Here is a little "mini" review of how authetication works in a J2EE container.
Authentication: Authentication is the act of supplying credentials to the server to establish your identity. In the J2EE world authentication is initiated by a "challenge" from which the client provides a "response." A challenge is initiated when a protected resource is requested from the server. Protected resources are configured in the web applications WEB-INF/web.xml file. For example: <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <!-- Define the context-relative URL(s) to be protected --> <url-pattern>/secure/*</url-pattern> <!-- If you list http methods, only those methods are protected --> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> In the example above, all resources in the web application under the directory /secure are protected. When any client requests these resources, the server would challenge the user for their credentials. There are two kinds of challenges in J2EE. 1) BASIC. When configured to use BASIC the container will cause the browser to pop up the simple built in username/password dialog box. BASIC auth then stores a UUENCODED version of the password in the HTTP headers sent to the server. If sent through SSL, this is then protected from prying eyes. <login-config> <auth-method>BASIC</auth-method> <realm-name>Example BASIC-Based Authentication Area</realm-name> </login-config> 2) FORM. When configured for FORM the container will redirect the browser to a specific URI, or page. That page when must contain a form which sends two parameters (j_username and j_password) to a specific URI (/j_security_check) via a HTTP POST. Traditionally people used a HTML <form> for this, although it works just dandy from a Flex based form too. Once authenticated via form a specific cookie value is set by the container. That cookie (jsessionid) contains a unique opaque value. At each http request, the jsessionid is read and recoupled to a secure http session in the container. <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/failed_login.jsp</form-error-page> </form-login-config> </login-config> Ta da, authorization in J2EE. Now, you may ask (as I think you did) where is the user added to the system? Where is the username and password stored on the system? Well, the answer is.... It depends. Every J2EE container is different. For instance in Tomcat there is a users xml file that contains the user and their password. That said, most every container supports a "plug-in" called a JAAS module. Via JAAS you can pick and choose exactly how you container persists credentials and the logic used during a login. So for instance, in many applications we develop we use a JAAS plugin which points to a database where we store users, passwords, roles, attributes, etc. We store the passwords in a relational database hashed using a well known , broadly published and accepted one-way hashing algorithm. (Thus preventing any prying eyes from having any use for the stored hash. There is no known way to undo the hash and get the actual password). Writing a JAAS plug in may not be for the faint of heart, but I do know a consulting few world-class Java security consultants <wink>. That is how authorization works. You can seamlessly and transparantly use J2EE security inside a Flex application. That means you do not have to do *anything* in terms of developing a security framework in Flex, littering your application with security code, etc. The container can do this all for you. When the above is done under SSL encryption you will find you can develop a serious enterprise-class security infrastructure. Access control is a seperate discussion and related to the above authentication. If you or others are interested I can do a follow on post on that as well. It also sounds like it might be a good idea to add security to the Flex whitepapers we already have in our Flex Resources site? You can register for the site at https://www.cynergysystems.com/pages/how/technologies/flex/index.html -- Dave Wolf Cynergy Systems, Inc. Macromedia Flex Alliance Partner http://www.cynergysystems.com Email: [EMAIL PROTECTED] Office: 866-CYNERGY --- In [email protected], [EMAIL PROTECTED] wrote: > > Do you use an http:service tag to store a password? Is this in all of your > opinions the best way to do it? > ------------------------ Yahoo! Groups Sponsor --------------------~--> 1.2 million kids a year are victims of human trafficking. Stop slavery. http://us.click.yahoo.com/WpTY2A/izNLAA/yQLSAA/nhFolB/TM --------------------------------------------------------------------~-> -- Flexcoders Mailing List FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com Yahoo! Groups Links <*> To visit your group on the web, go to: http://groups.yahoo.com/group/flexcoders/ <*> To unsubscribe from this group, send an email to: [EMAIL PROTECTED] <*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/
