RE: [flexcoders] Custom authentication in a destination

[Matt Chotin]

Well, your call to setCredentials looks right so I’m not sure why it’s not working.  Can you turn on the logging and see if credentials are being sent across?  You would see a CommandMessage being sent and the appropriate response would be a message that has a body of “success” (which I’m guessing you won’t see).  What channel are you using?   Matt   From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Xavi Beumala Sent: Monday, April 17, 2006 12:59 AM To: flexcoders@yahoogroups.com Subject: Re: [flexcoders] Custom authentication in a destination   Hi Matt, On 4/17/06, Matt Chotin <[EMAIL PROTECTED]> wrote: You definitely need the <roles> in the constraint, otherwise there's nothing to test for.   Why are you not using the login command we provided for 5.5?  You would also need to copy the flex-tomcat-common.jar into the common/lib directory as specified in step 1, but then it should work.  The one we provide is flex.messaging.security.TomcatLoginCommand. I forgot to mention I  also copied flex-tomcat-common.jar into common/lib. The reason why I use a custom login, I'm still playing with fes2 so maybe I'm wrong, is because I have a huge java application in the backend. This application manages its own classloaders and its own JAAS modules to manage authentication and authorization. I think I've been able to solve the classloader issue with a custom filter applyied to MessageBrokerServlet. This filter simply changes the classloader through Thread.currentThread().setContextClassLoader() Is this the good way? For the authentication and authorization I thought the best way would be to implement a custom loginCommand. Otherwise I won't be able to run any existing service on the server side. When using as2 and openAMF I've a custom openAMF invoker which in resume invokes a Subject.doAs statement. But I have no idea where to do this in FES. BTW when I add <roles> in the security-constraint (using default roles, username and passwords provided by tomcat) and using setCredentials I receive a flex.messaging.security.SecurityException: Login required before authorization can proceed. The client side code I'm using: <code> <?xml version="1.0" encoding="utf-8"?> <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" xmlns="*" layout="absolute">     <mx:Script>         <![CDATA[             import mx.rpc.events.ResultEvent;             import mx.rpc.events.FaultEvent;                         private function send():void {                 db.setCredentials("tomcat","tomcat");                 db.test();             }                         private function onFault (event:FaultEvent):void {                 trace ("onFault");             }                         private function getTest (event:ResultEvent):void {                 trace ("onResult");             }         ]]>     </mx:Script>         <mx:RemoteObject id="db" destination="sampleDest" fault="onFault(event)">         <mx:method name="test" showBusyCursor="true" result="getTest(event)"/>     </mx:RemoteObject>         <mx:VBox x="65" y="11">         <mx:Button click="send()"/>     </mx:VBox>     </mx:Application> </code> What can be wrong? Thanks so much! X. Matt   From: flexcoders@yahoogroups.com [mailto: flexcoders@yahoogroups.com] On Behalf Of Xavi Beumala Sent: Sunday, April 16, 2006 3:30 AM To: flexcoders@yahoogroups.com Subject: [flexcoders] Custom authentication in a destination   Hi all, I'm trying to secure a remoting destination with a custom class as stated at http://livedocs.macromedia.com/labs/1/flex20beta2/00001546.html The steps I've followed are:    · Create a custom class which implements flex.messaging.security.LoginCommand with the methods start, stop, doAuthentication, doAuthorization and logout.    · Add a destination definition in flex-remoting-service.xml:     <destination id="sampleDest">         <properties>             <source>com.code4net.business.PhotoService</source>             <stateful>true</stateful>         </properties>                 <security>             <security-constraint ref="sample-users" />         </security>     </destination>   · Add a security definition tag in flex-enterprise-service.xml:     <security>         <security-constraint id="sample-users">             <auth-method>Custom</auth-method>         </security-constraint>         <login-command class="com.code4net.loginModules.CustomLogin" server="Tomcat"/>     </security>    · Place flex-tomcat-server.jar in server/lib (NOT shared/lib) (as stated in <fes_install_dir>/resources/security/tomcat/readme.txt      (I'm running tomcat 5.5)    · Copy context.xml in web application under the META-INF directory The problem is that with this configuration the destination isn't being secured and I can execute services on it normally. If I add a <roles> tag inside the security-constraint then I receive a security-exception eventhough I'm invoking setCredentials and setRemoteCredentials from the clientSide (using default users and roles defined in tomcat-users.xml). On the other hand if I run tomcat in debug mode from eclipse, any of the methods of CustomLogin class are invoked. I think I'm missing the way to bind CustomLogin class to my sampleDest destination. I'm missing something? Help is much apreciated X.   -- Flexcoders Mailing List FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com YAHOO! GROUPS LINKS    Visit your group "flexcoders" on the web.    To unsubscribe from this group, send an email to:   [EMAIL PROTECTED]    Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service .   -- Xavi Beumala http://www.code4net.com -- Flexcoders Mailing List FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com YAHOO! GROUPS LINKS  Visit your group "flexcoders" on the web.    To unsubscribe from this group, send an email to:  [EMAIL PROTECTED]    Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.