Tomcat is a servlet container; it does not have the full J2EE implementation. But you can often enable J2EE features in Tomcat without a full-blown container, as you've pointed out.

Matt
From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas Knudsen
Sent: Tuesday, December 06, 2005 9:05 AM
To: [email protected]
Subject: Re: [flexcoders] Re: Session Management using Flex
ugh, correct me if I'm way off here, I'm not, but isn't Tomcat a J2EE container? Where is Dave Wolf on this, eh? :) You can implement JAAS stuffs on Tomcat and utilise this with Flex. I think this involves something called valves in Tomcat. There is an article by Brian Diette on this that is helpful:
http://www.macromedia.com/devnet/flex/articles/security_framework_print.html

DK
On 12/6/05, Kam-Wing Pang <[EMAIL PROTECTED]> wrote:
> Dave,
>
> Thanks!
>
> Any other option other than using a J2EE application server for implementing JAAS for security?
>
> Are there existing features in Flex that we can utilise?
>
> Our application up to now has been quite simple in its deployment using a tomcat server. We're up against time in getting it into production, and deployment into a J2EE server at this stage may not be right for us at the moment.
>
> I agree with you that utilising J2EE would be simpler. Would there be a significant overhead migrating a previously tomcat deployment to a J2EE application server such as JBoss? Issues with performance etc? We're not utilising EJB in our biz logic. The application is mainly a lot of "reads" from the database and some calculations.
>
> Thanks,
>
> Kam.
>
> --- In [email protected], "Dave Wolf" <[EMAIL PROTECTED]> wrote:
> >
> > First off, I strongly recommend not trying to roll your own security solutions. J2EE includes a very robust and well tested security model. Every J2EE server supports pretty much the same level of security services. There is no need to go out and develop your own. Flex integrates into the normal J2EE session security extremely well.
> >
> > Your requirements are a bit different from the "out of the box" J2EE security but can be easily implemented via a JAAS plug-in extension to the container.
> >
> > > So the questions:
> > >
> > > 1. Can the system ever know when a user has logged out in a browser environment where the user can easily close the browser without going through some sort of logging out process?
> > >
> >
> > Yes and no. You cannot tell (easily) when someone closes their browser but you can tell when their credentials are no longer valid. There are events which fire when a J2EE session expires. You could detect that and remove them from a list of logged in users.
> >
> >
> > > 2. If we implement the second option, instead of doing a major overhaul of every method call and adding an extra parameter for the user details (e.g. username, password, session id etc), is there an existing flex functionality that provides some sort of session id that we can check which will allow us to see if the request is made from the 1st user or the 2nd user?
> > >
> >
> > I cannot find a way to express strongly enough that the idea of adding parameters to each method call to pass security credentials is a security hole as big as a fire truck. This allows a man in the middle to very easily hijack another user's session and simulate their login, thereby doing things like executing transactions by pretending to be someone else.
> >
> > If you use standard J2EE session based security flex will transparently inherit the normal J2EE session.
> >
> > Here is how I would build this.
> >
> > Create a custom JAAS plugin that tracks active logins via some map. When a user logs in you add their id to the map. When they log out, you remove it. When their session expires automatically you remove it. (yes there will be lag there). If a user tries to login twice, tell the JAAS plugin to deny them.
> >
> > > 3. Does the AMF gateway allow some sort of session management that we can leverage for disallowing multiple users logging in with same username/password without refactoring all the backend request methods?
> > >
> >
> > Let the container do this. This solution works identically over all data access layers as well.
> >
> > Flex just integrates so beautifully with J2EE security the last thing you want to do is try to roll your own security, especially by passing credentials all over.
> >
> > --
> > Dave Wolf
> > Cynergy Systems, Inc.
> > Macromedia Flex Alliance Partner
> > http://www.cynergysystems.com
> >
> > Email: [EMAIL PROTECTED]
> > Office: 866-CYNERGY
> >
> > > Any help would be much appreciated.
> > >
> > > Kam.
> > >
> >
>
> --
> Flexcoders Mailing List
> FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
> Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
> Yahoo! Groups Links
>
--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
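Dave Wolf's sketch above (a JAAS plug-in that keeps a registry of active logins, removes an entry on logout or session expiry, and denies a second concurrent login) written out as a worked example. This is added code, not from the thread or from Cynergy Systems; the credential check is a placeholder, and the session listener assumes the web tier stores the authenticated user name in a session attribute named "user" after a successful login.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.*;

public class SingleLoginModule implements LoginModule {
    // Users with a live login; one registry shared by every module instance in the container.
    static final Set<String> ACTIVE = ConcurrentHashMap.newKeySet();

    private CallbackHandler handler;
    private String user;   // non-null only while this login holds the user's slot

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        char[] pw = pc.getPassword();
        boolean ok = credentialsValid(nc.getName(), pw);
        pc.clearPassword();
        if (pw != null) Arrays.fill(pw, '\0');   // don't leave the password lying around in memory
        if (!ok) throw new FailedLoginException("bad credentials");
        // Set.add is atomic, so two simultaneous logins for the same user cannot both win the slot.
        if (!ACTIVE.add(nc.getName())) throw new FailedLoginException("user already logged in");
        user = nc.getName();
        return true;
    }

    public boolean commit() { return user != null; }
    public boolean abort()  { release(); return true; }   // overall authentication failed: give the slot back
    public boolean logout() { release(); return true; }   // explicit logout frees the slot immediately
    private void release()  { if (user != null) { ACTIVE.remove(user); user = null; } }

    // Placeholder: a real module checks the container's realm or user store.
    private static boolean credentialsValid(String name, char[] pw) { return name != null && pw != null && pw.length > 0; }

    // Frees the slot when the container expires the session; the "lag" Dave mentions is the
    // session timeout. Assumes (for this example) the web tier stored the user name under "user".
    public static class ExpiryListener implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent e) { }
        public void sessionDestroyed(HttpSessionEvent e) {
            Object name = e.getSession().getAttribute("user");
            if (name != null) ACTIVE.remove(name.toString());
        }
    }
}
```

The module is wired in through the container's JAAS login configuration and the listener through a `<listener>` entry in web.xml; because the registry is a static in one JVM, a clustered deployment would need a shared store instead.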