hey Dan,

That's quite cool. Maybe you should post it on the wiki as a further reference to my tutorial.

Best regards, nomiad

Dan Rossi wrote:
Finally got somewhere, this example authenticates a scripted AMF client using the simple login file. Need to work out now how to return temporary session hashes from acegi to reauthenticate after via the flash client which checks the session is valid. Requires including the spring dao jar file which the example doesn't explain.

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.math.BigInteger;
import java.util.HashMap;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.ProviderManager;
import org.acegisecurity.BadCredentialsException;
import org.red5.server.api.IScope;
import org.red5.server.api.Red5;


public class TokenService {
    private String saltKey = "thesaltpass";
    private String hashword;
    private String newhash;

    // Checks the username/password sent by the AMF client against the Acegi
    // "authenticationManager" bean of the scope the client connected to.
    public Object getToken(Object[] token)
    {
        final HashMap m = (HashMap) token[0];
        UsernamePasswordAuthenticationToken t = new UsernamePasswordAuthenticationToken(m.get("username"), m.get("password"));
        IScope connectionScope = Red5.getConnectionLocal().getScope();
        ProviderManager mgr = (ProviderManager) connectionScope.getContext().getBean("authenticationManager");
        try {
            t = (UsernamePasswordAuthenticationToken) mgr.authenticate(t);
        }
        catch (BadCredentialsException ex)
        {
            return "Wrong login information";
        }
        if (t.isAuthenticated())
        {
            // Returns the hashCode of the authentication object to the caller.
            return t.hashCode();
        }
        return "";
    }

    /*
    public String getMessageDigest(String token) throws NoSuchAlgorithmException
    {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(token.getBytes());
            BigInteger hash = new BigInteger(1, md.digest());
            hashword = hash.toString(16);
        } catch (NoSuchAlgorithmException e) {
        }
        return hashword;
    }
    */

}


<?php
    include 'SabreAMF/SSLClient.php';
    $client = new SabreAMF_SSLClient('http://localhost:5080/feedVOD/gateway');
    // $client->setSSLCert("/www/dev/red5server.cer");
    $data = array('username'=>'admin','password'=>'secretpassword','clientID'=>'553','client_host'=>$_SERVER["SERVER_NAME"].$_SERVER['REQUEST_URI']);
    $result = $client->sendRequest('feedService.getToken',array($data));
    var_dump($result);

?>



Dan Rossi wrote:
Will get back to the spring soap stuff later, this is kinda the idea to authenticate the page and the client

<?php
    include 'SabreAMF/Client.php';
    $client = new SabreAMF_Client('https://localhost:5080/myapp/gateway');
    $data = array('username'=>'username','password'=>'2325e','clientID'=>'553','client_host'=>$_SERVER["SERVER_NAME"].$_SERVER['REQUEST_URI']);
    $result = $client->sendRequest('myService.getToken',array($data));
    var_dump($result);

?>

    public Object getToken(Object[] token)
    {
        final HashMap m = (HashMap)token[0];
        // check anon credentials from hibernate
        // do acegi stuff in here, send back temp token
        return m.get("username");
    }


Dan Rossi wrote:
Just found an example here but it's a soap service using WS4J, is there a soap impl in spring already? So a php dynamic script is able to securely do a soap request to obtain a token.

http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html

This is waay over my head but exactly how a security system may work I think.

Dan Rossi wrote:
nomIad wrote:
Hi Dan,

I've written the tutorial you're referring to.
I've not used this on a clustered machine, but that's not that bad.

There is a possibility to share sessions in a database. It's quite fast and redundantly secure.

On our cluster we run PHP, but we have NO clustered sessions. The thing is that our load balancer distributes the clients in the same way every time. So a client can make 1000 calls, they would all go on Cluster 1.
That's not redundant security, but for our needs it's enough.
We don't need a REALLY HIGH AVAILABLE cluster for SESSIONS.
Ok, well currently we get 10K vod hits a day on each server maybe more, and I'm not really sure on the third party streams in windows media yet which we are porting to flash.

The problem with protecting windows media when I looked into it, it's fairly advanced for developing a token based authentication plugin in C# using the API, but the API is poorly documented and minimal resources and building the config management for it requires VC++. I'm needing to build something similar for red5.

I found something on a description on exactly what I may need.

http://eirikhoem.wordpress.com/2007/05/24/ageci-token-vs-php/

I.e. it's going to be impossible to store credential details within a client because the flash can be decompiled and sniffed. The only method I can come up with is using dynamic scripting which can connect to the AMF/RCP gateway, authenticate itself with credentials over ssl, obtain a token from acegi, return the temporary token to the flash client which it's also loading into the webpage, the flash client connects to red5, validates the token and returns a longer expiring session. If the session expires the validation happens again.

Here was something I found about clustering acegi, however if red5 happens to get terracotta implemented we may not need this?

http://altuure.blogspot.com/2007/04/clustering-acegi.html

I'm liking the idea of an embedded db like hibernate or whatever rather than sql. I.e. a bit overkill to run MS SQL or Oracle, and I'm not fond of running MySQL on Windows servers, as we use them on Linux and FreeBSD.



cu nomIad

Dan Rossi wrote:
Dan Rossi wrote:
Hi, I found this link http://jira.red5.org/confluence/display/docs/Red5+and+Acegi+Security so I'm trying to work out how to enable acegi security in our application.

However we kind of need to auto authorize clients rather than ask for logins. With this example how would it be possible to send some information automatically, obtain a temporary session that the client is validated then relogin to obtain a proper expiring session.


Looking a bit further it seems we may need the sessions shared across all 3 of the clustered machines. Is this what we need also to use with it?

http://www.ja-sig.org/products/cas/




_______________________________________________
Red5 mailing list
Red5@osflash.org
http://osflash.org/mailman/listinfo/red5_osflash.org
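
The flow discussed in this thread (a server-side script logs in over SSL, receives a temporary token, and the Flash client presents that token to Red5) needs a token that cannot be guessed and that expires, whereas `t.hashCode()` is a 32-bit int with no expiry. The following Java is an added example, not code from the thread or from Red5/Acegi; the class name `HandoffToken`, the 60-second lifetime and the `user|clientId|expiry` payload layout are assumptions made for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added example; HandoffToken, TTL_MS and the payload layout are hypothetical.
public class HandoffToken {
    private static final long TTL_MS = 60_000; // assumed lifetime of the temporary token
    private final SecretKeySpec key;           // shared by every node that validates tokens

    public HandoffToken(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    private String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return b64(mac.doFinal(payload.getBytes(UTF_8)));
    }

    // Issue only after the username/password check has succeeded.
    public String issue(String user, String clientId, long nowMs) throws Exception {
        if ((user + clientId).contains("|")) throw new IllegalArgumentException("'|' is the field separator");
        String payload = user + "|" + clientId + "|" + (nowMs + TTL_MS);
        return b64(payload.getBytes(UTF_8)) + "." + sign(payload);
    }

    // Returns the username for an authentic, unexpired token, otherwise null.
    // The tag is recomputed and compared with MessageDigest.isEqual (constant time).
    public String validate(String token, long nowMs) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 2) return null;
        String payload;
        try {
            payload = new String(Base64.getUrlDecoder().decode(parts[0]), UTF_8);
        } catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(sign(payload).getBytes(UTF_8), parts[1].getBytes(UTF_8))) return null;
        String[] f = payload.split("\\|");
        return (f.length == 3 && nowMs <= Long.parseLong(f[2])) ? f[0] : null;
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // constructed key; load a configured secret in practice
        HandoffToken ht = new HandoffToken(secret);
        String tok = ht.issue("admin", "553", 1_000_000L); // constructed sample values
        System.out.println("fresh:    " + ht.validate(tok, 1_030_000L));
        System.out.println("expired:  " + ht.validate(tok, 1_100_000L));
        System.out.println("tampered: " + ht.validate(tok + "x", 1_030_000L));
    }
}
```

Because validation needs only the shared key, any of the clustered nodes can check the token without shared session storage. The token remains replayable until it expires, so the lifetime should stay short and the token should travel only over SSL.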