[flexcoders] Re: BlazeDS Security Confusion

Thu, 01 May 2008 12:55:30 -0700 

Mete,

Thank you for the response. Unfortunately, I am still having troubles.

I have:
* confirmed that the Tomcat Valve is being loaded correctly. 
* defined the TomcatLoginCommand in services-config.xml (see below).  
* secured the destination (see remoting-config.xml below). 
* configured JBoss to use a UsersRolesLoginModule and added the user
  and basic_access role (same concept as adding Tomcat users and 
  roles).
* not set any credentials in the Actionscript code. 
* DID NOT secure the endpoint in the web.xml since your guidance 
  didn't included it and therefore implies you don't need to. 

The results?  I was not prompted with the web browser Basic login
prompt and the destination was not secured. I could contact the
destination even though I was not authenticated. It didn't work!
Ahhhhhhhhhhhh. Any other thoughts?

Jim

=== services-config.xml ===
<?xml version="1.0" encoding="UTF-8"?>
<services-config>

        <services>
                <service-include file-path="remoting-config.xml" />
                <service-include file-path="messaging-config.xml" />
        </services>

        <factories>
                <factory id="ejb" class="com.adobe.ac.ejb.EJB3Factory" />
        </factories>

    <security>
        <login-command
class="flex.messaging.security.TomcatLoginCommand" server="JBoss"/>

        <security-constraint id="basic-access">
            <auth-method>Basic</auth-method>
            <roles>
                <role>basic_access</role>
            </roles>
        </security-constraint>
    </security>

=== remoting-config.xml ===
<?xml version="1.0" encoding="UTF-8"?>
<service id="remoting-service"
        class="flex.messaging.services.RemotingService">

        <adapters>
                <adapter-definition id="java-object"
                        
class="flex.messaging.services.remoting.adapters.JavaAdapter"
                        default="true" />
        </adapters>

        <default-channels>
                <channel ref="polling-channel" />
        </default-channels>

        <destination id="DataGenerator">
                <properties>
                        <factory>ejb</factory>
                        <source>dashboard/DataGeneratorBean</source>
                </properties>
                <security>
                        <security-constraint id="basic-access"/>
                </security>
        </destination>

</service>

--- In flexcoders@yahoogroups.com, "meteatamel" <[EMAIL PROTECTED]> wrote:
>
> Hi Jim,
> 
> The short answer is that TomcatLoginCommand uses Tomcat valve to do
> its authentication/authorization but here's a writeup I have on
> BlazeDS security that should clarify things.
> 
> -Mete

Reply via email to