Note that the J2EE way to check if a user is authenticated is to ask the current HttpServletRequest object whether it has a current principal (and whether that user is in a role for programmatic authorization). You can get hold of the current request object in your RemoteObject services from the threadlocal variables from flashgateway.Gateway.
-----Original Message----- From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Barnes Sent: Wednesday, May 18, 2005 12:22 AM To: [email protected] Subject: Re: [flexcoders] Explaining Flex Log In and User Role Functionality to Java Developers Like Dave said, you could use setCredentials over the pipe to access remote methods, but for those who are anti-letting-client-side-have-username-password-stored-locally.... you can still leveridge existing session scope compliance. In that, you can make your backend handle its security model transparent to FLEX. One case is you could provide an api that asks the server a question before allowing them to continue.. eg: var doLogin:Boolean = remoteService.isAuthenticated() if(!doLogin) { // show login screen. } and... var isAllowed:Boolean = remoteService.canDeleteRowInGrid(obj.gridID) if(isAllowed) { // perform business logic } else { // perform exception logic. } Obviously thats a really verbose/plain ol simple example of the concept, but what i'm hinting at is you can leave that "stuff' to server-side. As with FLEX you are treated the same as a normal HTML page (cookies, session scopes etc). On 5/18/05, dave buhler <[EMAIL PROTECTED]> wrote: > Hi Leif, > > I had presented a similar question a few days ago regarding Flex and CF7 > which runs on j2EE. > > I can share with you what I know, but I am also looking to learn more about > security with Remoting, myself. > > You should be able to attach setCredentials to your Remote Call. I know > setCredentials is configurable with CFLogin, which compiled down to Java on > J2ee. > > Searching the Macromedia site for CFLogin and setCredentials should yield > some additional information. Also, from my recollection, you will want to > check permissions on each request before passing back data. Within Flex, you > could check permissions on the result to see if permissions have changed. > > More info here: > http://livedocs.macromedia.com/flex/15/flex_docs_en/wwhelp/wwhimpl/js/ht ml/wwhelp.htm?href=00000282.htm > > Also, the carbonFive project will have more information in depth for > remoting and Java: > > http://carbonfive.sourceforge.net/flashgatekeeper/api/com/carbonfive/fla shgateway/security/package-summary.html > > Dave > > > > > > > On 5/17/05, Leif Wells <[EMAIL PROTECTED]> wrote: > > Here's the deal. I have a client putting together a (fairly large) Flex > application; actually the company that I work for is putting together the > Flex portion and the client and another vendor is putting together the J2EE > back-end. > > > > So they come to me and say "How are we handling logging in a user. Are we > using cookies?" > > > > What we've done in the past with Flash (sorry. I know that's a dirty word > here) is have the user log in and have the server pass back a user object > that contains (among other things) a role. If the server doesn't pass the > user object, then they get the login screen again. If the user is logged in, > they see screens/forms per what level their role is set. The security on > this new application is going to need to be a bit more strict. > > > > My problem is this: I am NOT a full-time J2EE developer and the people who > are asking these questions are very experienced J2EE developers. Every time > I attempt to explain to them how we should handle user log in I appearently > am not using the correct words. Can someone either point me to a document > that explains how user log in would normally would be handled with Flex in a > J2EE environment? Or give it to me is easy to understand language so I can > relieve these guys' (and my) stress? Is there a best practice for handling > user login in a secure application? > > > > Also, they threw me a curve today: "How do we handle it if a user's role > is demoted or promoted in the middle of a session? Can we immediately change > what they see on-screen? Or can we immediately have them log off?" Any > thoughts? > > > > > > Leif > > http://www.leifwells.com > > > > ________________________________ > Yahoo! Groups Links > > > > > > To visit your group on the web, go to: > > http://groups.yahoo.com/group/flexcoders/ > > > > To unsubscribe from this group, send an email to: > > [EMAIL PROTECTED] > > > > Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service. > > > ________________________________ > Yahoo! Groups Links > > > To visit your group on the web, go to: > http://groups.yahoo.com/group/flexcoders/ > > To unsubscribe from this group, send an email to: > [EMAIL PROTECTED] > > Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service. -- Regards, Scott Barnes http://www.mossyblog.com http://www.flexcoder.com (Coming Soon) Yahoo! Groups Links Yahoo! Groups Links <*> To visit your group on the web, go to: http://groups.yahoo.com/group/flexcoders/ <*> To unsubscribe from this group, send an email to: [EMAIL PROTECTED] <*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/
