I seem to have got it working. Thanks for your help jahhaj12345! What I ended up doing was to create a custom LoginCommand class. I used the one from here: http://blog.f4k3.net/fake/entry/acegi_logincommand_for_fds. I made two changes shown below:
//The name of our Acegi configuration file. private static String[] CONFIG_LOCATIONS = {"classpath:security-context.xml"}; //"ldapAuthenticationProvider" is from our Acegi config file, and it the name of the bean that is used for authentication via LDAP. authenticationProvider = (AuthenticationProvider)applicationContext.getBean("ldapAuthenticationProvider"); I then updated services-config.xml and added: <security> <login-command class="com.gdais.security.AcegiLoginCommand" server="Tomcat"/> <security-constraint id="basic-read-access"> <auth-method>Basic</auth-method> <roles> <role>ROLE_MANAGERS</role> <role>ROLE_USERS</role> </roles> </security-constraint> </security> //The roles came from the Acegi config file. After that, I had to add the [managed] metadata tag to one of my ValueObjects and it all seemed to work. I'll be honest, I don't really understand why this works, it just does. What I mean by 'works' is that the managed collection on the client gets filled with data successfully. I haven't yet tested pushing new entries to that managed collection after the initial fill. I hope this post helps someone else. ~Geoff --- In flexcoders@yahoogroups.com, "jahhaj12345" <[EMAIL PROTECTED]> wrote: > > I don't know of a way to just authenticate the client. From everything > I've read, you have to authenticate the HTTP and RTMP sessions > individually. For my application, I had to create my own LoginCommand > to handle the flex RTMP authentication. > > Here's my understanding of how it's working for me: > > 1. On my client, I get the channelset to use and then call > channelSet.login(username, password). You could also call the > setCredentials on the actual DataService the same way, but my services > are all created at runtime on the server instead of being statically > defined in services-config.xml. > > 2. That channelSet (or dataservice) from above authenticates through the > login-command configured in services-config.xml. This is where the > custom LoginCommand I created is configured. The doAuthentication > function of LoginCommand is as follows: > > public Principal doAuthentication(String username, Object > credentials) { > Authentication auth = authenticationProvider.authenticate(new > UsernamePasswordAuthenticationToken(username, credentials)); // > authenticationProvider is a spring security DaoAuthenticationProvider > > SecurityContextHolder.getContext().setAuthentication(auth); > return auth; > } > > This should authenticate the RTMP session. I don't know if this is the > best way, but it seems to work. > > > --- In flexcoders@yahoogroups.com, "Geoffrey" <gtb104@> wrote: > > > > I'm guessing that we don't implement security the correct way (or the > > best way) right now. Currently, I have a login State that takes the > > username and password and makes an HTTPService call to the JSP page > > that does user authentication. If that comes back successfully, then > > I change State to the main application. > > > > That seems to take care of all of the HTTP requests, but the RTMP > > requests obviously fail (or else I wouldn't be here ;-)). > > > > I read the docs about using LoginCommand, but I didn't see how that > > ties into Acegi. > > > > I'm wondering if you can authenticate the Flex client, and not just > > the session. If so, wouldn't the sessions (HTTP and RTMP) also be > > authenticated since they fall under the FlexClient object? Just a > > thought. > > > > Geoff > > > > --- In flexcoders@yahoogroups.com, "jahhaj12345" halvorsonj@ wrote: > > > > > > I'm having the same problems you are. I've been through several > > > options but haven't found one that's acceptable from a security > point > > > of view if you are trying to use the rememberme functionality. > > > > > > To get it working without rememberme, provide a login form from your > > > flex application and once authenticated using form login, use that > > > username/password combination for the RTMP's ChannelSet login. And > > > depending on how you handle authentication on your end, you may need > > > to provide your own LoginCommand and UserDetailsService. I've done > > > both of these and it works. > > > > > > Does anyone out there have a way to get rememberme working for RTMP? > > > I know the problem is cause by the RTMPFlexSession being outside the > > > HTTPSession. Is there anyway to sync these up? Or is there anyway > to > > > do a single sign-on with RTMP? > > > > > > Jason > > > > > > --- In flexcoders@yahoogroups.com, "Geoffrey" <gtb104@> wrote: > > > > > > > > I've looked around the net and haven't found anything helpful. > Any > > > suggestions would be > > > > great. > > > > > > > > Thanks, > > > > Geoff > > > > --- In flexcoders@yahoogroups.com, "Geoffrey" <gtb104@> wrote: > > > > > > > > > > I'm wondering if anyone out there has implemented LiveCycle Data > > > > > Services using Spring Security as their security layer? > > > > > > > > > > I'm having issues with RTMP communications between > server/client, > > > > > meaning I'm not getting any. I've modified our existing Java > > delegate > > > > > to ast as the Assembler for a managed collection. When the > > > > > Assembler's fill() method gets called, it tries to retrieve the > > > > > desired information from our Service class. I get an > > > > > AuthenticationCredentialsNotFoundException as seen below: > > > > > > > > > > <error snippet> > > > > > org.acegisecurity.AuthenticationCredentialsNotFoundException: An > > > > > Authentication object was not found in the SecurityContext > > > > > at > > > > > > > > > > > > > > > org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFo\ > und(AbstractSecuri > > > > tyInterceptor.java:339) > > > > > at > > > > > > > > > > > > > > > org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation\ > (AbstractSecurityIn > > > > terceptor.java:254) > > > > > at > > > > > > > > > > > > > > > org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor\ > .invoke(MethodS > > > > ecurityInterceptor.java:63) > > > > > at > > > > > > > > > > > > > > > org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(Ref\ > lectiveMetho > > > > dInvocation.java:161) > > > > > at > > > > > > > > > > > > > > > org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedIntercept\ > or.intercep > > > > t(Cglib2AopProxy.java:630) > > > > > ... > > > > > </error snippet> > > > > > > > > > > I think it's because the HTTPFlexSession is authenticated, but > the > > > > > RTMPFlexSession operates outside the context. I don't know how > to > > > > > make it authenticated, or to authenticate the client so that all > > > > > sessions have valid credentials. > > > > > > > > > > Any suggestions would be appreciated. > > > > > > > > > > ~Geoff > > > > > > > > > > > > > > >