ugh, correct me if I'm way off here, I'm not, but isn't Tomcat a J2EE container? Where is Dave Wolf on this, eh? :) You can implement JAAS stuff on Tomcat and utilise this with Flex. I think this involves something called valves in Tomcat. There is an article by Brian Diette on this that is helpful http://www.macromedia.com/devnet/flex/articles/security_framework_print.html
DK

On 12/6/05, Kam-Wing Pang <[EMAIL PROTECTED]> wrote:
> Dave,
>
> Thanks!
>
> Any other option other than using a J2EE application server for implementing JAAS for security?
>
> Are there existing features in Flex that we can utilise?
>
> Our application up to now has been quite simple in its deployment using a tomcat server. We're up against time in getting it into production, and deployment into a J2EE server at this stage may not be right for us at the moment.
>
> I agree with you that utilising J2EE would be simpler. Would there be a significant overhead migrating a previously tomcat deployment to a J2EE application server such as JBoss? Issues with performance etc? We're not utilising EJB in our biz logic. The application is mainly a lot of "reads" from the database and some calculations.
>
> Thanks,
>
> Kam.
>
> --- In flexcoders@yahoogroups.com, "Dave Wolf" <[EMAIL PROTECTED]> wrote:
> >
> > First off, I strongly recommend not trying to roll your own security solutions. J2EE includes a very robust and well tested security model. Every J2EE server supports pretty much the same level of security services. There is no need to go out and develop your own. Flex integrates into the normal J2EE session security extremely well.
> >
> > Your requirements are a bit different from the "out of the box" J2EE security but can be easily implemented via a JAAS plug-in extension to the container.
> >
> > > So the questions:
> > >
> > > 1. Can the system ever know when a user has logged out in a browser environment where the user can easily close the browser without going through some sort of logging out process?
> > >
> >
> > Yes and no. You cannot tell (easily) when someone closes their browser but you can tell when their credentials are no longer valid. There are events which fire when a J2EE session expires. You could detect that and remove them from a list of logged in users.
> >
> > > 2. If we implement the second option, instead of doing a major overhaul of every method call and adding an extra parameter for the user details (e.g. username, password, session id etc), is there an existing flex functionality that provides some sort of session id that we can check which will allow us to see if the request is made from the 1st user or the 2nd user?
> > >
> >
> > I cannot find a way to express strongly enough that the idea of adding parameters to each method call to pass security credentials is a security hole as big as a fire truck. This allows a man in the middle to very easily hijack another user's session and simulate their login, thereby doing things like executing transactions by pretending to be someone else.
> >
> > If you use standard J2EE session based security flex will transparently inherit the normal J2EE session.
> >
> > Here is how I would build this.
> >
> > Create a custom JAAS plugin that tracks active logins via some map. When a user logs in you add their id to the map. When they log out, you remove it. When their session expires automatically you remove it. (yes there will be lag there). If a user tries to login twice, tell the JAAS plugin to deny them.
> >
> > > 3. Does the AMF gateway allow some sort of session management that we can leverage for disallowing multiple users logging in with same username/password without refactoring all the backend request methods?
> > >
> >
> > Let the container do this. This solution works identically over all data access layers as well.
> >
> > Flex just integrates so beautifully with J2EE security the last thing you want to do is try to roll your own security, especially by passing credentials all over.
> >
> > --
> > Dave Wolf
> > Cynergy Systems, Inc.
> > Macromedia Flex Alliance Partner
> > http://www.cynergysystems.com
> >
> > Email: [EMAIL PROTECTED]
> > Office: 866-CYNERGY
> >
> > > Any help would be much appreciated.
> > >
> > > Kam.
> >
>
> --
> Flexcoders Mailing List
> FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
> Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
> Yahoo! Groups Links
>

--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
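Dave Wolf's sketch above (a JAAS plug-in that keeps a map of active logins, removes entries on logout or session expiry, and denies a second login for the same user) can be written as a standard LoginModule plus a servlet session listener, which is also how it would be wired into Tomcat rather than a full J2EE server. The code below is an added example written for this thread, not code from Dave Wolf, Cynergy Systems, Macromedia, or the Flex/Tomcat projects. It assumes Tomcat's JAASRealm is configured to call this module, that the application stores the username in a session attribute named `authenticatedUser` after a successful login, and that `checkCredentials` is a stand-in for a real user store. It uses the `javax.security.auth` and `javax.servlet` packages of that era; Tomcat 10 and later moved the servlet API to `jakarta.servlet`.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical JVM-wide registry of usernames that currently hold a live session (the "map" in the thread). */
final class ActiveLogins {
    private static final Map<String, Boolean> ACTIVE = new ConcurrentHashMap<String, Boolean>();

    /** Atomically records the login; returns false if the user is already logged in. */
    static boolean tryAcquire(String user) { return ACTIVE.putIfAbsent(user, Boolean.TRUE) == null; }

    static void release(String user) { if (user != null) ACTIVE.remove(user); }
}

/** Minimal user principal handed to the container after a successful login. */
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** JAAS LoginModule that denies a second concurrent login for the same username. */
public class SingleSessionLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String user;        // set only once the login has been accepted
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException(e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        String name = nc.getName();
        char[] password = pc.getPassword();
        pc.clearPassword();
        // Verify the password first so an unauthenticated caller cannot probe who is logged in.
        if (!checkCredentials(name, password)) {
            throw new FailedLoginException("bad credentials");
        }
        // Second login for the same user: deny it rather than evict the first session.
        if (!ActiveLogins.tryAcquire(name)) {
            throw new FailedLoginException("user already logged in: " + name);
        }
        user = name;
        succeeded = true;
        return true;
    }

    public boolean commit() {
        if (succeeded) subject.getPrincipals().add(new UserPrincipal(user));
        return succeeded;
    }

    public boolean abort() { cleanup(); return true; }   // overall authentication failed
    public boolean logout() { cleanup(); return true; }  // explicit logout

    private void cleanup() {
        ActiveLogins.release(user);
        user = null;
        succeeded = false;
    }

    /** Placeholder credential check, assumed for this example; replace with the real user store. */
    private static boolean checkCredentials(String name, char[] password) {
        return name != null && password != null && password.length > 0;
    }
}

/** Covers the closed-browser case: when the container expires the HttpSession, free the login. */
class LoginCleanupListener implements HttpSessionListener {
    /** Session attribute the application is assumed to set to the username after login. */
    static final String USER_ATTR = "authenticatedUser";

    public void sessionCreated(HttpSessionEvent e) { }

    public void sessionDestroyed(HttpSessionEvent e) {
        Object name = e.getSession().getAttribute(USER_ATTR);
        if (name != null) ActiveLogins.release(name.toString());
    }
}
```

The module is registered through a JAAS login configuration entry and Tomcat's `JAASRealm` (its `appName` attribute names that entry and `userClassNames` names `UserPrincipal`); the listener goes in `web.xml` as a `<listener>`. Two practical caveats follow directly from the design in the thread: the map lives in one JVM, so a clustered or load-balanced Tomcat needs a shared store instead of the static map, and a user who closes the browser cannot log in again until the container times out the old session, which is the "lag" Dave Wolf mentions. Because the check is done by the container at login, none of the Flex remoting methods need a credential parameter.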