I don't know of a way to just authenticate the client.  From everything
I've read, you have to authenticate the HTTP and RTMP sessions
individually.  For my application, I had to create my own LoginCommand
to handle the flex RTMP authentication.

Here's my understanding of how it's working for me:

1. On my client, I get the channelset to use and then call
channelSet.login(username, password).  You could also call the
setCredentials on the actual DataService the same way, but my services
are all created at runtime on the server instead of being statically
defined in services-config.xml.

2. That channelSet (or dataservice) from above authenticates through the
login-command configured in services-config.xml.  This is where the
custom LoginCommand I created is configured.  The doAuthentication
function of LoginCommand is as follows:

     public Principal doAuthentication(String username, Object credentials) {
         // authenticationProvider is a spring security DaoAuthenticationProvider
         Authentication auth = authenticationProvider.authenticate(
                 new UsernamePasswordAuthenticationToken(username, credentials));

         SecurityContextHolder.getContext().setAuthentication(auth);
         return auth;
     }

This should authenticate the RTMP session.  I don't know if this is the
best way, but it seems to work.


--- In flexcoders@yahoogroups.com, "Geoffrey" <[EMAIL PROTECTED]> wrote:
>
> I'm guessing that we don't implement security the correct way (or the
> best way) right now.  Currently, I have a login State that takes the
> username and password and makes an HTTPService call to the JSP page
> that does user authentication.  If that comes back successfully, then
> I change State to the main application.
>
> That seems to take care of all of the HTTP requests, but the RTMP
> requests obviously fail (or else I wouldn't be here ;-)).
>
> I read the docs about using LoginCommand, but I didn't see how that
> ties into Acegi.
>
> I'm wondering if you can authenticate the Flex client, and not just
> the session.  If so, wouldn't the sessions (HTTP and RTMP) also be
> authenticated since they fall under the FlexClient object?  Just a
> thought.
>
> Geoff
>
> --- In flexcoders@yahoogroups.com, "jahhaj12345" halvorsonj@ wrote:
> >
> > I'm having the same problems you are.  I've been through several
> > options but haven't found one that's acceptable from a security point
> > of view if you are trying to use the rememberme functionality.
> >
> > To get it working without rememberme, provide a login form from your
> > flex application and once authenticated using form login, use that
> > username/password combination for the RTMP's ChannelSet login.  And
> > depending on how you handle authentication on your end, you may need
> > to provide your own LoginCommand and UserDetailsService.  I've done
> > both of these and it works.
> >
> > Does anyone out there have a way to get rememberme working for RTMP?
> > I know the problem is caused by the RTMPFlexSession being outside the
> > HTTPSession.  Is there any way to sync these up?  Or is there any way to
> > do a single sign-on with RTMP?
> >
> > Jason
> >
> > --- In flexcoders@yahoogroups.com, "Geoffrey" <gtb104@> wrote:
> > >
> > > I've looked around the net and haven't found anything helpful.  Any
> > > suggestions would be great.
> > >
> > > Thanks,
> > >  Geoff
> > > --- In flexcoders@yahoogroups.com, "Geoffrey" <gtb104@> wrote:
> > > >
> > > > I'm wondering if anyone out there has implemented LiveCycle Data
> > > > Services using Spring Security as their security layer?
> > > >
> > > > I'm having issues with RTMP communications between server/client,
> > > > meaning I'm not getting any.  I've modified our existing Java delegate
> > > > to act as the Assembler for a managed collection.  When the
> > > > Assembler's fill() method gets called, it tries to retrieve the
> > > > desired information from our Service class.  I get an
> > > > AuthenticationCredentialsNotFoundException as seen below:
> > > >
> > > > <error snippet>
> > > > org.acegisecurity.AuthenticationCredentialsNotFoundException: An
> > > > Authentication object was not found in the SecurityContext
> > > >  at org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:339)
> > > >  at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
> > > >  at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
> > > >  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
> > > >  at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:630)
> > > > ...
> > > > </error snippet>
> > > >
> > > > I think it's because the HTTPFlexSession is authenticated, but the
> > > > RTMPFlexSession operates outside the context.  I don't know how to
> > > > make it authenticated, or to authenticate the client so that all
> > > > sessions have valid credentials.
> > > >
> > > > Any suggestions would be appreciated.
> > > >
> > > > ~Geoff
> > > >
> > >
> >
>
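
Added example (not code from the thread or from any of its posters): a complete login command built around the doAuthentication method posted at the top of this message, of the kind registered as the login-command in services-config.xml. It assumes the flex.messaging.security.LoginCommand interface of LCDS/BlazeDS and Spring Security 3+ package names; the class name RtmpSpringLoginCommand and the bean name authenticationProvider are hypothetical.

```java
import java.security.Principal;
import java.util.List;
import javax.servlet.ServletConfig;
import flex.messaging.security.LoginCommand;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.support.WebApplicationContextUtils;

// Hypothetical class name; Spring Security 3+ package names are assumed.
public class RtmpSpringLoginCommand implements LoginCommand {
    private AuthenticationProvider provider;

    // The server instantiates this class itself, so the provider is looked up
    // from the web application's Spring context instead of being injected.
    public void start(ServletConfig config) {
        provider = WebApplicationContextUtils
                .getRequiredWebApplicationContext(config.getServletContext())
                .getBean("authenticationProvider", AuthenticationProvider.class); // assumed bean name
    }

    public void stop() { provider = null; }

    public Principal doAuthentication(String username, Object credentials) {
        try {
            Authentication auth = provider.authenticate(
                    new UsernamePasswordAuthenticationToken(username, credentials));
            SecurityContextHolder.getContext().setAuthentication(auth);
            return auth;
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext(); // never leave a stale identity behind
            return null;                          // null reports a failed login
        }
    }

    // Deny by default: grant only when a held authority matches a required role.
    public boolean doAuthorization(Principal principal, List roles) {
        if (!(principal instanceof Authentication)) return false;
        for (GrantedAuthority held : ((Authentication) principal).getAuthorities()) {
            if (roles.contains(held.getAuthority())) return true;
        }
        return false;
    }

    public boolean logout(Principal principal) {
        SecurityContextHolder.clearContext();
        return true;
    }
}
```

SecurityContextHolder keeps the context per thread by default, so confirm that messages arriving later on the RTMP connection actually run with the Authentication set here before relying on method-level security.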

