hey Dan,
That's quite cool. Maybe you should post it on the wiki as a further
reference to my tutorial.
Regards, nomiad
Dan Rossi wrote:
Finally got somewhere, this example authenticates a scripted AMF client
using the simple login file. Need to work out now how to return
temporary session hashes from acegi to reauthenticate afterwards via the
flash client, which checks the session is valid. Requires including the
spring dao jar file, which the example doesn't explain.
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.math.BigInteger;
import java.util.HashMap;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.ProviderManager;
import org.acegisecurity.BadCredentialsException;
import org.red5.server.api.IScope;
import org.red5.server.api.Red5;

public class TokenService {
    private String saltKey = "thesaltpass";
    private String hashword;
    private String newhash;

    // Authenticates the username/password sent by the AMF client against Acegi.
    public Object getToken(Object[] token)
    {
        final HashMap m = (HashMap) token[0];
        UsernamePasswordAuthenticationToken t = new UsernamePasswordAuthenticationToken(m.get("username"), m.get("password"));
        // Look up the Acegi authentication manager in the Spring context of the current scope.
        IScope connectionScope = Red5.getConnectionLocal().getScope();
        ProviderManager mgr = (ProviderManager) connectionScope.getContext().getBean("authenticationManager");
        try {
            t = (UsernamePasswordAuthenticationToken) mgr.authenticate(t);
        }
        catch (BadCredentialsException ex)
        {
            return "Wrong login information";
        }
        if (t.isAuthenticated())
        {
            // Placeholder return value: hashCode() is not an unguessable session token.
            return t.hashCode();
        }
        return "";
    }

    /*
    public String getMessageDigest(String token) throws NoSuchAlgorithmException
    {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(token.getBytes());
            BigInteger hash = new BigInteger(1, md.digest());
            hashword = hash.toString(16);
        } catch (NoSuchAlgorithmException e) {
        }
        return hashword;
    }
    */
}
<?php
include 'SabreAMF/SSLClient.php';
$client = new SabreAMF_SSLClient('http://localhost:5080/feedVOD/gateway');
// $client->setSSLCert("/www/dev/red5server.cer");
$data = array(
    'username'    => 'admin',
    'password'    => 'secretpassword',
    'clientID'    => '553',
    'client_host' => $_SERVER["SERVER_NAME"].$_SERVER['REQUEST_URI']
);
$result = $client->sendRequest('feedService.getToken', array($data));
var_dump($result);
?>
Dan Rossi wrote:
Will get back to the spring soap stuff later; this is kinda the idea to
authenticate the page and the client.
<?php
include 'SabreAMF/Client.php';
$client = new SabreAMF_Client('https://localhost:5080/myapp/gateway');
$data = array(
    'username'    => 'username',
    'password'    => '2325e',
    'clientID'    => '553',
    'client_host' => $_SERVER["SERVER_NAME"].$_SERVER['REQUEST_URI']
);
$result = $client->sendRequest('myService.getToken', array($data));
var_dump($result);
?>
public Object getToken(Object[] token)
{
    final HashMap m = (HashMap) token[0];
    // check anon credentials from hibernate
    // do acegi stuff in here, send back temp token
    return m.get("username");
}
Dan Rossi wrote:
Just found an example here, but it's a soap service using WS4J. Is there a
soap impl in spring already? So a php dynamic script is able to securely
do a soap request to obtain a token.
http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html
This is waay over my head but exactly how a security system may work I
think.
Dan Rossi wrote:
nomIad wrote:
Hi Dan,
I've written the tutorial you are referring to.
I've not used this on a clustered machine, but that's not that bad.
There is a possibility to share sessions in a database. It's quite fast
and redundantly secure.
On our cluster we run PHP, but we have NO clustered sessions. The
thing is that our load balancer distributes the clients the same way
every time. So a client can make 1000 calls, they would all go to
Cluster 1.
That's not redundant security, but for our needs it's enough.
We don't need a REALLY HIGH AVAILABLE cluster for SESSIONS.
Ok, well currently we get 10K vod hits a day on each server, maybe more,
and I'm not really sure on the third party streams in windows media yet,
which we are porting to flash.
The problem with protecting windows media when I looked into it: it's
fairly advanced to develop a token based authentication plugin in C#
using the API, but the API is poorly documented with minimal resources,
and building the config management for it requires VC++. I'm needing to
build something similar for red5.
I found something, a description of exactly what I may need.
http://eirikhoem.wordpress.com/2007/05/24/ageci-token-vs-php/
I.e. it's going to be impossible to store credential details within a
client because the flash can be decompiled and sniffed. The only method
I can come up with is using dynamic scripting which can connect to the
AMF/RCP gateway, authenticate itself with credentials over ssl, obtain
a token from acegi, return the temporary token to the flash client which
it's also loading into the webpage; the flash client connects to red5,
validates the token and returns a longer expiring session. If the
session expires the validation happens again.
Here was something I found about clustering acegi, however if red5
happens to get terracotta implemented we may not need this ?
http://altuure.blogspot.com/2007/04/clustering-acegi.html
I'm liking the idea of an embedded db like hibernate or whatever rather
than sql. I.e. a bit overkill to run MS SQL or Oracle, and I'm not fond of
running MySQL on Windows servers, as we use them on Linux and FreeBSD.
cu nomIad
Dan Rossi wrote:
Dan Rossi wrote:
Hi, I found this link
http://jira.red5.org/confluence/display/docs/Red5+and+Acegi+Security so
I'm trying to work out how to enable acegi security in our application.
However we kind of need to auto authorize clients rather than ask for
logins. With this example how would it be possible to send some
information automatically, obtain a temporary session that the client is
validated, then relogin to obtain a proper expiring session?
Looking a bit further it seems we may need the sessions shared across
all 3 of the clustered machines. Is this what we need also to use with it?
http://www.ja-sig.org/products/cas/
_______________________________________________
Red5 mailing list
Red5@osflash.org
http://osflash.org/mailman/listinfo/red5_osflash.org
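Added example, not part of the original thread and not Red5 or Acegi code: a sketch of the temporary-token hand-off described in the thread (the server-side script authenticates, passes a short-lived token to the Flash client, and Red5 validates it), using an HMAC-signed expiring token so that any clustered node holding the key can validate it without shared sessions. The class TempTokenDemo, its methods and the token layout are hypothetical; it assumes Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added example, not code from the thread. Class and method names are hypothetical.
public class TempTokenDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] key; // assumption: the same secret is configured on every cluster node
    public TempTokenDemo(byte[] key) { this.key = key.clone(); }
    private String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Issued to the server-side script after it has authenticated over SSL.
    public String issue(String clientId, long nowMillis, long ttlMillis) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce); // makes every token unique
        String payload = clientId + "." + (nowMillis + ttlMillis) + "." + B64.encodeToString(nonce);
        return payload + "." + sign(payload);
    }

    // Checked when the Flash client presents the token; any node holding the key can do it.
    public boolean validate(String token, String clientId, long nowMillis) throws Exception {
        int cut = token.lastIndexOf('.');
        if (cut < 0) return false;
        String payload = token.substring(0, cut);
        byte[] given = token.substring(cut + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = sign(payload).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return false; // constant-time compare
        String[] parts = payload.split("\\.");                     // parsed only after the MAC checks out
        if (parts.length != 3 || !parts[0].equals(clientId)) return false;
        return nowMillis < Long.parseLong(parts[1]);               // reject expired tokens
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        TempTokenDemo svc = new TempTokenDemo(key);
        long now = System.currentTimeMillis();
        String tok = svc.issue("553", now, 30_000); // constructed client id, 30 s lifetime
        System.out.println("fresh:    " + svc.validate(tok, "553", now + 1_000));
        System.out.println("expired:  " + svc.validate(tok, "553", now + 31_000));
        System.out.println("tampered: " + svc.validate(tok + "x", "553", now));
        System.out.println("other id: " + svc.validate(tok, "554", now));
    }
}
```

A token of this kind can be replayed until it expires; making it single-use would need state shared between the nodes.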