Re: [flexcoders] Re: User authentication

2007-04-05 Thread Ray Horn
I wouold make a GUID or UUID token for this purpose.

One type of token for Anonymous access and another type of token for 
Authenticated access.

I leave it up to you to determine how to differentiate the two types of tokens.

If I were using HTTPService calls (REST) I would make a subclass for 
HTTPService to handle the way my tokens were being sent to the destination and 
the rest (no pun intended) would take care of itself.



[flexcoders] Re: User authentication

2007-04-05 Thread Tony Obermeit
I've been following this thread with great interest as I need to
solve the same issue.

My understanding is we can set credentials on the HttpService but I
don't want this to be the username / password entered by the user,
that is a separate layer. I want to protect my calls to the
HttpService even if the user has not logged in, an "anonymous"
access. But I don't see how a HTTPS connection solves my issue.
HTTPS will ensure the communication between the client (browser /
flash) and the http server is encrypted but it doesn't control what
the client does with the data it gets back. If I can implement the
hashing or encryption logic mentioned in flash, doesn't that mean a
hacker can implement the exact same code in javascript and then be
able to access the same secure http call my flash application can?
If the swf file includes the key used to hash / encrypt, then the swf
file could be decompiled or otherwise inspected to find the key?

Thanks again guys for persevering with this thread.

Tony


Re: [flexcoders] Re: User authentication

2007-04-05 Thread Ray Horn
The answer is "encryption"; the flavor of encryption is up to you.

If I had to resolve this problem and I was coding this for myself and therefore 
had total control over the process I would not use SSL due to the weaknesses of 
SSL and I would cook-up my own encryption strategy using the longest key length 
I could find with some minor tweaks to help make the encrypted data envelope 
even more secure than it might be otherwise.  Call me cautious or careful or 
just way overboard on this one but don't think for a second if I wanted to keep 
something from curious eyes that there would be any chance of curious eyes 
getting to see anything other than a bunch of seemingly random ASCII characters.

Trust me when I say, even if the encryption key(s) were known I could still 
make the encrypted envelope perfectly secure.




Re: [flexcoders] Re: User authentication

2007-04-05 Thread André Rodrigues Pena

Thanks again for your help Ray and Peter..

I am actually a little lost. All I want is to guarantee that the user name
and password that will go from Flex HTTPService to my JSP web-service will
not be intercepted. And I'm also lost about how I will maintain the session
with the HTTPService. Cookies don't seem to be possible; URL rewriting is
possible but I'll have to see how I will do that. At the moment of the
login, my service will have to pass me a key or something like that (as
someone already mentioned) that I will use along with the other services...
I'm lost. lol




--
André Rodrigues Pena

LOCUS
www.locus.com.br

Blog
www.techbreak.org


RE: [flexcoders] Re: User authentication

2007-04-05 Thread Peter Farland

HTTPService has a url property so if you start your URL with https:// then that 
tells the Flash Player that you want to use SSL to communicate with the web 
server. Note that to make an HTTPS connection you must load your SWF via a 
secure URL too.
 
If you're even asking the question "what are the chances of my data being 
intercepted" then I think you've just made the decision to use SSL. If you're 
building a commercial application that has personalized data then you will want 
to use a secure protocol like HTTPS.

For a quick and simple explanation of how SSL works see Richard E. Smith's book 
"Authentication - From Passwords to Public Keys" - Chapter 13.6.
 





Re: [flexcoders] Re: User authentication

2007-04-05 Thread Ray Horn
See also this section of the Flex Builder manual:

Configuring the Proxy Service

Seems to indicate SSL can be used however I have not yet developed a need to do 
so myself.

I would be very surprised if Flex Builder 2 did not support the use of SSL as 
it would have been silly to produce Flex had Adobe not crossed this particular 
"t" along with having dotted the "i"'s, so to speak.




Re: [flexcoders] Re: User authentication

2007-04-05 Thread André Rodrigues Pena

Guys.. I appreciate all your help. I realize now how many possibilities
there are regarding authentication.
My question now is:
How can I secure my HTTPService? Is there some HTTPSService? What do I do to
work with SSL?
Or even: if I send user name and password through an unprotected
HTTPService, what are the chances of my data being intercepted?




Re: [flexcoders] Re: User authentication

2007-04-05 Thread Ray Horn
Yes, but there is an advantage to working with HTTPService destinations that 
are Session-Less as well as Connection-less.

Reliance upon a server-side Session only works to weaken the usefulness of web 
based service providers.







RE: [flexcoders] Re: User authentication

2007-04-05 Thread Samuel R. Neff
You don't need to bother with HTTPS or encryption if you use a
challenge-response methodology. For that simple hashing will do (AS3
corelib has a SHA256 implementation among others). Server sends a random
text challenge to the client. Client responds back with a hashed combo of
the random text and the password, along with the username. Server confirms
both know the same thing by comparing hashes without ever sending the
password over the wire. Pretty simple to implement.

Also depending on the application server you may not need to bother with
generating a session token and storing/passing it. For example with ASP.NET
all HTTPService and RemoteObject calls are within the context of a user
session, so on the server side we can use the built-in Session support with
no custom coding.
 
Sam

---
We're Hiring! Seeking a passionate developer to join our team building Flex
based products. Position is in the Washington D.C. metro area. If interested
contact [EMAIL PROTECTED]
  




Re: [flexcoders] Re: User authentication

2007-04-05 Thread Ray Horn
For those who simply need a one-off Authentication scheme for Flex rather than 
an Enterprise Level Authentication Scheme the following could easily be done:
 
1). Find an encryption library coded using AS3 - easy to find this via google.
 
2). Code the Login dialogs using Flex.
 
3). Before sending the sign-in credentials to the server encrypt them as a 
single string using a known decryption key the server can use to reverse this 
process.
 
4). Transmit the encrypted sign-in credentials to the server using HTTPS if 
possible.
 
5). Server decrypts the sign-in credentials and creates a Session Token (GUID 
or UUID) in a database - returns the Session Token to the client.
 
6). Session Token is used with all HTTPService requests.
 
7). Server uses Session Token to authenticate all HTTPService Requests; 
rejecting those that don't match the Session Token in the database.
 
This technique would be quite hacker-proof because UUID or GUID values are 
quite impossible to guess unless one wishes to waste a very long time.
 
8). Reject any HTTPService Requests that do not have a valid Session Token.
 
All of this is quite invisible to the end-user unless the crafty user is using 
a Sniffer however with a little more effort and a bit of processing time one 
can construct one's own HTTPS using the AS3 library from Step (1) above.
 
The moral of the story is, if you want security using Flex this can be easily 
done.
 
If you want a single point of entry to a suite of Flex based tools this too can 
be done using the above technique.
 
I have a hunch the Acegi package does the above 8 steps for you so you don't 
have to code this yourself, but then you have to figure out how to install Acegi, 
and that too may not be all that trivial. Assuming you are not producing an app 
for a large company that may not wish to use Acegi, you may wish to use 
the technique or some variation on this theme yourself.


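The challenge-response exchange Sam describes and the session-token steps in Ray's list, worked through together as an added example (not code from the thread or from any project named in it). The user table, the TTLs and the in-process client/server functions are constructed stand-ins for the Flex HTTPService round trips; the server and client halves are plain functions exchanging values instead of HTTP requests.

```python
"""Challenge-response login followed by GUID/UUID session tokens.

Constructed example: the user table, the TTLs and the in-process
client/server functions stand in for the Flex HTTPService round trips.
Caveat a defender should keep in mind: a sniffed (challenge, digest) pair
still lets someone guess the password offline, which is why the thread's
advice to use HTTPS still applies even with this scheme.
"""
import hashlib
import hmac
import secrets
import time
import uuid

CHALLENGE_TTL = 60       # seconds a challenge stays valid (assumption)
SESSION_TTL = 15 * 60    # seconds a session token stays valid (assumption)


def response_digest(challenge, password):
    """Client side of Sam's scheme: SHA-256 over challenge || password."""
    return hashlib.sha256((challenge + password).encode("utf-8")).hexdigest()


class Server:
    """Server side: hands out challenges, verifies responses, issues tokens."""

    def __init__(self, users):
        # Caveat of the scheme: to recompute SHA-256(challenge + password)
        # the server must keep the password (or an equivalent secret) in
        # recoverable form, so it cannot rely on a salted one-way hash here.
        self._users = dict(users)
        self._challenges = {}   # challenge -> (username, issued_at)
        self._sessions = {}     # token -> (username, issued_at)

    def issue_challenge(self, username):
        """Random, single-use challenge bound to the claimed username."""
        challenge = secrets.token_hex(16)   # 128 bits from the OS CSPRNG
        self._challenges[challenge] = (username, time.time())
        return challenge

    def login(self, username, challenge, response_hex):
        """Verify the response; on success return a fresh session token."""
        entry = self._challenges.pop(challenge, None)   # consumed on first use
        if entry is None:
            return None                                 # unknown or replayed
        owner, issued = entry
        if owner != username or time.time() - issued > CHALLENGE_TTL:
            return None
        password = self._users.get(username)
        if password is None:
            return None
        expected = response_digest(challenge, password)
        # Constant-time comparison so timing does not leak digest bytes.
        if not hmac.compare_digest(expected, response_hex):
            return None
        token = str(uuid.uuid4())                       # Ray's step 5
        self._sessions[token] = (username, time.time())
        return token

    def authorize(self, token):
        """Ray's steps 7 and 8: accept only a known, unexpired token."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, issued = entry
        if time.time() - issued > SESSION_TTL:
            del self._sessions[token]
            return None
        return username

    def logout(self, token):
        self._sessions.pop(token, None)


def client_login(server, username, password):
    """The Flex client's two HTTPService calls, as direct function calls."""
    challenge = server.issue_challenge(username)
    return server.login(username, challenge, response_digest(challenge, password))


def demo():
    """Run a good login, a replay and a bad login; report what each yielded."""
    server = Server({"andre": "correct horse battery staple"})   # constructed
    challenge = server.issue_challenge("andre")
    digest = response_digest(challenge, "correct horse battery staple")
    token = server.login("andre", challenge, digest)       # succeeds
    replay = server.login("andre", challenge, digest)      # same pair again
    wrong = client_login(server, "andre", "not the password")
    return {
        "token_ok": server.authorize(token) == "andre",
        "replay_rejected": replay is None,
        "wrong_password_rejected": wrong is None,
        "bogus_token_rejected": server.authorize("not-a-token") is None,
    }


if __name__ == "__main__":
    print(demo())
```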

Re: [flexcoders] Re: User authentication

2007-04-05 Thread André Rodrigues Pena

Thanks Josh.. I knew about ColdFusion and AMF, I just didn't mention it :)
In my case I have to use HTTP based XML-RPC using a JSP/Tomcat back-end. HTTP
is slow in fact, but it is a standard.





Re: [flexcoders] Re: User authentication

2007-04-05 Thread André Rodrigues Pena

Paul, thanks for your reply

I didn't quite understand what you mean by embedding authentication within the
Flex program. There's no way I can escape from some kind of web-service.
Unless I agree to recompile the application every time some user information
changes (see that this topic is all about how to allow the user to get
authenticated inside the application using a HTTPService). Am I right?

About Acegi, I was looking for some kind of standard solution. I know that
application servers (Tomcat in my case) have authentication handling by
default. I'm just not used to it yet



[flexcoders] Re: User authentication

2007-04-05 Thread gotjosh819i
Pretty sure you don't need to use FDS to use AMF (Remoting).

This would of course be cake if you were using ColdFusion :)

No idea how to do it though for JSPs, maybe someone can shed some
light on that for us. HTTP is so slow and well slow. :)

--- In flexcoders@yahoogroups.com, "André Rodrigues Pena"
<[EMAIL PROTECTED]> wrote:
>
> Stembert, thanks for your reply. But I'm not using FDS and there
> will not be a destination. My services are JSP based, triggered by HTTPService.
>
> On 05 Apr 2007 06:50:08 -0700, Stembert Olivier (BIL) <
> [EMAIL PROTECTED]> wrote:
> >
> > You can secure your destination and send the credentials to
> > your remote objects (j2ee security model).
> >
> > --
> > From: flexcoders@yahoogroups.com
> > [mailto:[EMAIL PROTECTED] On
> > Behalf Of André Rodrigues Pena
> > Sent: Thursday, April 05, 2007 3:14 PM
> > To: flexcoders@yahoogroups.com
> > Subject: [flexcoders] User authentication
> >
> > Hi all,
> >
> > I'd like to know what's the pattern regarding user authentication
> > in Flex applications.
> > In my case, I need my HTTPService to send login information (user
> > name and password). How can I encrypt it? How is the process?

Re: [flexcoders] Re: User authentication

2007-04-05 Thread André Rodrigues Pena

Pete, thanks for your reply

Good to know about Base64. I'm gonna take a look now at how to lock the
resources configuring the web.xml


On 05 Apr 2007 07:22:51 -0700, Peter Farland <[EMAIL PROTECTED]> wrote:



1) Is Base64 secure?

[Pete] No. You need to use HTTPS for the actual transmission in order
for it to be secure. Base64 is merely a way to obfuscate strings to make
them not immediately human readable, i.e. in server logs etc.

2) What's the standard model of authentication in RIA? I mean.. I figure
out that the process works this way: I create a JSP login.jsp file that
receives username and password (HTTPService) enconded through Base64 and
decode it. Ok. After that my JSP file put in the session that there's an
user logged.

[Pete] Close, but not quite. You really should be authenticating into
the J2EE web application container itself so that you're not responsible
for managing sessions or authenticating credentials. Just lock down
resources with a security constraint in /WEB-INF/web.xml with
auth-method set to "FORM" so that you can POST the username and password
on login via HTTPService.








[flexcoders] Re: User authentication

2007-04-05 Thread Paul DeCoursey
Authentication is a very tricky topic in my mind. I have found that
it's better to put your authentication step right in the RIA app itself
and not have it as a separate login page.

If you insist that your login page is outside of the app then I would
suggest using a token or perhaps Acegi. The advantage of Acegi is
that it handles the authentication to many different sources and has
many checks in place to ensure that the credentials are not misused on
the server side. Acegi can be difficult to set up however. If you
use a token you can have the token associated with a valid credential
and remote IP which will help limit unauthorized access if the token
is compromised.

For our Web Services we actually send login credentials with most
requests. Some of our services use a token approach. In all cases
we use Acegi for authentication. We use the token in some cases
because of limitations in the framework, or the Flash Player really. File
uploads don't share the session with the rest of the app in all
browsers. So we use a generated token on the uploads. Our tokens
expire after a short period as well.

I think you will find that there is no standard way to do auth in RIA
because there is no standard way to do auth on the WEB, except maybe
BASIC, but that is hardly secure and not available in Flex.

Paul
--- In flexcoders@yahoogroups.com, "Peter Farland" <[EMAIL PROTECTED]> wrote:
>
> 
> 1) Is Base64 secure?
> 
> [Pete] No. You need to use HTTPS for the actual transmission in order
> for it to be secure. Base64 is merely a way to obfuscate strings to make
> them not immediately human readable, i.e. in server logs etc.
> 
> 
> 2) What's the standard model of authentication in RIA? I mean.. I figure
> out that the process works this way: I create a JSP login.jsp file that
> receives username and password (HTTPService) encoded through Base64 and
> decode it. Ok. After that my JSP file puts in the session that there's a
> user logged in.
> 
> [Pete] Close, but not quite. You really should be authenticating into
> the J2EE web application container itself so that you're not responsible
> for managing sessions or authenticating credentials. Just lock down
> resources with a security constraint in /WEB-INF/web.xml with
> auth-method set to "FORM" so that you can POST the username and password
> on login via HTTPService.
>
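
The short-lived upload token Paul describes above, as an added example that is not code from the original post or from any project in this thread: a server-side store that mints a random token for an already-authenticated user, binds it to that user and to the remote IP it was issued to, lets it expire after a short TTL, and refuses it when presented from another address. The post's server side is JSP; this is written in Python as a language-neutral illustration. The 120-second TTL, the SHA-256 hashing of the stored token, the injectable clock, and the sample user and IP addresses are all assumptions made for the example.

```python
"""Short-lived upload tokens bound to a user and a remote IP (added example).

Assumptions, not from the thread: a 120-second TTL, SHA-256 hashing of the
stored token so a leaked store does not leak usable tokens, and an injectable
clock so the expiry path can be exercised offline.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 120  # "a short period" in the post; the number is an assumption


@dataclass
class TokenRecord:
    user: str        # the credential the token stands in for
    remote_ip: str   # address the token was issued to
    expires_at: float


class UploadTokenStore:
    """Issues and validates tokens for requests that cannot carry the session
    (e.g. Flash file uploads). Tokens are opaque random strings; only their
    SHA-256 digest is kept server-side."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl
        self._clock = clock
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, remote_ip: str) -> str:
        """Mint a token for an already-authenticated user; the caller gets the
        raw token, the store keeps only its digest."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[self._key(token)] = TokenRecord(
            user=user, remote_ip=remote_ip, expires_at=self._clock() + self._ttl)
        return token

    def validate(self, token: str, remote_ip: str) -> Optional[str]:
        """Return the user the token belongs to, or None if it is unknown,
        expired, or presented from a different address."""
        key = self._key(token)
        record = self._records.get(key)
        if record is None:
            return None
        if self._clock() > record.expires_at:
            del self._records[key]   # expired: forget it
            return None
        if record.remote_ip != remote_ip:
            return None              # bound to another client address
        return record.user

    def purge_expired(self) -> int:
        """Drop expired records; returns how many were removed."""
        now = self._clock()
        stale = [k for k, r in self._records.items() if now > r.expires_at]
        for k in stale:
            del self._records[k]
        return len(stale)


class FakeClock:
    """Controllable clock so the expiry path can be demonstrated offline."""
    def __init__(self, start: float = 1_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> Dict[str, Optional[str]]:
    """Walk one token through each failure mode; returns the validation results."""
    clock = FakeClock()
    store = UploadTokenStore(clock=clock)
    token = store.issue("andre", "203.0.113.7")   # constructed sample user and IP
    results: Dict[str, Optional[str]] = {
        "same_ip": store.validate(token, "203.0.113.7"),
        "other_ip": store.validate(token, "198.51.100.9"),
        "unknown": store.validate("not-a-token-we-issued", "203.0.113.7"),
    }
    clock.now += TOKEN_TTL_SECONDS + 1
    results["expired"] = store.validate(token, "203.0.113.7")
    return results


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:>9}: {'accepted as ' + user if user else 'rejected'}")
```

The IP binding does what Paul says, it limits what a stolen token is good for, but it is a mitigation rather than a guarantee: clients behind the same NAT or proxy share an address, so the short expiry is doing the rest of the work.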




RE: [flexcoders] Re: User authentication

2007-04-05 Thread Peter Farland

1) Is Base64 secure?

[Pete] No. You need to use HTTPS for the actual transmission in order
for it to be secure. Base64 is merely a way to obfuscate strings to make
them not immediately human readable, i.e. in server logs etc.


2) What's the standard model of authentication in RIA? I mean.. I figure
out that the process works this way: I create a JSP login.jsp file that
receives username and password (HTTPService) encoded through Base64 and
decode it. Ok. After that my JSP file puts in the session that there's a
user logged in.

[Pete] Close, but not quite. You really should be authenticating into
the J2EE web application container itself so that you're not responsible
for managing sessions or authenticating credentials. Just lock down
resources with a security constraint in /WEB-INF/web.xml with
auth-method set to "FORM" so that you can POST the username and password
on login via HTTPService.
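
Pete's point that Base64 is obfuscation and not encryption, as an added example that is not code from the original post: a constructed capture of the login POST described in the thread as it would appear on plain HTTP, and the few lines anyone on the wire could run to get the credentials back. The host, field names and credentials (andre / s3cret!) are made up for the illustration, and the request splitter is deliberately minimal. It is written in Python rather than the thread's ActionScript or JSP because the point does not depend on the language.

```python
"""Recovering Base64-"encoded" credentials from a plain-HTTP capture (added example).

Everything below is constructed: the requests, host, field names and the
credentials (andre / s3cret!). Nothing here is from the original thread.
"""
import base64
from typing import Dict, Tuple
from urllib.parse import parse_qs

# What an HTTPService POST to login.jsp looks like on the wire without TLS,
# with the username and password Base64-encoded client-side as the thread
# discusses. Constructed sample; Content-Length matches the body below.
CAPTURED_LOGIN_POST = (
    b"POST /app/login.jsp HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"user=YW5kcmU%3D&pass=czNjcmV0IQ%3D%3D"
)

# The same credentials sent as HTTP Basic authentication, which is likewise
# just Base64 of "user:password". Constructed sample.
CAPTURED_BASIC_REQUEST = (
    b"GET /app/service HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Authorization: Basic YW5kcmU6czNjcmV0IQ==\r\n"
    b"\r\n"
)


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Minimal HTTP/1.1 request splitter: request line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def recover_form_credentials(raw: bytes, user_field: str = "user",
                             pass_field: str = "pass") -> Tuple[str, str]:
    """Decode Base64 form fields from a captured login POST.

    Base64 has no key, so decoding is a fixed transformation anyone can apply;
    the value on the wire is therefore equivalent to the cleartext."""
    _, headers, body = split_request(raw)
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        raise ValueError("not a form POST")
    fields = parse_qs(body.decode("ascii"))  # also undoes the %3D padding escapes
    user = base64.b64decode(fields[user_field][0]).decode("utf-8")
    password = base64.b64decode(fields[pass_field][0]).decode("utf-8")
    return user, password


def recover_basic_credentials(raw: bytes) -> Tuple[str, str]:
    """Decode an HTTP Basic Authorization header: Base64("user:password")."""
    _, headers, _ = split_request(raw)
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("no Basic credentials in request")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    print("login.jsp POST ->", recover_form_credentials(CAPTURED_LOGIN_POST))
    print("Basic header   ->", recover_basic_credentials(CAPTURED_BASIC_REQUEST))
```

Run it and both captures give back the cleartext username and password. The only thing Base64 buys is that the value does not jump out of a log file, which is exactly Pete's point; the fix is transport encryption (HTTPS), not a different encoding.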


Re: [flexcoders] Re: User authentication

2007-04-05 Thread André Rodrigues Pena

Nathan, thanks for the reply

I've found in Google that AS3 is able to encode data through Base64. It's
good because my JSP web-service can easily decode it.
But some things are still obscure to me.

1) Is Base64 secure?
2) What's the standard model of authentication in RIA? I mean.. I figure out
that the process works this way: I create a JSP login.jsp file that receives
username and password (HTTPService) encoded through Base64 and decode it.
Ok. After that my JSP file puts in the session that there's a user logged in.
Now I can trigger a variety of web-services and the JSP will ALLOW the
services to run since THERE'S A USER LOGGED IN. My question is: Tomcat will be
able to restore a session started by the HTTPService? I mean.. is there some
complication or configuration in this process?


On 05 Apr 2007 06:48:19 -0700, nathanpdaniel <[EMAIL PROTECTED]> wrote:

> You can use the Base64Encoder class to encrypt your passwords within
> flex then pass via your HTTPService. If you don't have flex
> builder, I can help with the API of that class. Otherwise there's
> also the corelib.swc - I don't know where I got it from though,
> probably google it to find it... it has a lot more encryption stuff
> (MD5 for instance). Hope this helps!
>
> --- In flexcoders@yahoogroups.com, "André Rodrigues Pena"
> <[EMAIL PROTECTED]> wrote:
> >
> > Hi all,
> >
> > I'd like to know what's the pattern regarding user authentication in
> > Flex application.
> > In my case, I need my HTTPService to send login information (user
> > name and password). How can I encrypt it? How is the process?
> >
> > --
> > André Rodrigues Pena
> >
> > LOCUS
> > www.locus.com.br
> >
> > Blog
> > www.techbreak.org
> >

--
André Rodrigues Pena

LOCUS
www.locus.com.br

Blog
www.techbreak.org


[flexcoders] Re: User authentication

2007-04-05 Thread nathanpdaniel
You can use the Base64Encoder class to encrypt your passwords within 
flex then pass via your HTTPService.  If you don't have flex 
builder, I can help with the API of that class.  Otherwise there's 
also the corelib.swc - I don't know where I got it from though, 
probably google it to find it... it has a lot more encryption stuff 
(MD5 for instance).  Hope this helps!

--- In flexcoders@yahoogroups.com, "André Rodrigues Pena" 
<[EMAIL PROTECTED]> wrote:
>
> Hi all,
> 
> I'd like to know what's the pattern regarding user authentication in
> Flex application.
> In my case, I need my HTTPService to send login information (user
> name and password). How can I encrypt it? How is the process?
> 
> -- 
> André Rodrigues Pena
> 
> LOCUS
> www.locus.com.br
> 
> Blog
> www.techbreak.org
>




[flexcoders] Re: User Authentication

2007-01-19 Thread Matt Maher
You will, no doubt, get much better answers from others as I am
working on the same things over here. But Flex plays in your browser's
session management like anything else. In other words, it sends the
same headers the browser would send when requesting something from the
server.

If you already have a "logged in" state on your website I'd say just
host your Flex application on a "secured" page. That will inherit the
same authentication you use for everything else.

If you want Flex itself to be the application that does the user
logging in, i.e. having a login form in Flex, then you will have to
build that into the application.

As far as I can tell, the easiest way to force this log-in is to have
a ViewStack on your main page (application perhaps) that stops on the
login form first, then switches the stack to the application after
talking to the servers to verify the user's info.

I know that's all over the place, but I hope something rings a bell
for you.

--- In flexcoders@yahoogroups.com, "pioplacz" <[EMAIL PROTECTED]> wrote:
>
> Hi!
>
> I was wondering if there is a use and secure way to make a user
> login system for any flex app? I just want to have a login before
> the user can access the application.
>