I'm not sure if anyone has responded to your email yet, but I'm just catching 
up to the list.

1) Build your own UI and for every RemoteObject, execute the setCredentials() 
method; it will either pass or fail. If you are using Cairngorm, look into v2.1, 
it can automate this a bit for you.

2) Every app server lets you create an Authenticator; this is what you will have 
to build. We did for WebLogic, which looks at our user tables and such.

HTH,

Dimitrios Gianninas
Optimal Payments Inc.



-----Original Message-----
From: flexcoders@yahoogroups.com on behalf of hank williams
Sent: Tue 11/28/2006 1:01 PM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] role based security vs session based security with a 
servlet container
 
I am trying to figure out the best way of implementing security &
authentication. I am using tomcat, and FDS at the moment for remoting. My
server side code is obviously in java.

A while back, role based security was recommended as the way to implement
security. The idea being that if someone did not have the right credentials
they would be prevented from gaining access to the flex app. But my
problem with this is that I want to do my authentication UI *in* flex, so I
can't prevent people from getting to it before I have had a chance to
authenticate. Another problem with the role based stuff is that, as I
understand it, roles are maintained by the container. I am not clear how to
use my account database (JDBC/Mysql) in this process.

What seems easier to me is using sessions, because I can, from any server
side function, request the current session of the given user. I can look to
see if their session is valid, how long they have been logged on, etc. And
using this methodology, I can do login in the flex application, which just
sends a login message to the server, the server adds a record to my session
record that indicates that I am logged in and when I logged in.

This second approach seems like the best approach and the one that gives me
the most flexibility. But I am looking for validation regarding my approach
here.  Am I doing something wrong here? Are there some reasons that the role
based security would be better?

Any insight from people better versed in security than I am would be greatly
appreciated.

Hank
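An added example, not code from either poster, of the session-based approach Hank describes, written as a plain servlet-side helper for a Tomcat/Java back end: the login call records the user and login time in the HttpSession, and every remoted function calls requireUser before doing any work. It assumes the credential check against the account database happens elsewhere (checkAgainstAccountDb is a hypothetical placeholder), that the absolute login lifetime is a policy of your choosing, and that under FDS the current request can be fetched via flex.messaging.FlexContext.getHttpRequest() (assumed from the FDS API, not shown here).

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical session-based login gate for server-side remoting methods.
public final class SessionAuth {
    private static final String USER_KEY = "auth.user";
    private static final String LOGIN_TIME_KEY = "auth.loginTime";
    // Assumed policy: force a fresh login after 8 hours regardless of activity.
    private static final long MAX_LOGIN_AGE_MS = 8L * 60 * 60 * 1000;

    // Called by the Flex login message. Returns true on success.
    public static boolean login(HttpServletRequest request, String username, String password) {
        if (!checkAgainstAccountDb(username, password)) {
            return false; // credentials rejected by the JDBC/MySQL account table
        }
        // Discard any pre-login session so an attacker-supplied session id is not promoted.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_KEY, username);
        session.setAttribute(LOGIN_TIME_KEY, Long.valueOf(System.currentTimeMillis()));
        return true;
    }

    // Returns the logged-in user, or null if the session is absent, anonymous or too old.
    public static String currentUser(HttpSession session) {
        if (session == null) {
            return null;
        }
        Object user = session.getAttribute(USER_KEY);
        Object loginTime = session.getAttribute(LOGIN_TIME_KEY);
        if (user == null || loginTime == null) {
            return null;
        }
        if (System.currentTimeMillis() - ((Long) loginTime).longValue() > MAX_LOGIN_AGE_MS) {
            session.invalidate(); // stale login: make the client authenticate again
            return null;
        }
        return (String) user;
    }

    // Every remoted server-side function calls this first and works with the returned user.
    public static String requireUser(HttpSession session) {
        String user = currentUser(session);
        if (user == null) {
            throw new SecurityException("not authenticated");
        }
        return user;
    }

    public static void logout(HttpSession session) {
        if (session != null) {
            session.invalidate();
        }
    }

    // Hypothetical placeholder for the lookup against the account database.
    private static boolean checkAgainstAccountDb(String username, String password) {
        throw new UnsupportedOperationException("wire this to your JDBC account table");
    }
}
```

Throwing from requireUser surfaces to the Flex client as a fault on the RemoteObject call, which is the same pass/fail signal the reply above describes for setCredentials().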
