I would also suggest looking in your flex install directory for
examples on this.  Look in resources\security.

DK

On 2/15/06, Carson Hager <[EMAIL PROTECTED]> wrote:
> Actually, this doesn't look correct at all. You're trying to go about
> this manually and that is not how J2EE security works.  For this to
> work, you have to integrate with the container which means configuring
> your servlet container to delegate all J2EE authentication/authorization
> to your JAAS module.  After that, you then have to secure resources
> within your web application however that's done in your container. For
> things like Tomcat, this is done directly in web.xml. Your situation
> here will likely be different. If you are using form auth, you then
> point your flex form to post to j_security_check passing in j_username
> and j_password.  If you are using basic auth, you will simply be
> prompted by the browser for userid/password.  Regardless of which you
> choose, the order of operations in the J2EE world is the following.
>
> 1. User requests a secure resource
> 2. Server responds with either the page you have configured for
> credentials (Form auth) or with a request to the client (browser) to
> garner the login information (Basic auth).
> 3. User enters credentials.
> 4. If successful, you now have an authenticated session that the server
> is intimately familiar with.
>
> To answer the next question, you cannot force these credentials into
> J2EE authentication session manually. You have to go through the
> server's provided interfaces.  Unfortunately, J2EE security is much too
> broad a subject to get into in this medium. I've attempted to give you
> a brief outline of the process here so that you can pursue it within the
> context of your container and its capabilities.  Given the frequency of
> the questions surrounding this topic, we have submitted this topic as a
> candidate for an upcoming DevNet article.
>
>
> Carson
>
>
> ____________________________________________
>
> Carson Hager
> Cynergy Systems, Inc.
> http://www.cynergysystems.com
>
> Email:  [EMAIL PROTECTED]
> Office:  866-CYNERGY
> Mobile: 1.703.489.6466
>
>
>
> -----Original Message-----
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Jim Schneider
> Sent: Wednesday, February 15, 2006 10:31 AM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
> (bounce)
>
> Is this a valid test for this? I've verified that the login.jsp fires the
> JAAS login module and I do get the principal object back. In both jsps
> (login.jsp and verify.jsp), the user/principal information is null. (BTW,
> I've tried using the JBoss-supplied DatabaseServerLoginModule and my own to
> check for differences. None)
>
> Can we conclude from this that the JBoss JAAS module is not setting the
> principal information?
>
>
> Logintest.mxml
> {
>   <mx:Application xmlns:mx="http://www.macromedia.com/2003/mxml" xmlns="*">
>   <mx:Panel width="100%" height="100%" title="Login Test">
>   <mx:VBox height="100%" width="100%">
>         <mx:Button label="Login" click="getUrl('login.jsp', 'LoginTest')"/>
>         <mx:Button label="Verify" click="getUrl('verify.jsp', 'LoginTest')"/>
>   </mx:VBox>
>   </mx:Panel>
>   </mx:Application>
> }
>
> Login.jsp (snippet)
> {
>   <%
>   Subject subject = new Subject();
>   UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password.toCharArray());
>   LoginContext loginContext = new LoginContext("employee", subject, handler);
>   loginContext.login();
>   String user = request.getRemoteUser();
>   String principal = null;
>   if (request.getUserPrincipal() != null)
>         principal = request.getUserPrincipal().getName();
> }
>   %>
>   Login Remote User: <%= user %><br>
>   Login Principal: <%= principal %>
> }
>
> Verify.jsp
> {
>   <%
>   String user = request.getRemoteUser();
>   String principal = null;
>   if (request.getUserPrincipal() != null)
>         principal = request.getUserPrincipal().getName();
>   %>
>   Verify Remote User: <%= user %><br>
>   Verify Principal: <%= principal %>
> }
>
>
> -------------------------------------------------
> Jim Schneider
> KJ Interactive, Inc.
> 1-877-370-6906
> 1-612-605-5399
>
> -----Original Message-----
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Matt Chotin
> Sent: Wednesday, February 15, 2006 11:19 AM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
> (bounce)
>
> Right, basically attempt to remove Flex from the equation for the
> moment, get your JAAS module to fire using credentials you pass in using
> the JSP.  Then after you've authenticated use the JSP to see if that
> newly created authenticated Principal is stored in the request.  If it
> isn't there then the problem is bigger than RemoteObject.
>
> Matt
>
> -----Original Message-----
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Carson Hager
> Sent: Wednesday, February 15, 2006 9:05 AM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
> (bounce)
>
> He's actually not suggesting either.  He's suggesting creating a test
> JSP that returns the user principal object to verify that the JSP is
> within an authenticated session.
>
> <%=request.getUserPrincipal().getName()%>
>
> It looks like you're going through a proxy which is using another
> "session". As I mentioned earlier, there are issues with the proxy and
> forwarding credentials from an existing session.  Our context was the
> use of web services but this could very well be what you're seeing as
> well.
>
>
> Carson
>
>
> ____________________________________________
>
> Carson Hager
> Cynergy Systems, Inc.
> http://www.cynergysystems.com
>
> Email:  [EMAIL PROTECTED]
> Office:  866-CYNERGY
> Mobile: 1.703.489.6466
>
>
>
> -----Original Message-----
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Jim Schneider
> Sent: Wednesday, February 15, 2006 8:49 AM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
> (bounce)
>
> Thanks for the responses.
>
> Sorry for my ignorance, but are you suggesting that the JSP simulate a login
> (invoking the loginContext/loginModule)? Or are you suggesting that the JSP
> set the UserPrincipal in the HTTP request (although I don't see a setter in
> the request interface API, which makes me wonder how JAAS injects the
> UserPrincipal into the request, but I can probably find that somewhere).
>
>
> To answer Matt's questions, no, I'm not sure JAAS successfully stores the
> principal, yes, the login module is being called, but I'll look at it more
> closely.
>
> Thanks again,
>
> Jim
>
> -------------------------------------------------
> Jim Schneider
> EyeCodeRight, LLC
> 1-877-370-6906
> 1-612-605-5399
>
> -----Original Message-----
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Dave Wolf
> Sent: Wednesday, February 15, 2006 8:37 AM
> To: flexcoders@yahoogroups.com
> Subject: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)
>
>
> We have, as Carson mentioned, definitely seen issues where the
> j_session_id is not properly propagated through the proxy.  I would
> want to see, as Matt alludes to, do the credentials get propagated
> when we take the proxy out of the picture.  I would create a simple
> JSP page which itself returns the UserPrincipal.  Call that JSP from
> within your Flex app and read the value.
>
> --
> Dave Wolf
> Cynergy Systems, Inc.
> Macromedia Flex Alliance Partner
> http://www.cynergysystems.com
>
> Email:  [EMAIL PROTECTED]
> Office: 866-CYNERGY
>
> --- In flexcoders@yahoogroups.com, "Matt Chotin" <[EMAIL PROTECTED]> wrote:
> >
> > You sure that JAAS successfully stores the Principal back in the user
> > request?  If you did something similar via JSP would everything come
> > through correctly?  I haven't played with JBoss but WebSphere for
> > example failed to store the authenticated principal in the request even
> > when I went through JAAS to log my user in.  You traced to see that
> > your login module is called?
> >
> >
> >
> > ________________________________
> >
> > From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> > Behalf Of Jim Schneider
> > Sent: Tuesday, February 14, 2006 2:12 PM
> > To: flexcoders@yahoogroups.com
> > Subject: FW: [flexcoders] setUsernamePassword and J2EE login (bounce)
> >
> >
> >
> > No one has any thoughts/ideas on this?
> >
> >
> >
> > -------------------------------------------------
> >
> > Jim Schneider
> >
> > KJ Interactive, Inc.
> >
> > 1-877-370-6906
> >
> > 1-612-605-5399
> >
> > ________________________________
> >
> > From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> > Behalf Of Jim Schneider
> > Sent: Saturday, February 04, 2006 12:01 PM
> > To: flexcoders@yahoogroups.com
> > Subject: RE: [flexcoders] setUsernamePassword and J2EE login
> >
> >
> >
> > I finally got back to looking at this. I instrumented my code to look at
> > flashgateway.Gateway.getHttpRequest().getRemotePrincipal() and
> > getRemoteUser().  RemoteUser is empty and remote principal is null. I
> > see the userid/password credentials in the amf trace from the client
> > (setting UsernamePassword on the service), but nothing in the service.
> >
> >
> >
> > I'm using remote objects. Remote object is a spring bean.
> >
> >
> >
> > I've implemented a JAAS login module that appears to be functioning
> > correctly (loginContext succeeds).
> >
> >
> >
> > Using JBoss 4.0.x.
> >
> >
> >
> > Any thoughts?
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Jim
> >
> >
> >
> > ________________________________
> >
> > From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> > Behalf Of Carson Hager
> > Sent: Saturday, January 21, 2006 10:22 PM
> > To: flexcoders@yahoogroups.com
> > Subject: RE: [flexcoders] setUsernamePassword and J2EE login
> >
> >
> >
> > If you use standard J2EE auth to the container, you can get the remote
> > user provided you are not using the proxy. There is currently an issue
> > with the proxy not forwarding the cookie in most (all that we've seen)
> > circumstances.  We have received a fix from Adobe on this that we are in
> > the process of testing.
> >
> >
> >
> > This being said, if you don't use the proxy, you'll be able to access
> > the user without issue from within your service implementations. Here's
> > the kicker.  The AS2 VM does not handle HTTP status code 500. It
> > stops parsing the HTTP response when it sees a 500 which means that you
> > will never be able to get at any data that occurs due to a SOAP Fault.
> > Per the web services spec, the container is required to return an HTTP
> > 500 status code when returning a fault. Effectively, you can't handle
> > SOAP faults when you don't use the proxy and you get that meaningless
> > error message that looks like it simply couldn't connect to the service.
> > This issue is "handled" by the proxy. It changes that HTTP status code
> > to 200 so that the flash player can parse the request.  This is a kludge
> > if you ask me but that's where we are today.  As a note, this is being
> > addressed in FP8.5 but the fix will very likely not (according to Adobe)
> > be fixed in earlier versions due to backward compatibility.
> >
> >
> >
> >
> >
> > Carson
> >
> > ____________________________________________
> >
> > Carson Hager
> > Cynergy Systems, Inc.
> > http://www.cynergysystems.com
> >
> > Email:  [EMAIL PROTECTED]
> > Office:  866-CYNERGY
> > Mobile: 1.703.489.6466
> >
> >
> >
> >
> >
> >
> > ________________________________
> >
> > From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> > Behalf Of Matt Chotin
> > Sent: Saturday, January 21, 2006 7:37 PM
> > To: flexcoders@yahoogroups.com
> > Subject: RE: [flexcoders] setUsernamePassword and J2EE login
> >
> > I think you should be able to get it from the
> > flashgateway.Gateway.getHttpRequest().getRemotePrincipal() or
> > getRemoteUser().
> >
> >
> >
> > ________________________________
> >
> > From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> > Behalf Of Jim Schneider
> > Sent: Wednesday, January 18, 2006 8:32 AM
> > To: flexcoders@yahoogroups.com
> > Subject: [flexcoders] setUsernamePassword and J2EE login
> >
> >
> >
> > After calling setUsernamePassword on a service, is this information
> > "available" to the backend services (remote object or web service)? Or
> > perhaps after a J2EE/JAAS login? If so, how/where?
> >
> >
> >
> > We have a requirement to do a lot of logging of who's doing what in the
> > system and was wondering whether there are any alternatives to passing a
> > username/id with most/all APIs.
> >
> >
> > Thanks for any help.
> >
> >
> >
> > Jim
> >
> >
> >
> >
> >
> >
> >
> > --
> > Flexcoders Mailing List
> > FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
> > Search Archives:
> > http://www.mail-archive.com/flexcoders%40yahoogroups.com


--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
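
Carson's quoted reply describes container-managed form authentication declared in web.xml, with the login form posting `j_username` and `j_password` to `j_security_check`. A minimal descriptor for that setup, as an added example that is not part of the thread or of the Flex samples; the role name `user`, the `/secure/*` pattern and the `login-form.jsp` / `login-error.jsp` pages are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): Servlet 2.4 web.xml using
     container-managed FORM authentication. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- A request for anything matched here makes the container start the
       login exchange. No http-method element is listed, so the constraint
       covers every HTTP method rather than only GET and POST. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/verify.jsp</url-pattern>   <!-- test page from the thread -->
      <url-pattern>/secure/*</url-pattern>     <!-- hypothetical path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>              <!-- hypothetical role -->
    </auth-constraint>
    <!-- The form carries j_password, so require a protected transport. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container serves this page when an unauthenticated request hits
       the constraint. Its form must POST j_username and j_password to
       j_security_check; the container itself handles that URL. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login-form.jsp</form-login-page>   <!-- hypothetical -->
      <form-error-page>/login-error.jsp</form-error-page>  <!-- hypothetical -->
    </form-login-config>
  </login-config>

  <!-- Every role used in an auth-constraint is declared here. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

On JBoss the web application is tied to a JAAS login configuration through the `security-domain` element in `jboss-web.xml`; other containers use their own realm settings. Once the container has performed the login, `request.getUserPrincipal()` in verify.jsp returns the authenticated principal for that session.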

