First off, I strongly recommend not trying to roll your own security solutions. J2EE includes a very robust and well tested security model. Every J2EE server supports pretty much the same level of security services. There is no need to go out and develop your own. Flex integrates into the normal J2EE session security extremely well.

Your requirements are a bit different from the "out of the box" J2EE security but can be easily implemented via a JAAS plug-in extension to the container.

> So the questions:
>
> 1. Can the system ever know when a user has logged out in a browser
> environment where the user can easily close the browser without going
> through some sort of logging out process?
>

Yes and no. You cannot tell (easily) when someone closes their browser but you can tell when their credentials are no longer valid. There are events which fire when a J2EE session expires. You could detect that and remove them from a list of logged in users.

> 2. If we implement the second option, instead of doing a major overhaul of
> every method call and adding an extra parameter for the user details (e.g.
> username, password, session id etc), is there an existing flex functionality
> that provide some sort of session id that we can check which will allow us
> to see if the request is made from the 1st user or the 2nd user?
>

I cannot find a way to express strongly enough that the idea of adding parameters to each method call to pass security credentials is a security hole as big as a fire truck. This allows a man in the middle to very easily hijack another user's session and simulate their login, thereby doing things like executing transactions by pretending to be someone else. If you use standard J2EE session based security, Flex will transparently inherit the normal J2EE session.

Here is how I would build this. Create a custom JAAS plugin that tracks active logins via some map. When a user logs in you add their id to the map. When they log out, you remove it. When their session expires automatically you remove it. (Yes, there will be lag there.) If a user tries to log in twice, tell the JAAS plugin to deny them.

> 3. Does the AMF gateway allow some sort of session management that we can
> leverage for disallowing multiple users logging in with same
> username/password without refactoring all the backend request methods?
>

Let the container do this. This solution works identically over all data access layers as well. Flex just integrates so beautifully with J2EE security the last thing you want to do is try to roll your own security, especially by passing credentials all over.

--
Dave Wolf
Cynergy Systems, Inc.
Macromedia Flex Alliance Partner
http://www.cynergysystems.com

Email: [EMAIL PROTECTED]
Office: 866-CYNERGY

> Any help would be much appreciated.
>
> Kam.
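
A sketch of the login map described in the reply above, as an added example that is not part of the original message and is not Cynergy's or Flex's code. `ActiveLoginRegistry`, `tryLogin` and `USER_ATTR` are hypothetical names; it assumes the `javax.servlet` API and that the code calling `tryLogin` (the JAAS module or a filter behind it) can reach the `HttpSession` once credentials have been verified.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry: at most one live session per user id. */
public class ActiveLoginRegistry implements HttpSessionListener {
    // Assumed attribute name under which the owning user id is stored.
    public static final String USER_ATTR = "activeLogin.userId";

    // userId -> id of the session that currently owns the login
    private static final ConcurrentMap<String, String> ACTIVE =
            new ConcurrentHashMap<>();

    /**
     * Call after the container has verified the credentials.
     * Returns false when the user already has a live login in another
     * session, so the caller can deny the second login.
     */
    public static boolean tryLogin(String userId, HttpSession session) {
        // putIfAbsent is atomic, so two racing logins cannot both win.
        String owner = ACTIVE.putIfAbsent(userId, session.getId());
        if (owner != null && !owner.equals(session.getId())) {
            return false;
        }
        session.setAttribute(USER_ATTR, userId);
        return true;
    }

    /** Explicit logout: invalidating the session fires sessionDestroyed. */
    public static void logout(HttpSession session) {
        session.invalidate();
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do until a login succeeds.
    }

    /** Fires on logout and on timeout (the "lag" case: browser closed). */
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        Object userId = session.getAttribute(USER_ATTR);
        if (userId != null) {
            // Two-argument remove: drop the entry only if this session
            // still owns it, so a stale session cannot evict a newer one.
            ACTIVE.remove((String) userId, session.getId());
        }
    }
}
```

Register the class with a `<listener>` entry in `web.xml`. If the container rotates the session id at login, call `tryLogin` after the rotation so the stored id matches the one seen in `sessionDestroyed`.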

