Thanks for the info. 

First, let me clarify that this is not how we intend to do login/auth. I was
merely trying to get the LoginModule to fire without going through any
server-side/flex/proxy.

Does this process only work if we try to access a restricted resource? That
is, if the first screen in my Flex app is the login page, can I post the
form to one of my own services (remote object), manually do the
handler/loginContext process as described in login.jsp below? Or does it
need to be posted to this j_security_check? If this login module/context
succeeds (login/commit), does it matter whether this was called through my
own code or from this mysterious j_security_check? (BTW, what is
j_security_check? A jsp, url to servlet handled by container, .... I can do
the search on this myself, but if you want to answer, I'd certainly read it
:-))

Is there some standard way of handling an app that requires the user to
login prior to doing anything? For example, I see the app being launched
from a link/button on our web site. I want the login page to display. Do we
have this link/button point to some fake (or real) protected resource to
kick off the auth process?

As always, thanks for the education.

Jim

-------------------------------------------------
Jim Schneider
KJ Interactive, Inc.
1-877-370-6906
1-612-605-5399

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Carson Hager
Sent: Wednesday, February 15, 2006 12:41 PM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

Actually, this doesn't look correct at all. You're trying to go about
this manually and that is not how J2EE security works.  For this to
work, you have to integrate with the container which means configuring
your servlet container to delegate all J2EE authentication/authorization
to your JAAS module.  After that, you then have to secure resources
within your web application however that's done in your container. For
things like Tomcat, this is done directly in web.xml. Your situation
here will likely be different. If you are using form auth, you then
point your flex form to post to j_security_check passing in j_username
and j_password.  If you are using basic auth, you will simply be
prompted by the browser for userid/password.  Regardless of which you
choose, the order of operations in the J2EE world is the following.

1. User requests a secure resource
2. Server responds with either the page you have configured for
credentials (Form auth) or with a request to the client (browser) to
garner the login information (Basic auth).
3. User enters credentials.
4. If successful, you now have an authenticated session that the server
is intimately familiar with.

To answer the next question, you cannot force these credentials into
J2EE authentication session manually. You have to go through the
server's provided interfaces.  Unfortunately, J2EE security is much too
broad a subject to get into in this medium. I've attempted to give you
a brief outline of the process here so that you can pursue it within the
context of your container and its capabilities.  Given the frequency of
the questions surrounding this topic, we have submitted this topic as a
candidate for an upcoming DevNet article.


Carson


____________________________________________
 
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
 
Email:  [EMAIL PROTECTED]
Office:  866-CYNERGY
Mobile: 1.703.489.6466
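
Added example, not part of the original thread: a web.xml fragment for the container-managed form login outlined in the message above, where a request for a protected URL makes the container serve the login page, and that page posts j_username and j_password to j_security_check. The URL pattern, the role name employee_role and the page names are assumptions, as is the JBoss security-domain name, which is taken from the "employee" LoginContext name used elsewhere in this thread.

```xml
<!-- WEB-INF/web.xml fragment (Servlet 2.4). Constructed example: the URL
     pattern, role name and page names are assumptions, not from the thread. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Step 1: any request under /app/* is a "secure resource". A launch link
       that points here lets the container start the login itself. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Flex application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
      <!-- No <http-method> elements: the constraint covers every method. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee_role</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- The credentials travel in the form post, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 2: form auth. The container serves /loginform.jsp when an
       unauthenticated user requests /app/*. That page must sit outside the
       protected pattern. Its form posts to the container-provided
       j_security_check with the fields j_username and j_password:
         <form method="POST" action="j_security_check">
           <input type="text" name="j_username"/>
           <input type="password" name="j_password"/>
         </form> -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/loginform.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>employee_role</role-name>
  </security-role>

  <!-- JBoss binds the web application to a JAAS domain in a separate file,
       WEB-INF/jboss-web.xml (assumes the application-policy is named
       "employee", matching the LoginContext name in this thread):
         <jboss-web>
           <security-domain>java:/jaas/employee</security-domain>
         </jboss-web> -->
</web-app>
```

After a successful post to j_security_check, request.getRemoteUser() and request.getUserPrincipal() are populated for requests in that session, which is what the verify.jsp test in this thread checks.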
 


-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 10:31 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

Is this a valid test for this? I've verified that the login.jsp fires the
JAAS login module and I do get the principal object back. In both jsps
(login.jsp and verify.jsp), the user/principal information is null. (BTW,
I've tried using the JBoss-supplied DatabaseServerLoginModule and my own to
check for differences. None)

Can we conclude from this that the JBoss JAAS module is not setting the
principal information?


Logintest.mxml
{
  <mx:Application xmlns:mx="http://www.macromedia.com/2003/mxml" xmlns="*">
  <mx:Panel width="100%" height="100%" title="Login Test">
  <mx:VBox height="100%" width="100%">
        <mx:Button label="Login" click="getUrl('login.jsp', 'LoginTest')"/>
        <mx:Button label="Verify" click="getUrl('verify.jsp', 'LoginTest')"/>
  </mx:VBox>
  </mx:Panel>
  </mx:Application>
}

Login.jsp (snippet)
{
  <%
  // username and password are set earlier in the page (not shown in this snippet).
  // Run the JAAS login module directly with the supplied credentials.
  Subject subject = new Subject();
  UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password.toCharArray());
  LoginContext loginContext = new LoginContext("employee", subject, handler);
  loginContext.login();
  // Read what the container reports for this request.
  String user = request.getRemoteUser();
  String principal = null;
  if (request.getUserPrincipal() != null)
        principal = request.getUserPrincipal().getName();
  %>
  Login Remote User: <%= user %><br>
  Login Principal: <%= principal %>
}

Verify.jsp
{
  <%        
  String user = request.getRemoteUser();
  String principal = null;
  if (request.getUserPrincipal() != null)
        principal = request.getUserPrincipal().getName();            
  %>
  Verify Remote User: <%= user %><br>
  Verify Principal: <%= principal %>
}


-------------------------------------------------
Jim Schneider
KJ Interactive, Inc.
1-877-370-6906
1-612-605-5399

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Matt Chotin
Sent: Wednesday, February 15, 2006 11:19 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

Right, basically attempt to remove Flex from the equation for the
moment, get your JAAS module to fire using credentials you pass in using
the JSP.  Then after you've authenticated use the JSP to see if that
newly created authenticated Principal is stored in the request.  If it
isn't there then the problem is bigger than RemoteObject.

Matt

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Carson Hager
Sent: Wednesday, February 15, 2006 9:05 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

He's actually not suggesting either.  He's suggesting creating a test
JSP that returns the user principal object to verify that the JSP is
within an authenticated session.

<%=request.getUserPrincipal().getName()%>

It looks like you're going through a proxy which is using another
"session". As I mentioned earlier, there are issues with the proxy and
forwarding credentials from an existing session.  Our context was the
use of web services but this could very well be what you're seeing as
well.


Carson 


____________________________________________
 
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
 
Email:  [EMAIL PROTECTED]
Office:  866-CYNERGY
Mobile: 1.703.489.6466
 


-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 8:49 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

Thanks for the responses. 

Sorry for my ignorance, but are you suggesting that the JSP simulate a login
(invoking the loginContext/loginModule)? Or are you suggesting that the JSP
set the UserPrincipal in the HTTP request (although I don't see a setter in
the request interface API, which makes me wonder how JAAS injects the
UserPrincipal into the request, but I can probably find that somewhere).


To answer Matt's questions, no, I'm not sure JAAS successfully stores the
principal, yes, the login module is being called, but I'll look at it more
closely.

Thanks again,

Jim

-------------------------------------------------
Jim Schneider
EyeCodeRight, LLC
1-877-370-6906
1-612-605-5399

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Dave Wolf
Sent: Wednesday, February 15, 2006 8:37 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)


We have, as Carson mentioned, definitely seen issues where the
j_session_id is not properly propagated through the proxy.  I would
want to see, as Matt alludes to, do the credentials get propagated
when we take the proxy out of the picture.  I would create a simple
JSP page which itself returns the UserPrincipal.  Call that JSP from
within your Flex app and read the value.

-- 
Dave Wolf
Cynergy Systems, Inc.
Macromedia Flex Alliance Partner
http://www.cynergysystems.com

Email:  [EMAIL PROTECTED]
Office: 866-CYNERGY

--- In flexcoders@yahoogroups.com, "Matt Chotin" <[EMAIL PROTECTED]> wrote:
>
> You sure that JAAS successfully stores the Principal back in the user
> request?  If you did something similar via JSP would everything come
> through correctly?  I haven't played with JBoss but WebSphere for
> example failed to store the authenticated principal in the request even
> when I went through JAAS to log my user in.  You traced to see that
> your login module is called?
> 
>  
> 
> ________________________________
> 
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Jim Schneider
> Sent: Tuesday, February 14, 2006 2:12 PM
> To: flexcoders@yahoogroups.com
> Subject: FW: [flexcoders] setUsernamePassword and J2EE login (bounce)
> 
>  
> 
> No one has any thoughts/ideas on this?
> 
>  
> 
> -------------------------------------------------
> 
> Jim Schneider
> 
> KJ Interactive, Inc.
> 
> 1-877-370-6906
> 
> 1-612-605-5399
> 
> ________________________________
> 
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Jim Schneider
> Sent: Saturday, February 04, 2006 12:01 PM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] setUsernamePassword and J2EE login
> 
>  
> 
> I finally got back to looking at this. I instrumented my code to look at
> flashgateway.Gateway.getHttpRequest().getRemotePrincipal() and
> getRemoteUser().  RemoteUser is empty and remote principal is null. I
> see the userid/password credentials in the amf trace from the client
> (setting UsernamePassword on the service), but nothing in the service.
> 
>  
> 
> I'm using remote objects. Remote object is a spring bean.
> 
>  
> 
> I've implemented a JAAS login module that appears to be functioning
> correctly (loginContext succeeds). 
> 
>  
> 
> Using JBoss 4.0.x.
> 
>  
> 
> Any thoughts?
> 
>  
> 
> Thanks,
> 
>  
> 
> Jim
> 
>  
> 
> ________________________________
> 
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Carson Hager
> Sent: Saturday, January 21, 2006 10:22 PM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] setUsernamePassword and J2EE login
> 
>  
> 
> If you use standard J2EE auth to the container, you can get the remote
> user provided you are not using the proxy. There is currently an issue
> with the proxy not forwarding the cookie in most (all that we've seen)
> circumstances.  We have received a fix from Adobe on this that we are in
> the process of testing.
> 
>  
> 
> This being said, if you don't use the proxy, you'll be able to access
> the user without issue from within your service implementations. Here's
> the kicker.  The AS2 VM doesn't handle HTTP status code 500. It
> stops parsing the HTTP response when it sees a 500 which means that you
> will never be able to get at any data that occurs due to a SOAP Fault.
> Per the web services spec, the container is required to return an HTTP
> 500 status code when returning a fault. Effectively, you can't handle
> SOAP faults when you don't use the proxy and you get that meaningless
> error message that looks like it simply couldn't connect to the service.
> This issue is "handled" by the proxy. It changes that HTTP status code
> to 200 so that the flash player can parse the request.  This is a kludge
> if you ask me but that's where we are today.  As a note, this is being
> addressed in FP8.5 but the fix will very likely not (according to Adobe)
> be fixed in earlier versions due to backward compatibility.
> 
>  
> 
>  
> 
> Carson
> 
> ____________________________________________ 
>   
> Carson Hager 
> Cynergy Systems, Inc. 
> http://www.cynergysystems.com <http://www.cynergysystems.com/>  
>   
> Email:  [EMAIL PROTECTED] 
> Office:  866-CYNERGY 
> Mobile: 1.703.489.6466 
>   
> 
>  
> 
>  
> 
> ________________________________
> 
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Matt Chotin
> Sent: Saturday, January 21, 2006 7:37 PM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] setUsernamePassword and J2EE login
> 
> I think you should be able to get it from the
> flashgateway.Gateway.getHttpRequest().getRemotePrincipal() or
> getRemoteUser().
> 
>  
> 
> ________________________________
> 
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Jim Schneider
> Sent: Wednesday, January 18, 2006 8:32 AM
> To: flexcoders@yahoogroups.com
> Subject: [flexcoders] setUsernamePassword and J2EE login
> 
>  
> 
> After calling setUsernamePassword on a service, is this information
> "available" to the backend services (remote object or web service)? Or
> perhaps after a J2EE/JAAS login? If so, how/where?
> 
>  
> 
> We have a requirement to do a lot of logging of who's doing what in the
> system and was wondering whether there are any alternatives to passing a
> username/id with most/all APIs.
> 
> 
> Thanks for any help. 
> 
>  
> 
> Jim
> 
>  
> 
> 
> 
> 
> 
> --
> Flexcoders Mailing List
> FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
> Search Archives:
> http://www.mail-archive.com/flexcoders%40yahoogroups.com 