Dave, Thanks!

Any other option other than using a J2EE application server for implementing JAAS for security? Are there existing features in Flex that we can utilise? Our application up to now has been quite simple in its deployment using a Tomcat server. We're up against time in getting it into production, and deployment into a J2EE server at this stage may not be right for us at the moment.

I agree with you that utilising J2EE would be simpler. Would there be a significant overhead migrating a previous Tomcat deployment to a J2EE application server such as JBoss? Issues with performance etc.? We're not utilising EJB in our biz logic. The application is mainly a lot of "reads" from the database and some calculations.

Thanks,
Kam.

--- In [email protected], "Dave Wolf" <[EMAIL PROTECTED]> wrote:
>
> First off, I strongly recommend not trying to roll your own security
> solutions. J2EE includes a very robust and well tested security
> model. Every J2EE server supports pretty much the same level of
> security services. There is no need to go out and develop your own.
> Flex integrates into the normal J2EE session security extremely well.
>
> Your requirements are a bit different from the "out of the box" J2EE
> security but can be easily implemented via a JAAS plug-in extension to
> the container.
>
> > So the questions:
> >
> > 1. Can the system ever know when a user has logged out in a browser
> > environment where the user can easily close the browser without going
> > through some sort of logging out process?
>
> Yes and no. You cannot tell (easily) when someone closes their browser
> but you can tell when their credentials are no longer valid. There are
> events which fire when a J2EE session expires. You could detect that
> and remove them from a list of logged in users.
>
> > 2. If we implement the second option, instead of doing a major
> > overhaul of every method call and adding an extra parameter for the
> > user details (e.g. username, password, session id etc.), is there an
> > existing Flex functionality that provides some sort of session id that
> > we can check which will allow us to see if the request is made from
> > the 1st user or the 2nd user?
>
> I cannot find a way to express strongly enough that the idea of adding
> parameters to each method call to pass security credentials is a
> security hole as big as a fire truck. This allows a man in the
> middle to very easily hijack another user's session and simulate their
> login, thereby doing things like executing transactions by pretending
> to be someone else.
>
> If you use standard J2EE session based security Flex will
> transparently inherit the normal J2EE session.
>
> Here is how I would build this.
>
> Create a custom JAAS plugin that tracks active logins via some map.
> When a user logs in you add their id to the map. When they log out,
> you remove it. When their session expires automatically you remove
> it (yes, there will be lag there). If a user tries to login twice,
> tell the JAAS plugin to deny them.
>
> > 3. Does the AMF gateway allow some sort of session management that
> > we can leverage for disallowing multiple users logging in with the same
> > username/password without refactoring all the backend request methods?
>
> Let the container do this. This solution works identically over all
> data access layers as well.
>
> Flex just integrates so beautifully with J2EE security the last thing
> you want to do is try to roll your own security, especially by passing
> credentials all over.
>
> --
> Dave Wolf
> Cynergy Systems, Inc.
> Macromedia Flex Alliance Partner
> http://www.cynergysystems.com
>
> Email: [EMAIL PROTECTED]
> Office: 866-CYNERGY
>
> > Any help would be much appreciated.
> >
> > Kam.
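The design Dave sketches in the quoted reply (a JAAS plug-in that keeps a map of active logins, removes an entry on logout and on session expiry, and denies a second concurrent login) written out as an added Java example. It is not code from the thread, from Cynergy Systems or from Adobe/Macromedia; the class names, the session attribute name `authenticated.user`, the constructed in-memory credential store and its single user `kam` are all assumptions made for the example. Tomcat can load a module like this through its JAASRealm, so the approach itself does not require moving to a full J2EE server.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** JAAS LoginModule allowing at most one live login per username (example; all names assumed). */
public class SingleLoginModule implements LoginModule {
    /** username -> TRUE for every user who currently holds a live session. */
    private static final ConcurrentHashMap<String, Boolean> ACTIVE =
            new ConcurrentHashMap<String, Boolean>();
    /** Session attribute the login servlet is assumed to set after LoginContext.login(). */
    public static final String USER_ATTR = "authenticated.user";
    /** Constructed in-memory credential store; a real realm compares hashed passwords. */
    private static final Map<String, char[]> USERS = new HashMap<String, char[]>();
    static { USERS.put("kam", "s3cret".toCharArray()); }

    private Subject subject;
    private CallbackHandler handler;
    private String user;        // set once login() has succeeded
    private boolean succeeded;

    /** Check-and-claim in one atomic step: false if the user is already logged in. */
    static boolean tryAcquire(String name) {
        return ACTIVE.putIfAbsent(name, Boolean.TRUE) == null;
    }
    static void release(String name) { if (name != null) ACTIVE.remove(name); }

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("username: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        String candidate = name.getName();
        char[] secret = pass.getPassword();
        pass.clearPassword();
        char[] expected = USERS.get(candidate);
        boolean ok = expected != null && secret != null && Arrays.equals(expected, secret);
        if (secret != null) Arrays.fill(secret, '\0');   // do not keep the password around
        if (!ok) throw new FailedLoginException("invalid credentials");
        // Claim the slot only after the password checked out, so a wrong guess cannot
        // lock the real user out; putIfAbsent makes the check atomic, so two simultaneous
        // logins for the same name cannot both succeed.
        if (!tryAcquire(candidate)) throw new FailedLoginException("already logged in");
        user = candidate;
        succeeded = true;
        return true;
    }

    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        return true;
    }
    public boolean abort() { return logout(); }   // another module failed: hand the slot back
    public boolean logout() {                      // explicit logout from the application
        release(user);
        user = null; succeeded = false;
        return true;
    }

    private static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** The container calls sessionDestroyed both on invalidate() and on timeout. */
    public static final class ExpiryListener implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent e) { }
        public void sessionDestroyed(HttpSessionEvent e) {
            Object name = e.getSession().getAttribute(USER_ATTR);
            if (name instanceof String) release((String) name);
        }
    }
}
```

Wiring it up: the login servlet runs `new LoginContext("FlexApp", callbackHandler).login()` (the configuration name `FlexApp` is an assumption) and, on success, stores the username in the HTTP session under `USER_ATTR`; web.xml registers `SingleLoginModule$ExpiryListener` as a `<listener-class>`. The credential check and the slot claim happen server-side only, so nothing about the user has to be threaded through the Flex method calls. The lag Dave mentions is real: a user who closed the browser without logging out cannot log in again until the old session times out, so a short session timeout, or an explicit "replace my existing session" path that invalidates the old session first, is the usual mitigation.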

