Doug is correct. When I referred to using a J2EE application server I referred to something like Tomcat. We are *huge* Tomcat fans (and if you track my prior rants I think my position on EJB is well known LOL).
Tomcat totally supports JAAS (yes, there is a JAASRealm valve which enables your JAAS plugin). We use this in several of our applications. JAAS lets us do things like have a custom user data store (RDBMS) and implement login rules like

1) Dictionary attack protection. We use heuristics to detect if a hacker is trying to guess passwords and lock the account out.

2) Third party federated assertions. For instance, yeah, their username and password check out with us, but let's check with a third party and make sure they're still allowed to access the system.

You can use JAAS inside Tomcat to do exactly what you want here. It does take a Java developer who knows how to write JAAS.

--
Dave Wolf
Cynergy Systems, Inc.
Macromedia Flex Alliance Partner
http://www.cynergysystems.com

Email: [EMAIL PROTECTED]
Office: 866-CYNERGY

--- In [email protected], Douglas Knudsen <[EMAIL PROTECTED]> wrote:
>
> ugh, correct me if I'm way off here, I'm not, but isn't Tomcat a J2EE
> container? Where is Dave Wolf on this, eh? :) You can implement
> JAAS stuffs on Tomcat and utilise this with Flex. I think this
> involves something called valves in Tomcat. There is an article by
> Brian Diette on this that is helpful
> http://www.macromedia.com/devnet/flex/articles/security_framework_print.html
>
> DK
>
> On 12/6/05, Kam-Wing Pang <[EMAIL PROTECTED]> wrote:
> > Dave,
> >
> > Thanks!
> >
> > Any other option other than using a J2EE application server for
> > implementing JAAS for security?
> >
> > Are there existing features in Flex that we can utilise?
> >
> > Our application up to now has been quite simple in its deployment
> > using a Tomcat server. We're up against time in getting it into
> > production, and deployment into a J2EE server at this stage may not
> > be right for us at the moment.
> >
> > I agree with you that utilising J2EE would be simpler. Would there be
> > a significant overhead migrating a previously Tomcat deployment to a
> > J2EE application server such as JBoss? Issues with performance etc?
> >
> > We're not utilising EJB in our biz logic. The application is mainly
> > a lot of "reads" from the database and some calculations.
> >
> > Thanks,
> >
> > Kam.
> >
> > --- In [email protected], "Dave Wolf" <[EMAIL PROTECTED]> wrote:
> > >
> > > First off, I strongly recommend not trying to roll your own security
> > > solutions. J2EE includes a very robust and well tested security
> > > model. Every J2EE server supports pretty much the same level of
> > > security services. There is no need to go out and develop your own.
> > > Flex integrates into the normal J2EE session security extremely well.
> > >
> > > Your requirements are a bit different from the "out of the box" J2EE
> > > security but can be easily implemented via a JAAS plug-in extension to
> > > the container.
> > >
> > > > So the questions:
> > > >
> > > > 1. Can the system ever know when a user has logged out in a browser
> > > > environment where the user can easily close the browser without going
> > > > through some sort of logging out process?
> > >
> > > Yes and no. You cannot tell (easily) when someone closes their browser
> > > but you can tell when their credentials are no longer valid. There are
> > > events which fire when a J2EE session expires. You could detect that
> > > and remove them from a list of logged in users.
> > >
> > > > 2. If we implement the second option, instead of doing a major
> > > > overhaul of every method call and adding an extra parameter for the
> > > > user details (e.g. username, password, session id etc), is there an
> > > > existing Flex functionality that provides some sort of session id that
> > > > we can check which will allow us to see if the request is made from
> > > > the 1st user or the 2nd user?
> > >
> > > I cannot find a way to express strongly enough that the idea of adding
> > > parameters to each method call to pass security credentials is a
> > > security hole as big as a fire truck. This allows a man in the
> > > middle to very easily hijack another user's session and simulate their
> > > login, thereby doing things like executing transactions by pretending
> > > to be someone else.
> > >
> > > If you use standard J2EE session based security Flex will
> > > transparently inherit the normal J2EE session.
> > >
> > > Here is how I would build this.
> > >
> > > Create a custom JAAS plugin that tracks active logins via some map.
> > > When a user logs in you add their id to the map. When they log out,
> > > you remove it. When their session expires automatically you remove
> > > it. (yes there will be lag there). If a user tries to login twice,
> > > tell the JAAS plugin to deny them.
> > >
> > > > 3. Does the AMF gateway allow some sort of session management that
> > > > we can leverage for disallowing multiple users logging in with same
> > > > username/password without refactoring all the backend request methods?
> > >
> > > Let the container do this. This solution works identically over all
> > > data access layers as well.
> > >
> > > Flex just integrates so beautifully with J2EE security the last thing
> > > you want to do is try to roll your own security, especially by passing
> > > credentials all over.
> > >
> > > --
> > > Dave Wolf
> > > Cynergy Systems, Inc.
> > > Macromedia Flex Alliance Partner
> > > http://www.cynergysystems.com
> > >
> > > Email: [EMAIL PROTECTED]
> > > Office: 866-CYNERGY
> > >
> > > > Any help would be much appreciated.
> > > >
> > > > Kam.
> >
> > --
> > Flexcoders Mailing List
> > FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
> > Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
>
> --
> Douglas Knudsen
> http://www.cubicleman.com
> this is my signature, like it?
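The design sketched in the thread (a JAAS plugin that keeps a map of active logins, denies a second login for the same user, releases the entry on logout, and lets a container session-expiry event release it when the browser is simply closed) and the dictionary-attack lockout Dave mentions, written out as an added example. This is not code from the thread, from Cynergy Systems or from Tomcat. It assumes a Tomcat that still uses the javax.servlet namespace, a constructed in-memory user store standing in for the RDBMS, and that the application's own login handler stores the authenticated username in a session attribute named by LoginCleanupListener.USER_ATTR (that attribute name and the class names are assumptions):

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical shared registry: the "map" of active logins plus per-user failure counters. */
final class ActiveLoginRegistry {
    static final int MAX_FAILURES = 5; // assumed lockout threshold for the dictionary-attack rule
    private static final Set<String> ACTIVE = ConcurrentHashMap.newKeySet();
    private static final Map<String, AtomicInteger> FAILURES = new ConcurrentHashMap<>();

    /** Returns false if the user is already logged in (second login is denied). */
    static boolean tryRegister(String user) { return ACTIVE.add(user); }
    static void release(String user) { if (user != null) ACTIVE.remove(user); }
    static boolean isActive(String user) { return ACTIVE.contains(user); }
    static boolean isLockedOut(String user) {
        AtomicInteger n = FAILURES.get(user);
        return n != null && n.get() >= MAX_FAILURES;
    }
    static void recordFailure(String user) {
        FAILURES.computeIfAbsent(user, k -> new AtomicInteger()).incrementAndGet();
    }
    static void clearFailures(String user) { FAILURES.remove(user); }
}

/** Principal Tomcat's JAASRealm maps to the request user (configure via userClassNames). */
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

/** The JAAS plugin: checks credentials, enforces lockout, and denies concurrent logins. */
public class SingleSessionLoginModule implements LoginModule {
    // Constructed credential store (assumption); a real deployment would query the RDBMS.
    private static final Map<String, char[]> USERS = Map.of("kam", "s3cret".toCharArray());

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean authenticated;
    private UserPrincipal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        user = nc.getName();
        char[] supplied = pc.getPassword();
        pc.clearPassword();
        // Lockout check first, so a locked account cannot be probed further.
        if (ActiveLoginRegistry.isLockedOut(user)) throw new FailedLoginException("account locked");
        char[] stored = USERS.get(user);
        boolean ok = stored != null && supplied != null && Arrays.equals(stored, supplied);
        if (supplied != null) Arrays.fill(supplied, '\0');
        if (!ok) {
            ActiveLoginRegistry.recordFailure(user);
            throw new FailedLoginException("bad credentials");
        }
        // Credentials are good; now deny the login if this user already has an active session.
        if (!ActiveLoginRegistry.tryRegister(user)) throw new FailedLoginException("already logged in");
        ActiveLoginRegistry.clearFailures(user);
        authenticated = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!authenticated) return false;
        principal = new UserPrincipal(user);
        subject.getPrincipals().add(principal);
        return true;
    }

    @Override
    public boolean abort() {
        // Overall authentication failed after our login() succeeded: give the slot back.
        if (authenticated) ActiveLoginRegistry.release(user);
        authenticated = false;
        return true;
    }

    @Override
    public boolean logout() {
        ActiveLoginRegistry.release(user);
        if (principal != null) subject.getPrincipals().remove(principal);
        authenticated = false;
        return true;
    }
}

/** Container session-expiry event: releases the login slot when the browser was just closed. */
public class LoginCleanupListener implements HttpSessionListener {
    static final String USER_ATTR = "login.user"; // assumed attribute set by the app's login handler

    @Override public void sessionCreated(HttpSessionEvent e) { }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        Object user = e.getSession().getAttribute(USER_ATTR);
        if (user != null) ActiveLoginRegistry.release(user.toString());
    }
}
```

Wiring it into Tomcat means a JAAS login configuration entry naming SingleSessionLoginModule, a JAASRealm in the context whose appName points at that entry and whose userClassNames lists UserPrincipal, and registering LoginCleanupListener in web.xml. The listener only fires when the container expires the session, which is the "lag" the thread mentions: a user who closes the browser stays in the registry until the session timeout passes. Because the registry is a JVM-wide static, a clustered deployment would need a shared store instead.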

