Well, your call to setCredentials looks right so I’m not sure why it’s not working.  Can you turn on the logging and see if credentials are being sent across?  You would see a CommandMessage being sent and the appropriate response would be a message that has a body of “success” (which I’m guessing you won’t see).  What channel are you using?

 

Matt

 


From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Xavi Beumala
Sent: Monday, April 17, 2006 12:59 AM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] Custom authentication in a destination

 

Hi Matt,

On 4/17/06, Matt Chotin <[EMAIL PROTECTED]> wrote:

You definitely need the <roles> in the constraint, otherwise there's nothing to test for.

 

Why are you not using the login command we provided for 5.5?  You would also need to copy the flex-tomcat-common.jar into the common/lib directory as specified in step 1, but then it should work.  The one we provide is flex.messaging.security.TomcatLoginCommand.


I forgot to mention I  also copied flex-tomcat-common.jar into common/lib. The reason why I use a custom login, I'm still playing with fes2 so maybe I'm wrong, is because I have a huge java application in the backend. This application manages its own classloaders and its own JAAS modules to manage authentication and authorization.

I think I've been able to solve the classloader issue with a custom filter applyied to MessageBrokerServlet. This filter simply changes the classloader through Thread.currentThread().setContextClassLoader() Is this the good way?

For the authentication and authorization I thought the best way would be to implement a custom loginCommand. Otherwise I won't be able to run any existing service on the server side. When using as2 and openAMF I've a custom openAMF invoker which in resume invokes a Subject.doAs statement. But I have no idea where to do this in FES.

BTW when I add <roles> in the security-constraint (using default roles, username and passwords provided by tomcat) and using setCredentials I receive a flex.messaging.security.SecurityException: Login required before authorization can proceed.

The client side code I'm using:

<code>
<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" xmlns="*" layout="absolute">
    <mx:Script>
        <![CDATA[
            import mx.rpc.events.ResultEvent;
            import mx.rpc.events.FaultEvent;
           
            private function send():void {
                db.setCredentials("tomcat","tomcat");
                db.test();
            }
           
            private function onFault (event:FaultEvent):void {
                trace ("onFault");
            }
           
            private function getTest (event:ResultEvent):void {
                trace ("onResult");
            }
        ]]>
    </mx:Script>
   
    <mx:RemoteObject id="db" destination="sampleDest" fault="onFault(event)">
        <mx:method name="test" showBusyCursor="true" result="getTest(event)"/>
    </mx:RemoteObject>
   
    <mx:VBox x="65" y="11">
        <mx:Button click="send()"/>
    </mx:VBox>
   
</mx:Application>

</code>



What can be wrong?
Thanks so much!

X.

Matt

 


From: flexcoders@yahoogroups.com [mailto: flexcoders@yahoogroups.com] On Behalf Of Xavi Beumala
Sent: Sunday, April 16, 2006 3:30 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Custom authentication in a destination

 

Hi all,

I'm trying to secure a remoting destination with a custom class as stated at http://livedocs.macromedia.com/labs/1/flex20beta2/00001546.html

The steps I've followed are:
   · Create a custom class which implements flex.messaging.security.LoginCommand with the methods start, stop, doAuthentication, doAuthorization and logout.
   · Add a destination definition in flex-remoting-service.xml:

    <destination id="sampleDest">
        <properties>
            <source>com.code4net.business.PhotoService</source>
            <stateful>true</stateful>
        </properties>
       
        <security>
            <security-constraint ref="sample-users" />
        </security>
    </destination>

  · Add a security definition tag in flex-enterprise-service.xml:
    <security>
        <security-constraint id="sample-users">
            <auth-method>Custom</auth-method>
        </security-constraint>

        <login-command class="com.code4net.loginModules.CustomLogin" server="Tomcat"/>
    </security>


   · Place flex-tomcat-server.jar in server/lib (NOT shared/lib) (as stated in <fes_install_dir>/resources/security/tomcat/readme.txt
     (I'm running tomcat 5.5)
   · Copy context.xml in web application under the META-INF directory

The problem is that with this configuration the destination isn't being secured and I can execute services on it normally. If I add a <roles> tag inside the security-constraint then I receive a security-exception eventhough I'm invoking setCredentials and setRemoteCredentials from the clientSide (using default users and roles defined in tomcat-users.xml).

On the other hand if I run tomcat in debug mode from eclipse, any of the methods of CustomLogin class are invoked.

I think I'm missing the way to bind CustomLogin class to my sampleDest destination.

I'm missing something? Help is much apreciated

X.







 




--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com


YAHOO! GROUPS LINKS

 

 





--
Xavi Beumala
http://www.code4net.com



--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com




YAHOO! GROUPS LINKS




Reply via email to