before authorization can proceed.

The client side code I'm using:

<code>
<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" xmlns="*" layout="absolute">
    <mx:Script>
        <![CDATA[
            import mx.rpc.events.ResultEvent;
            import mx.rpc.events.FaultEvent;
           
            private function send():void {
                db.setCredentials("tomcat","tomcat");
                db.test();
            }
           
            private function onFault (event:FaultEvent):void {
                trace ("onFault");
            }
           
            private function getTest (event:ResultEvent):void {
                trace ("onResult");
            }
        ]]>
    </mx:Script>
   
    <mx:RemoteObject id="db" destination="sampleDest" fault="onFault(event)">
        <mx:method name="test" showBusyCursor="true" result="getTest(event)"/>
    </mx:RemoteObject>
   
    <mx:VBox x="65" y="11">
        <mx:Button click="send()"/>
    </mx:VBox>
   
</mx:Application>

</code>


What can be wrong?
Thanks so much!

X.

Matt

 


From: flexcoders@yahoogroups.com [mailto: flexcoders@yahoogroups.com] On Behalf Of Xavi Beumala
Sent: Sunday, April 16, 2006 3:30 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Custom authentication in a destination

 

Hi all,

I'm trying to secure a remoting destination with a custom class as stated at http://livedocs.macromedia.com/labs/1/flex20beta2/00001546.html

The steps I've followed are:
   · Create a custom class which implements flex.messaging.security.LoginCommand with the methods start, stop, doAuthentication, doAuthorization and logout.
   · Add a destination definition in flex-remoting-service.xml:

    <destination id="sampleDest">
        <properties>
            <source>com.code4net.business.PhotoService</source>
            <stateful>true</stateful>
        </properties>
       
        <security>
            <security-constraint ref="sample-users" />
        </security>
    </destination>

   · Add a security definition tag in flex-enterprise-service.xml:

    <security>
        <security-constraint id="sample-users">
            <auth-method>Custom</auth-method>
        </security-constraint>

        <login-command class="com.code4net.loginModules.CustomLogin" server="Tomcat"/>
    </security>


   · Place flex-tomcat-server.jar in server/lib (NOT shared/lib), as stated in <fes_install_dir>/resources/security/tomcat/readme.txt
     (I'm running Tomcat 5.5)
   · Copy context.xml in web application under the META-INF directory

The problem is that with this configuration the destination isn't being secured and I can execute services on it normally. If I add a <roles> tag inside the security-constraint then I receive a security exception even though I'm invoking setCredentials and setRemoteCredentials from the client side (using default users and roles defined in tomcat-users.xml).

On the other hand if I run tomcat in debug mode from eclipse, any of the methods of CustomLogin class are invoked.

I think I'm missing the way to bind CustomLogin class to my sampleDest destination.

Am I missing something? Help is much appreciated.

X.







 





--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com




--
Xavi Beumala
http://www.code4net.com
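
The pattern raised in the message above (swap the thread context classloader, then invoke backend code under a JAAS Subject with Subject.doAs) is sketched here as an added example; it is not code from this thread or from Adobe. It generalizes the filter idea to a JDK-only helper that a servlet filter or a custom invoker could call; the names ScopedInvoker and invoke are hypothetical, and the loader and Subject in main are constructed stand-ins.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;

// Hypothetical helper, not part of Flex Enterprise Services or openAMF.
public class ScopedInvoker {

    /**
     * Runs the action with appLoader as the thread context classloader and
     * subject as the JAAS subject, then restores the thread's previous loader.
     */
    public static <T> T invoke(ClassLoader appLoader, Subject subject,
                               PrivilegedExceptionAction<T> action) throws Exception {
        Thread thread = Thread.currentThread();
        ClassLoader previous = thread.getContextClassLoader();
        thread.setContextClassLoader(appLoader);
        try {
            // Authorization checks in the backend see this subject only
            // for the duration of the action.
            return Subject.doAs(subject, action);
        } catch (PrivilegedActionException e) {
            throw e.getException(); // unwrap the checked exception from the action
        } finally {
            // Container threads are pooled: without this restore, the next
            // request served by this thread would inherit the swapped loader.
            thread.setContextClassLoader(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader before = Thread.currentThread().getContextClassLoader();
        // Constructed stand-ins: a real application would pass its own loader
        // and the Subject returned by LoginContext.getSubject() after login.
        ClassLoader appLoader = new URLClassLoader(new URL[0], before);
        Subject subject = new Subject();

        boolean swapped = invoke(appLoader, subject,
                () -> Thread.currentThread().getContextClassLoader() == appLoader);
        System.out.println("loader swapped inside action: " + swapped);
        System.out.println("loader restored afterwards: "
                + (Thread.currentThread().getContextClassLoader() == before));
    }
}
```

In a servlet filter, the action passed to invoke would wrap the call to chain.doFilter, so both the classloader and the Subject are scoped to a single request.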

