For those who simply need a one-off Authentication scheme for Flex rather than 
an Enterprise Level Authentication Scheme the following could easily be done:
 
1). Find an encryption library coded using AS3 - easy to find this via google.
 
2). Code the Login dialogs using Flex.
 
3). Before sending the sign-in credentials to the server encrypt them as a 
single string using a known decryption key the server can use to reverse this 
process.
 
4). Transmit the encrypted sign-in credentials to the server using HTTPS if 
possible.
 
5). Server decrypts the sign-in credentials and creates a Session Token (GUID 
or UUID) in a database - returns the Session Token to the client.
 
6). Session Token is used with all HTTPService requests.
 
7). Server uses Session Token to authenticate all HTTPService Requests; 
rejecting those that don't match the Session Token in the database.
 
This technique would be quite hacker-proof because UUID or GUID values are 
quite impossible to guess unless one wishes to waste a very long time.
 
8). Reject any HTTPService Requests that do not have a valid Session Token.
 
All of this is quite invisible to the end-user unless the crafty user is using 
a Sniffer however with a little more effort and a bit of processing time one 
can construct one's own HTTPS using the AS3 library from Step (1) above.
 
The moral of the story is, if you want security using Flex this can be easily 
done.
 
If you want a single point of entry to a suite of Flex based tools this too can 
be done using the above technique.
 
I have a hunch the Acegi package does the above 8 steps for you so you don't 
have to code this yourself, but then you have to figure out how to install Acegi, 
and that too may not be all that trivial. Assuming you are not producing an App 
for a large company that may not wish to use Acegi, you may wish to use 
the technique or some variation on this theme yourself.
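The server side of steps 5 to 8 above, written here as an added example (not code from the thread) in Python as a language-neutral sketch; the user table, the 15-minute lifetime, and binding the token to the client's address (as Paul suggests further down) are assumptions, and the in-memory dicts stand in for the database:

```python
import hashlib
import hmac
import os
import time
import uuid
from typing import Dict, Optional, Tuple

TOKEN_TTL = 15 * 60  # assumed lifetime in seconds; Paul's tokens "expire after a short period"

def hash_password(password: str, salt: bytes) -> bytes:
    """The server stores a salted PBKDF2 hash, never the decrypted password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed user table standing in for the server's credential database.
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"andre": (_SALT, hash_password("correct horse", _SALT))}

# token -> (user, remote_ip, expires_at): the Session Token table of step 5, in memory.
SESSIONS: Dict[str, Tuple[str, str, float]] = {}

def login(user: str, password: str, remote_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Step 5: verify the credentials, then create and return a Session Token (None on failure)."""
    now = time.time() if now is None else now
    record = USERS.get(user)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users, so timing leaks nothing
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    token = str(uuid.uuid4())  # 122 random bits from os.urandom: not guessable, which step 7 relies on
    SESSIONS[token] = (user, remote_ip, now + TOKEN_TTL)
    return token

def authorize(token: Optional[str], remote_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 6-8: return the user behind a valid token, or None so the request is rejected."""
    now = time.time() if now is None else now
    if not token or token not in SESSIONS:  # missing or unknown token (step 8)
        return None
    user, bound_ip, expires_at = SESSIONS[token]
    if now >= expires_at or bound_ip != remote_ip:  # expired, or presented from a different address
        del SESSIONS[token]  # a token seen from elsewhere is treated as compromised and revoked
        return None
    return user

def logout(token: str) -> None:
    """Revoke a token explicitly; the database row is the only source of truth."""
    SESSIONS.pop(token, None)
```

Every HTTPService handler calls `authorize()` first and serves nothing when it returns None; the credentials themselves only cross the wire once, at `login()`, over HTTPS.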


----- Original Message ----
From: André Rodrigues Pena <[EMAIL PROTECTED]>
To: flexcoders@yahoogroups.com
Sent: Thursday, April 5, 2007 9:43:34 AM
Subject: Re: [flexcoders] Re: User authentication

Paul, thanks for your reply
 
I didn't quite understand what you mean by embedding authentication within the 
Flex program. There's no way I can escape from some kind of web-service, unless 
I agree to recompile the application every time some user information changes 
(see that this topic is all about how to allow the user to get authenticated 
inside the application using a HTTPService). Am I right? 
 
About Acegi, I was looking for some kind of standard solution. I know that 
application servers (Tomcat in my case) have authentication handling by 
default. I'm just not used to it yet
 
On 05 Apr 2007 07:40:28 -0700, Paul DeCoursey < [EMAIL PROTECTED] net> wrote: 
Authentication is a very tricky topic in my mind. I have found that
it's better to put your authentication step right in the RIA app itself
and not have it a separate login page.

If you insist that your login page is outside of the app then I would 
suggest using a token or perhaps Acegi. The advantage of acegi is
that it handles the authentication to many different sources and has
many checks in place to ensure that the credentials are not misused on
the server side. Acegi can be difficult to set up however. If you 
use a token you can have the token associated with a valid credential
and remote ip which will help limit unauthorized access if the token
is compromised. 

For our Web Services we actually send login credentials with most 
requests. Some of our services use a token approach. In all cases
we use Acegi for authentication. We use the token in some cases
because of limitations in the framework, or Flash Player really. File
uploads don't share the session with the rest of the app in all 
browsers. So we use a generated token on the uploads. Our tokens
expire after a short period as well.

I think you will find that there is no standard way to do auth in RIA
because there is no standard way to do auth on the WEB, except maybe 
BASIC, but that is hardly secure and not available in Flex.

Paul 

--- In [EMAIL PROTECTED] ups.com, "Peter Farland" <[EMAIL PROTECTED]> wrote: 
>
> 
> 1) Is Base64 secure?
> 
> [Pete] No. You need to use HTTPS for the actual transmission in order
> for it to be secure. Base64 is merely a way to obfuscate strings to make
> them not immediately human readable, i.e. in server logs etc.
> 
> 
> 2) What's the standard model of authentication in RIA? I mean.. I figure
> out that the process works this way: I create a JSP login.jsp file that
> receives username and password (HTTPService) encoded through Base64 and 
> decodes it. Ok. After that my JSP file puts in the session that there's a
> user logged in. 
> 
> [Pete] Close, but not quite. You really should be authenticating into
> the J2EE web application container itself so that you're not responsible 
> for managing sessions or authenticating credentials. Just lock down
> resources with a security constraint in /WEB-INF/web.xml with
> auth-method set to "FORM" so that you can POST the username and password 
> on login via HTTPService.
>
-- 
André Rodrigues Pena

LOCUS
www.locus.com.br

Blog
www.techbreak.org 
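The container-managed setup Pete describes above, as an added example web.xml fragment that is not from the thread; the URL pattern, role name and login page paths are assumptions, and the CONFIDENTIAL transport guarantee is added so the container itself insists on HTTPS for those resources:

```xml
<!-- Assumed example, not from the thread: lock down the HTTPService endpoints
     with a security-constraint and let the container authenticate via FORM login. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Flex services</web-resource-name>
    <url-pattern>/services/*</url-pattern>   <!-- assumed path of the HTTPService endpoints -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>              <!-- assumed role; must be mapped in the realm -->
  </auth-constraint>
  <user-data-constraint>
    <!-- added: the container redirects plain HTTP to HTTPS, so credentials and the
         session cookie never cross the wire in the clear (Pete's "use HTTPS" point) -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>          <!-- assumed -->
    <form-error-page>/login-failed.jsp</form-error-page>   <!-- assumed -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

With this in place the Flex HTTPService POSTs `j_username` and `j_password` to `j_security_check` (the Servlet specification's form-login action), and the container creates the session and enforces the constraint on every later request, so the application code never sees or stores the password.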
