You definitely need the <roles> in the constraint, otherwise there's nothing to test for.
Why are you not using the login command we provided for 5.5? You would also need to copy the flex-tomcat-common.jar into the common/lib directory as specified in step 1, but then it should work. The one we provide is flex.messaging.security.TomcatLoginCommand.
I forgot to mention I also copied flex-tomcat-common.jar into common/lib. The reason why I use a custom login, I'm still playing with fes2 so maybe I'm wrong, is because I have a huge java application in the backend. This application manages its own classloaders and its own JAAS modules to manage authentication and authorization.
I think I've been able to solve the classloader issue with a custom filter applied to MessageBrokerServlet. This filter simply changes the classloader through Thread.currentThread().setContextClassLoader(). Is this the right way?
For the authentication and authorization I thought the best way would be to implement a custom loginCommand. Otherwise I won't be able to run any existing service on the server side. When using as2 and openAMF I have a custom openAMF invoker which, in summary, invokes a Subject.doAs statement. But I have no idea where to do this in FES.
BTW when I add <roles> in the security-constraint (using default roles, username and passwords provided by tomcat) and using setCredentials I receive a flex.messaging.security.SecurityException: Login required before authorization can proceed.
The client side code I'm using:
<code>
<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" xmlns="*" layout="absolute">
    <mx:Script>
        <![CDATA[
            import mx.rpc.events.ResultEvent;
            import mx.rpc.events.FaultEvent;

            private function send():void {
                db.setCredentials("tomcat","tomcat");
                db.test();
            }

            private function onFault (event:FaultEvent):void {
                trace ("onFault");
            }

            private function getTest (event:ResultEvent):void {
                trace ("onResult");
            }
        ]]>
    </mx:Script>

    <mx:RemoteObject id="db" destination="sampleDest" fault="onFault(event)">
        <mx:method name="test" showBusyCursor="true" result="getTest(event)"/>
    </mx:RemoteObject>

    <mx:VBox x="65" y="11">
        <mx:Button click="send()"/>
    </mx:VBox>
</mx:Application>
</code>
What can be wrong?
Thanks so much!
X.
Matt
From: flexcoders@yahoogroups.com [mailto: flexcoders@yahoogroups.com] On Behalf Of Xavi Beumala
Sent: Sunday, April 16, 2006 3:30 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Custom authentication in a destination
Hi all,
I'm trying to secure a remoting destination with a custom class as stated at http://livedocs.macromedia.com/labs/1/flex20beta2/00001546.html
The steps I've followed are:
· Create a custom class which implements flex.messaging.security.LoginCommand with the methods start, stop, doAuthentication, doAuthorization and logout.
· Add a destination definition in flex-remoting-service.xml:
    <destination id="sampleDest">
        <properties>
            <source>com.code4net.business.PhotoService</source>
            <stateful>true</stateful>
        </properties>
        <security>
            <security-constraint ref="sample-users" />
        </security>
    </destination>
· Add a security definition tag in flex-enterprise-service.xml:
    <security>
        <security-constraint id="sample-users">
            <auth-method>Custom</auth-method>
        </security-constraint>
        <login-command class="com.code4net.loginModules.CustomLogin" server="Tomcat"/>
    </security>
· Place flex-tomcat-server.jar in server/lib (NOT shared/lib) (as stated in <fes_install_dir>/resources/security/tomcat/readme.txt)
(I'm running tomcat 5.5)
· Copy context.xml in web application under the META-INF directory
The problem is that with this configuration the destination isn't being secured and I can execute services on it normally. If I add a <roles> tag inside the security-constraint then I receive a security exception even though I'm invoking setCredentials and setRemoteCredentials from the client side (using default users and roles defined in tomcat-users.xml).
On the other hand if I run tomcat in debug mode from eclipse, any of the methods of CustomLogin class are invoked.
I think I'm missing the way to bind CustomLogin class to my sampleDest destination.
Am I missing something? Help is much appreciated.
X.
--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
--
Xavi Beumala
http://www.code4net.com
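
A check for the misconfiguration discussed in this thread, as an added example that is not part of the original messages or of Adobe's code: it flags destinations whose security-constraint declares no <roles>, which per the thread leaves nothing to test for. The sample XML is constructed; the `merged` wrapper element, the `tomcat-users` constraint, the extra destinations and the `tomcat` role name are assumptions, and the two config files are assumed to be merged into one document for the check.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's destination and constraint, plus assumed extras.
SAMPLE_CONFIG = """
<merged>
  <security>
    <security-constraint id="sample-users">
      <auth-method>Custom</auth-method>
    </security-constraint>
    <security-constraint id="tomcat-users">
      <auth-method>Custom</auth-method>
      <roles><role>tomcat</role></roles>
    </security-constraint>
  </security>
  <destination id="sampleDest">
    <security><security-constraint ref="sample-users"/></security>
  </destination>
  <destination id="otherDest">
    <security><security-constraint ref="tomcat-users"/></security>
  </destination>
  <destination id="openDest"/>
</merged>
"""

def role_names(constraint):
    """Non-empty <role> values declared anywhere under a constraint element."""
    return [r.text.strip() for r in constraint.iter("role") if r.text and r.text.strip()]

def audit(config_xml):
    """Return {destination id: finding} for destinations left without a role check."""
    root = ET.fromstring(config_xml)
    # Named constraints (those with an id) and the roles each one declares.
    named = {c.get("id"): role_names(c)
             for c in root.iter("security-constraint") if c.get("id")}
    findings = {}
    for dest in root.iter("destination"):
        constraints = list(dest.iter("security-constraint"))
        if not constraints:
            findings[dest.get("id")] = "no security-constraint"
        for c in constraints:
            ref = c.get("ref")
            if ref and ref not in named:
                findings[dest.get("id")] = f"references undefined constraint '{ref}'"
            elif ref and not named[ref]:
                findings[dest.get("id")] = f"constraint '{ref}' declares no <roles>"
            elif not ref and not role_names(c):
                findings[dest.get("id")] = "inline constraint declares no <roles>"
    return findings

if __name__ == "__main__":
    for dest_id, finding in audit(SAMPLE_CONFIG).items():
        print(f"{dest_id}: {finding}")
```
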