Hey Phil, It's interesting that you bring that up. That's what I was trying to do with the Socket connection. Unfortunately, and as was expected, it's disconnected from the rest of the session so subsequent web service calls aren't within the authenticated session and then challenge again. I was able to work around this by creating a way to get the session id through the socket and then invoking an httpservice with the session id properly formed. The problem is that it was arguably a security risk so I opted out of that solution. All this being said, you can also do this with form auth doing the following if you're using j2ee. 1. Request a secure resource. 2. Ignore the form login dialog that is returned. 3. Submit an httprequest to j_security_check sending j_username and j_password. 4. Check the response to see if the content returned is valid. You could have the originally requested page have some value in there that you can easily recognize as a positive response such as "ok". The kicker here is that if your session times out, at the next call you're going to get the form login page rather than the service response which will make the web service choke due to the poorly formed content. You could also look into multiple web apps that have different login mechanisms using SSO within the container. Most J2EE servers support this. Then you could have the login web app use form auth and the services web app use basic auth. When a basic auth request comes back after timeout, you can trap that pretty easily, or at least more easily than with form auth. Just a few things to think about. Carson ____________________________________________ Carson Hager Cynergy Systems, Inc. http://www.cynergysystems.com <http://www.cynergysystems.com/> Email: [EMAIL PROTECTED] Office: 866-CYNERGY Mobile: 1.703.489.6466
________________________________ From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of phipzkillah Sent: Thursday, December 14, 2006 4:00 PM To: [email protected] Subject: [flexcoders] Re: HTTP Header Web Service Authentication Carson, Thanks for your reply. I can connect to the web services as long as there is an active session open, ie: I authenticate through our web gui and keep the browser open. Can you think of a possible work-around where I can authenticate an http session before calling my web services? If I can do this, I won't need to authenticate through the web service. Any ideas? Thanks, Phil --- In [email protected] <mailto:flexcoders%40yahoogroups.com> , "Carson Hager" <[EMAIL PROTECTED]> wrote: > > The only way you can do this is through the proxy, unfortunately. I don't know if this is a limitation of the player or the flex framework. I have only been able to coax basic auth using the Socket class but that clearly won't work with web services. > > > Carson > > > > -----Original Message----- > From: [email protected] <mailto:flexcoders%40yahoogroups.com> > <[email protected] <mailto:flexcoders%40yahoogroups.com> > > To: [email protected] <mailto:flexcoders%40yahoogroups.com> > <[email protected] <mailto:flexcoders%40yahoogroups.com> > > Sent: Thu Dec 14 18:27:13 2006 > Subject: [flexcoders] Re: HTTP Header Web Service Authentication > > Dave, > > I understand that. I need to authenticate using BASIC authentication. > I have form inputs where the user enters their user name and > password. I then use base64 and encode it. > > I am stuck at this point. How can I add in an HTTP header that > includes the encoded authorization string? > > This is my current web service call: > > private function init():void{ > var ws:WebService = new WebService; > var qname:QName = new QName(null, "Authorization"); > var str:String = new String("Basic Y2xhcnVzYWRtaW46Y2xhcnVzYWRtaW4="); > var header:SOAPHeader = new SOAPHeader(qname, str); > > ws.useProxy = false; > > ws.addHeader(header);ws.loadWSDL("http://sc-vmx-03:4040/clarusipc/services/InventoryService?wsdl <http://sc-vmx-03:4040/clarusipc/services/InventoryService?wsdl> <http://sc-vmx-03:4040/clarusipc/services/InventoryService?wsdl <http://sc-vmx-03:4040/clarusipc/services/InventoryService?wsdl> > "); > ws.makeObjectsBindable = true; > > var op:Operation = ws.getOperation("getPhoneCount") as Operation; > op.arguments.projectId = 1; > op.addEventListener("result", resultHandler); > op.addEventListener("fault", faultHandler); > op.resultFormat= "e4x"; > > var call:AsyncToken = op.send(); > } > > As you can see, I can easily add a SOAP header to the request. > However, this is of no use to me â€" I need to send a HTTP Basic > authorization header. > > The header should be in the format "Authorization = Basic > Y2xhcnVzYWRtaW46Y2xhcnVzYWRtaW4=". > > Is this possible? If so, can you provide an example that illustrates > how to add a custom HTTP header into a web service request? > > Thanks, > Phil > > --- In [email protected] <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> , "Dave Wolf" <gatorj24@> wrote: > > > > > > What exactly are you trying to do. You can secure web service calls > > using standard HTTP authentication headers. We do this with both > > BASIC and FORM auth. > > > > -- > > Dave Wolf > > Cynergy Systems, Inc. > > Adobe Flex Alliance Partner > > http://www.cynergysystems.com <http://www.cynergysystems.com> > > <http://www.cynergysystems.com <http://www.cynergysystems.com> > > > http://www.cynergysystems.com/blogs <http://www.cynergysystems.com/blogs> <http://www.cynergysystems.com/blogs <http://www.cynergysystems.com/blogs> > > > > > Email: dave.wolf@ > > Office: 866-CYNERGY > > > > --- In [email protected] <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> , "phipzkillah" <pkrasko@> wrote: > > > > > > Does anyone know if it's possible to add a custom HTTP header to the > > > web service request? > > > > > > All authentication methods described through Flex seem to be oriented > > > around SOAP headers. > > > > > > Can we authenticate a web service through HTTP headers? > > > > > > This has been driving me crazy for the past few days. Any ideas or > > > suggestions?? > > > > > > -phil > > > > > >
