I am trying to figure out the best way of implementing security & authentication. I am using Tomcat, and FDS at the moment for remoting. My server-side code is obviously in Java.

A while back, role-based security was recommended as the way to implement security. The idea being that if someone did not have the right credentials, they would be prevented from gaining access to the Flex app. But my problem with this is that I want to do my authentication UI *in* Flex, so I can't prevent people from getting to it before I have had a chance to authenticate them. Another problem with the role-based stuff is that, as I understand it, roles are maintained by the container. I am not clear how to use my account database (JDBC/MySQL) in this process.

What seems easier to me is using sessions, because I can, from any server-side function, request the current session of the given user. I can look to see if their session is valid, how long they have been logged on, etc. Using this methodology, I can do login in the Flex application, which just sends a login message to the server; the server adds a record to my session that indicates that I am logged in and when I logged in.

This second approach seems like the best approach and the one that gives me the most flexibility. But I am looking for validation regarding my approach here. Am I doing something wrong? Are there some reasons that role-based security would be better? Any insight from people better versed in security than I am would be greatly appreciated.

Hank
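As an added illustration (not code from the post, Tomcat or FDS), here is the session approach described above in Java: a login method that validates against the JDBC account table, replaces the pre-login session so the Flex client's session id is not reused, and records who logged in and when; every other remoted method calls `requireLogin` first. `LoginService`, the `accounts` table, the `PasswordHasher` stand-in, and the absolute session lifetime are assumptions; under FDS the `HttpServletRequest` would be obtained from `flex.messaging.FlexContext.getHttpRequest()`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

// Hypothetical remoting destination: login() backs the Flex login form,
// requireLogin() is called at the top of every other server-side method.
public class LoginService {
    static final String USER_KEY = "auth.user";
    static final String LOGIN_AT_KEY = "auth.loginAt";
    static final long MAX_SESSION_MS = 8L * 60 * 60 * 1000; // assumed absolute lifetime

    private final DataSource ds; // JDBC/MySQL account database, injected by the container

    public LoginService(DataSource ds) { this.ds = ds; }

    public boolean login(HttpServletRequest req, String user, String password) throws SQLException {
        if (!credentialsValid(user, password)) return false;   // same answer for bad user/bad password
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();                     // never keep the pre-login session id
        HttpSession s = req.getSession(true);
        s.setAttribute(USER_KEY, user);
        s.setAttribute(LOGIN_AT_KEY, System.currentTimeMillis());
        return true;
    }

    // Returns the logged-in user name or throws; callers never see a half-authenticated session.
    public String requireLogin(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        String user = s == null ? null : (String) s.getAttribute(USER_KEY);
        Long loginAt = s == null ? null : (Long) s.getAttribute(LOGIN_AT_KEY);
        if (user == null || loginAt == null) throw new SecurityException("not logged in");
        if (System.currentTimeMillis() - loginAt > MAX_SESSION_MS) {
            s.invalidate();                                    // session older than the allowed lifetime
            throw new SecurityException("session expired");
        }
        return user;
    }

    // Parameterised query against the assumed accounts(username, password_hash) table.
    private boolean credentialsValid(String user, String password) throws SQLException {
        String sql = "SELECT password_hash FROM accounts WHERE username = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                // PasswordHasher is a stand-in for a salted, slow hash verifier (e.g. bcrypt)
                return rs.next() && PasswordHasher.verify(password, rs.getString(1));
            }
        }
    }
}
```

Because the session lives server-side, the Flex client only ever holds the container's session cookie, and the container's session timeout plus the absolute lifetime check above together bound how long a stolen cookie is useful.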

