Hi -

Sorry, I know this was a while ago, but this is a link to creating a
LoginCommand that uses Spring Security (Acegi):

http://code.google.com/p/igenko/source/browse/trunk//blazeds-spring/src/main/java/flex/messaging/security/AcegiLoginCommand.java?r=267



--- In [email protected], Seth Hodgson <shodg...@...> wrote:
>
> Hi Fotis,
> 
> The client library caches credentials in order to support seamless fallback through channels in your ChannelSet that preserves your desired authenticated identity both at connect time, as well as for automatic failover across peer servers in a cluster at any point after you've initially connected.
> 
> However, when you use a simple AMF channel, where we don't know your session (connection) has timed out until a remoting call is made but fails due to an auth constraint check, we didn't originally handle that scenario seamlessly. Now we do, when you turn on the config flag I mentioned below, and it applies to remoting calls, producer messages sends, DMS operations, etc. (basically, any outbound message that fails in processing due to an auth fault when you were previously successfully authenticated).
> 
> In order for this to work though, you'd need to be logging in from within the Flex app so that it has access to your creds.
> We provide server-side LoginCommand impls for supported app servers that plug into their various custom authentication layers and that's what Flex login requests are processed by, but we don't ship an official AcegiLoginCommand currently. I think folks in the community have implemented that though, so try Googling for it, or perhaps someone else who's written one will post a link?
> 
> There's more detail here:
> http://livedocs.adobe.com/livecycle/8.2/programLC/programmer/lcds/help.html?content=services_security_2.html
> 
> And here:
> http://livedocs.adobe.com/livecycle/8.2/programLC/programmer/lcds/help.html?content=services_security_5.html#348164
> 
> Best,
> Seth
> 
> From: [email protected] [mailto:[email protected]] On Behalf Of Fotis Chatzinikos
> Sent: Tuesday, November 25, 2008 3:46 PM
> To: [email protected]
> Subject: Re: [flexcoders] BlazeDS - Best practice for determining if server session is invalid.
> 
> Hi Seth,
> 
> the following line looks quite promising:
> 
> >>It should handle this case seamlessly, removing the need to re-prompt the user with a login dialog.
> 
> Can you elaborate a bit?
> 
> How is that possible?
> 
> In my case I use spring-acegi to log in, prior to the flash component, but if there is another way - i.e. via a flash login box and automatic re-authentication - I would love a pointer on how to do it...
> 
> Thanks,
> Fotis
> On Tue, Nov 25, 2008 at 11:15 PM, Seth Hodgson <shodg...@...> wrote:
> Hi,
> 
> In your services-config.xml file, within the <properties> for the channel/endpoint your app is using to issue remoting calls to the server, try turning on the following config option:
> 
> <!-- Optional. Default is false. Setting this flag to true will cause clients
>      to automatically attempt to re-authenticate themselves with the server when
>      they send a message that fails because credentials have been reset due to server
>      session timeout. The failed message will be resent after re-authentication making the
>      session timeout transparent to the client with respect to authentication.
> -->
> <login-after-disconnect>true</login-after-disconnect>
> 
> This is also exposed as the 'loginAfterDisconnect' property on Channel, if you're building your channels and ChannelSet directly in ActionScript.
> 
> It should handle this case seamlessly, removing the need to re-prompt the user with a login dialog.
> If you really want to reprompt the user, in your fault handler for your RemoteObject calls, you could watch for faults with an underlying ErrorMessage with a faultCode of "Client.Authentication" and use that to trigger transition back to your login view.
> 
> The reason that the authenticated property doesn't change on the client is that there's no guaranteed way for the server to notify the client when the session times out. So, it's not until you send your next request to the server that we discover that.
> 
> Best,
> Seth
> 
> From: [email protected] [mailto:[email protected]] On Behalf Of rydellfinn
> Sent: Wednesday, November 05, 2008 6:15 PM
> To: [email protected]
> Subject: [flexcoders] BlazeDS - Best practice for determining if server session is invalid.
> 
> 
> Currently I am running BlazeDS on Tomcat, and I have a flex client
> that is authenticating against a set of Remote Objects using
> channelset.login().
> 
> As expected, if I walk away from the client for 30 minutes, the Tomcat
> server invalidates the session, which of course effectively logs out
> the client.
> 
> What I would like to happen is when the server invalidates the
> session, the client is returned to the login page. I can think of
> different ways to accomplish this, but I was wondering if there is an
> established pattern for this?
> 
> I tried creating a timer on the client to check if the authenticated
> property on the channelset was false. But I noticed that the
> authenticated property never changed, even after the session
> invalidated.
> 
> I'm tempted to do the same thing on the server, but instead check to
> see if the session is valid, and throw an error if not.
> 
> But I thought I'd check here first!
> 
> Thanks in advance!
> 
> 
> 
> --
> Fotis Chatzinikos, Ph.D.
> Founder,
> Phinnovation
> fotis.chatzini...@...,
>
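
The fault-handler approach mentioned in the quoted reply (watching RemoteObject faults for a faultCode of "Client.Authentication"), sketched as an added example that is not part of the original thread or of BlazeDS. The class name `SessionTimeoutWatcher`, the `showLoginView` callback and `loginSucceeded()` are hypothetical names chosen for illustration.

```actionscript
package example
{
    import mx.messaging.messages.ErrorMessage;
    import mx.rpc.events.FaultEvent;
    import mx.rpc.remoting.RemoteObject;

    // Hypothetical helper (added example): routes the user back to the login
    // view when a remoting call faults because the server session timed out.
    public class SessionTimeoutWatcher
    {
        // Fault code named in the thread for failed auth constraint checks.
        private static const AUTH_FAULT:String = "Client.Authentication";

        private var showLoginView:Function; // assumed callback supplied by the app
        private var prompting:Boolean = false;

        public function SessionTimeoutWatcher(showLoginView:Function)
        {
            this.showLoginView = showLoginView;
        }

        // Attach to every RemoteObject whose destination is secured.
        public function watch(service:RemoteObject):void
        {
            service.addEventListener(FaultEvent.FAULT, onFault);
        }

        private function onFault(event:FaultEvent):void
        {
            // Prefer the underlying ErrorMessage; fall back to the Fault itself.
            var error:ErrorMessage = event.message as ErrorMessage;
            var code:String = (error != null) ? error.faultCode
                                              : event.fault.faultCode;
            if (code != AUTH_FAULT)
                return; // other faults stay with the caller's own handlers

            // Several in-flight calls can fault together after a timeout;
            // switch to the login view only once.
            if (prompting)
                return;
            prompting = true;
            showLoginView();
        }

        // Call after a successful channelSet.login() so later timeouts prompt again.
        public function loginSucceeded():void
        {
            prompting = false;
        }
    }
}
```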
