Paul, thanks for your reply. I didn't quite understand what you mean by embedding authentication within the Flex program. There's no way I can escape from some kind of web service, unless I agree to recompile the application every time some user information changes (see that this topic is all about how to allow the user to get authenticated inside the application using an HTTPService). Am I right?
About Acegi, I was looking for some kind of standard solution. I know that application servers (Tomcat in my case) have authentication handling by default. I'm just not used to it yet.

On 05 Apr 2007 07:40:28 -0700, Paul DeCoursey <[EMAIL PROTECTED]> wrote:

Authentication is a very tricky topic in my mind. I have found that it's better to put your authentication step right in the RIA app itself and not have it as a separate login page. If you insist that your login page is outside of the app then I would suggest using a token or perhaps Acegi. The advantage of Acegi is that it handles the authentication to many different sources and has many checks in place to ensure that the credentials are not misused on the server side. Acegi can be difficult to set up, however. If you use a token you can have the token associated with a valid credential and remote IP, which will help limit unauthorized access if the token is compromised.

For our Web Services we actually send login credentials with most requests. Some of our services use a token approach. In all cases we use Acegi for authentication. We use the token in some cases because of limitations in the framework, or Flash Player really. File uploads don't share the session with the rest of the app in all browsers, so we use a generated token on the uploads. Our tokens expire after a short period as well.

I think you will find that there is no standard way to do auth in RIA because there is no standard way to do auth on the WEB, except maybe BASIC, but that is hardly secure and not available in Flex.

Paul

--- In flexcoders@yahoogroups.com, "Peter Farland" <[EMAIL PROTECTED]> wrote:
>
> > 1) Is Base64 secure?
>
> [Pete] No. You need to use HTTPS for the actual transmission in order
> for it to be secure. Base64 is merely a way to obfuscate strings to make
> them not immediately human readable, i.e. in server logs etc.
>
> > 2) What's the standard model of authentication in RIA? I mean.. I figure
> > out that the process works this way: I create a JSP login.jsp file that
> > receives username and password (HTTPService) encoded through Base64 and
> > decodes it. Ok. After that my JSP file puts in the session that there's a
> > user logged in.
>
> [Pete] Close, but not quite. You really should be authenticating into
> the J2EE web application container itself so that you're not responsible
> for managing sessions or authenticating credentials. Just lock down
> resources with a security constraint in /WEB-INF/web.xml with
> auth-method set to "FORM" so that you can POST the username and password
> on login via HTTPService.
>
--
André Rodrigues Pena
LOCUS www.locus.com.br
Blog www.techbreak.org
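
The upload-token scheme Paul describes in the quoted message (a generated token tied to an authenticated user and the remote IP, expiring after a short period), as an added example that is not code from the thread or from Acegi. The class name, the two-minute lifetime, the sample addresses and the single-use rule are assumptions made for this sketch.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side store for short-lived upload tokens (Java 16+ for records). */
public class UploadTokenStore {
    private record Grant(String user, String remoteIp, Instant expires) {}

    private final Map<String, Grant> grants = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration ttl;

    public UploadTokenStore(Duration ttl) { this.ttl = ttl; }

    /** Call only after the container has authenticated the user; binds token to user and IP. */
    public String issue(String user, String remoteIp, Instant now) {
        byte[] raw = new byte[32];               // 256 bits from a CSPRNG, so not guessable
        rng.nextBytes(raw);
        // Base64 here is only a transport encoding for the random bytes, not protection.
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(token, new Grant(user, remoteIp, now.plus(ttl)));
        return token;
    }

    /** Returns the bound user for a valid token, or null. Single use is an assumption. */
    public String redeem(String token, String remoteIp, Instant now) {
        Grant g = grants.remove(token);          // consumed on first presentation, valid or not
        if (g == null || now.isAfter(g.expires()) || !g.remoteIp().equals(remoteIp)) {
            return null;                         // unknown, expired, or from another address
        }
        return g.user();
    }

    public static void main(String[] args) {
        UploadTokenStore store = new UploadTokenStore(Duration.ofMinutes(2));
        Instant t0 = Instant.parse("2007-04-05T15:00:00Z");   // constructed sample values
        String a = store.issue("andre", "203.0.113.7", t0);
        System.out.println(store.redeem(a, "198.51.100.9", t0.plusSeconds(10))); // other IP
        String b = store.issue("andre", "203.0.113.7", t0);
        System.out.println(store.redeem(b, "203.0.113.7", t0.plusSeconds(300))); // past expiry
        String c = store.issue("andre", "203.0.113.7", t0);
        System.out.println(store.redeem(c, "203.0.113.7", t0.plusSeconds(10)));  // valid use
        System.out.println(store.redeem(c, "203.0.113.7", t0.plusSeconds(11)));  // replay
    }
}
```

The token still has to travel over HTTPS, as Pete notes for credentials; the IP binding and expiry only narrow what a captured token is good for.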