Well, your call to setCredentials looks
right so I’m not sure why it’s not working. Can you turn on the
logging and see if credentials are being sent across? You would see a
CommandMessage being sent and the appropriate response would be a message that
has a body of “success” (which I’m guessing you won’t
see). What channel are you using?
Matt
From:
flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Xavi Beumala
Sent: Monday, April 17, 2006 12:59
AM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] Custom
authentication in a destination
Hi Matt,
On 4/17/06, Matt Chotin <[EMAIL PROTECTED]> wrote:
You definitely need the <roles> in the
constraint, otherwise there's nothing to test for.
Why are you not using the login command we
provided for 5.5? You would also need to copy the flex-tomcat-common.jar
into the common/lib directory as specified in step 1, but then it should
work. The one we provide is flex.messaging.security.TomcatLoginCommand.
I forgot to mention I also copied flex-tomcat-common.jar into common/lib.
The reason why I use a custom login, I'm still playing with fes2 so maybe I'm
wrong, is because I have a huge java application in the backend. This
application manages its own classloaders and its own JAAS modules to manage
authentication and authorization.
I think I've been able to solve the classloader issue with a custom filter
applyied to MessageBrokerServlet. This filter simply changes the classloader
through Thread.currentThread().setContextClassLoader() Is this the good way?
For the authentication and authorization I thought the best way would be to
implement a custom loginCommand. Otherwise I won't be able to run any existing
service on the server side. When using as2 and openAMF I've a custom openAMF
invoker which in resume invokes a Subject.doAs statement. But I have no idea
where to do this in FES.
BTW when I add <roles> in the security-constraint (using default roles,
username and passwords provided by tomcat) and using setCredentials I receive a
flex.messaging.security.SecurityException: Login required before authorization
can proceed.
The client side code I'm using:
<code>
<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"
xmlns="*" layout="absolute">
<mx:Script>
<![CDATA[
import
mx.rpc.events.ResultEvent;
import
mx.rpc.events.FaultEvent;
private function
send():void {
db.setCredentials("tomcat","tomcat");
db.test();
}
private function
onFault (event:FaultEvent):void {
trace ("onFault");
}
private function
getTest (event:ResultEvent):void {
trace ("onResult");
}
]]>
</mx:Script>
<mx:RemoteObject id="db"
destination="sampleDest" fault="onFault(event)">
<mx:method name="test"
showBusyCursor="true" result="getTest(event)"/>
</mx:RemoteObject>
<mx:VBox x="65" y="11">
<mx:Button click="send()"/>
</mx:VBox>
</mx:Application>
</code>
What can be wrong?
Thanks so much!
X.
Hi all,
I'm trying to secure a remoting destination with a
custom class as stated at http://livedocs.macromedia.com/labs/1/flex20beta2/00001546.html
The steps I've followed are:
· Create a custom class which
implements flex.messaging.security.LoginCommand with the methods start, stop,
doAuthentication, doAuthorization and logout.
· Add a destination definition in
flex-remoting-service.xml:
<destination
id="sampleDest">
<properties>
<source>com.code4net.business.PhotoService</source>
<stateful>true</stateful>
</properties>
<security>
<security-constraint ref="sample-users" />
</security>
</destination>
· Add a security definition tag in
flex-enterprise-service.xml:
<security>
<security-constraint id="sample-users">
<auth-method>Custom</auth-method>
</security-constraint>
<login-command
class="com.code4net.loginModules.CustomLogin"
server="Tomcat"/>
</security>
· Place flex-tomcat-server.jar in
server/lib (NOT shared/lib) (as stated in
<fes_install_dir>/resources/security/tomcat/readme.txt
(I'm running tomcat 5.5)
· Copy context.xml in web application
under the META-INF directory
The problem is that with this configuration the
destination isn't being secured and I can execute services on it normally. If I
add a <roles> tag inside the security-constraint then I receive a
security-exception eventhough I'm invoking setCredentials and
setRemoteCredentials from the clientSide (using default users and roles defined
in tomcat-users.xml).
On the other hand if I run tomcat in debug mode
from eclipse, any of the methods of CustomLogin class are invoked.
I think I'm missing the way to bind CustomLogin
class to my sampleDest destination.
I'm missing something? Help is much apreciated
X.
--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
YAHOO!
GROUPS LINKS
--
Xavi Beumala
http://www.code4net.com
--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
YAHOO! GROUPS LINKS
|