Hi Dimitrios,
Content of the config is pretty straight forward. There are 3 roles,
each one for accessing a separate set of functionality provided by
external applications.
This is how the web.xml security constraint looks like:
<security-constraint>
<display-name>Protect App</display-name>
<web-resource-collection>
<web-resource-name>Core Application</web-resource-name>
<url-pattern>/app/*</url-pattern>
<url-pattern>/messagebroker/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>app1users</role-name>
<role-name>app2users</role-name>
<role-name>app3users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login/SecuritySandpitLogin.html</form-login-page>
<form-error-page>/login/SecuritySandpitLogin.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>app1users</role-name>
</security-role>
<security-role>
<role-name>app2users</role-name>
</security-role>
<security-role>
<role-name>app3users</role-name>
</security-role>
The services-config.xml specifies channels and security constraints in
the following way:
<?xml version="1.0" encoding="UTF-8"?>
<services-config>
<services>
<service-include file-path="remoting-config.xml"/>
</services>
<security>
<login-command
class="flex.messaging.security.WebSphereLoginCommand" server="WebSphere"/>
<!-- Uncomment the correct app server
<login-command
class="flex.messaging.security.JRunLoginCommand" server="JRun"/>
<login-command
class="flex.messaging.security.WeblogicLoginCommand" server="Weblogic"/>
<login-command
class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
-->
<security-constraint id="app1-constraint">
<auth-method>FORM</auth-method>
<roles>
<role>app1users</role>
</roles>
</security-constraint>
<security-constraint id="app2-constraint">
<auth-method>FORM</auth-method>
<roles>
<role>app2users</role>
</roles>
</security-constraint>
<security-constraint id="app3-constraint">
<auth-method>FORM</auth-method>
<roles>
<role>app3users</role>
</roles>
</security-constraint>
<security-constraint id="login-constraint">
<auth-method>FORM</auth-method>
<roles>
<role>app1users</role>
<role>app2users</role>
<role>app3users</role>
</roles>
</security-constraint>
</security>
<channels>
<channel-definition id="my-amf"
class="mx.messaging.channels.AMFChannel">
<endpoint
uri="http://{server.name}:{server.port}/{context.root}/messagebroker/amf";
class="flex.messaging.endpoints.AMFEndpoint"/>
<properties>
<polling-enabled>false</polling-enabled>
</properties>
</channel-definition>
<channel-definition id="amf-polling"
class="mx.messaging.channels.AMFChannel">
<endpoint
uri="http://{server.name}:{server.port}/{context.root}/messagebroker/amf-polling";
class="flex.messaging.endpoints.AMFEndpoint"/>
<properties>
<polling-enabled>true</polling-enabled>
<polling-interval-seconds>10</polling-interval-seconds>
</properties>
</channel-definition>
</channels>
<logging>
<target class="flex.messaging.log.ConsoleTarget" level="debug">
<properties>
<prefix>[Flex] </prefix>
<includeDate>false</includeDate>
<includeTime>true</includeTime>
<includeLevel>false</includeLevel>
<includeCategory>false</includeCategory>
</properties>
</target>
</logging>
<system>
<redeploy>
<enabled>true</enabled>
<watch-interval>20</watch-interval>
<watch-file>{context.root}/WEB-INF/flex/remoting-config.xml</watch-file>
<watch-file>{context.root}/WEB-INF/flex/services-config.xml</watch-file>
<touch-file>{context.root}/WEB-INF/web.xml</touch-file>
</redeploy>
</system>
</services-config>
The destinations are just like below:
<destination id="app1-default">
<properties>
<source>com.mdsuk.poc.flex.destination.App1Destination</source>
</properties>
<channels>
<channel ref="my-amf"/>
</channels>
<security>
<security-constraint ref="app1-constraint"/>
</security>
</destination>
<destination id="app2-default">
<properties>
<source>com.mdsuk.poc.flex.destination.App2Destination</source>
</properties>
<channels>
<channel ref="app2-amf"/>
</channels>
<security>
<security-constraint ref="app2-constraint"/>
</security>
</destination>
<destination id="app3-default">
<properties>
<source>com.mdsuk.poc.flex.destination.App3Destination</source>
</properties>
<channels>
<channel ref="my-amf"/>
</channels>
<security>
<security-constraint ref="app3-constraint"/>
</security>
</destination>
<destination id="login-custom">
<properties>
<source>com.mdsuk.poc.flex.destination.LoginDestination</source>
</properties>
<channels>
<channel ref="my-amf"/>
</channels>
<security>
<security-constraint ref="login-constraint"/>
</security>
</destination>
For now we decided to go with Custom security since it seems to work
without any problems, however I would be glad to know why FORM-based
security does not work for us. It seems to me that Websphere and its
security mechanims do not integrate properly with Flex.
Thanks for help,
Bartek
--- In [email protected], "Dimitrios Gianninas"
<[EMAIL PROTECTED]> wrote:
>
> So both the jsp and swf are under the same context? Hmmm sounds like
it should work.
> Time to call Adobe support... dont know what else to tell you. If
something comes to mind I will.
>
> What does your services-config.xml, remoting-config.xml and web.xml
look like? the roles and such
>
> Dimitrios Gianninas
> RIA Developer
> Optimal Payments Inc.
>
>
> ________________________________
>
> From: [email protected] [mailto:[EMAIL PROTECTED]
On Behalf Of baardos
> Sent: Thursday, December 14, 2006 10:22 AM
> To: [email protected]
> Subject: [flexcoders] Re: Form-based auth on Websphere
>
>
>
> Hi Dimitrios,
>
> I've checked it and the JSESSION cookie's name remains the same and
> the path is '/' so theoreticly it should work fine...
>
> Thanks,
> Bartek
>
> --- In [email protected]
<mailto:flexcoders%40yahoogroups.com> , "Dimitrios Gianninas"
> <dimitrios.gianninas@> wrote:
> >
> > Your understanding is correct. My app works that way too... we have:
> >
> > https://someurl/falcon/login.jsp <https://someurl/falcon/login.jsp>
> > https://someurl/billing/billing.swf
<https://someurl/billing/billing.swf>
> >
> > So user logs in and then at some point goes to the billing.swf and
> everything works. If you try to access the swf directly all RO calls
> fail. This is on Weblogic 8.1SP3. The login page uses j_security_check
> as well. So same in your case... one thing to be careful of is that if
> your login page and swf are under different contexts then you have to
> make sure they have the same cookie name, or it wont work. Is that
> your case?
> >
> > Dimitrios Gianninas
> > RIA Developer
> > Optimal Payments Inc.
> >
> >
> > ________________________________
> >
> > From: [email protected]
<mailto:flexcoders%40yahoogroups.com>
[mailto:[email protected] <mailto:flexcoders%40yahoogroups.com> ]
> On Behalf Of baardos
> > Sent: Thursday, December 14, 2006 9:03 AM
> > To: [email protected] <mailto:flexcoders%40yahoogroups.com>
> > Subject: [flexcoders] Re: Form-based auth on Websphere
> >
> >
> >
> > Hi Dimitrios,
> >
> > Thanks for you anwser. Here I go with explanation.
> > 1. I gave it a try and it works however Tomcat does not require this.
> > 2. The login SWF could be just a HTML page with a form submitting
> > credentials for j_security_check. The idea is to protect the core app
> > in web.xml. In that way all resources are prottected: channels and
> > the app itself.
> > 3. My assumtion is that if a user is athenticated via container it
> > should maintain its credentials and should associate them with its
> > session. For a workaround in point 1, username and password can be
> > stored in a SharedObject and than retrieved in the core app.
> >
> > It seems to me that when the user submits its credentials to the
> > j_security_check they are not propagated to Flex. I've decompiled the
> > WebsphereLoginCommand and by debugging it I can see that
> > doAuthenticate method is invoked only if the setCredetials method is
> > set explicitly. Is it the way it should work? How then Tomcat's
> > behaviour should be explained - is it just a side effect?
> >
> > Cheers,
> > Bartek
> >
> > --- In [email protected]
<mailto:flexcoders%40yahoogroups.com>
> <mailto:flexcoders%40yahoogroups.com> , "Dimitrios Gianninas"
> > <dimitrios.gianninas@> wrote:
> > >
> > > Things to try:
> > >
> > > 1) set the remote credentials on the ro in the core app for test to
> > see if it works
> > >
> > > 2) why have two SWFs?
> > >
> > > 3) the second swf doesnt have a credential info to pass to the
> > server and since you locked down the RO it is failing
> > >
> > > Dimitrios Gianninas
> > > RIA Developer
> > > Optimal Payments Inc.
> > >
> > >
> > > ________________________________
> > >
> > > From: [email protected]
<mailto:flexcoders%40yahoogroups.com>
> <mailto:flexcoders%40yahoogroups.com>
> [mailto:[email protected]
<mailto:flexcoders%40yahoogroups.com>
<mailto:flexcoders%40yahoogroups.com> ]
> > On Behalf Of baardos
> > > Sent: Tuesday, December 12, 2006 9:28 AM
> > > To: [email protected]
<mailto:flexcoders%40yahoogroups.com>
<mailto:flexcoders%40yahoogroups.com>
> > > Subject: [flexcoders] Form-based auth on Websphere
> > >
> > >
> > >
> > > Hi,
> > >
> > > I have a problem with FORM based auth on Websphere or rather what
> > > happens afterwards when I a remote object calls a destination.
> > >
> > > To give some background:
> > > The app is splitted in two applications (separate .swf files):
> > > 1. login screen
> > > 2. core app
> > >
> > > The core app is in protected area. When a user enters valid
> > > credentials in the login app it is forwarded to the core app. Then
> > > when a call to a remote object is made I am getting
> > > Client.Authentication error saying "Login required before
> > > authorization can proceed".
> > >
> > > I've noticed that if prior to sending a request user credentails are
> > > set on the remote object (with setUserCredentials method) everything
> > > works fine, however I think that it should not be necessary
since the
> > > server should maintain the credentials - at least it appers to work
> > > that way when the app is deployed to Tomcat.
> > >
> > > I would be grateful for help.
> > >
> > > Best regards,
> > > Bartek Doszczak
> > >
> > >
> > >
> > >
> > >
> > > --
> > > WARNING
> > > -------
> > > This electronic message and its attachments may contain
> > confidential, proprietary or legally privileged information, which is
> > solely for the use of the intended recipient. No privilege or other
> > rights are waived by any unintended transmission or unauthorized
> > retransmission of this message. If you are not the intended recipient
> > of this message, or if you have received it in error, you should
> > immediately stop reading this message and delete it and all
> > attachments from your system. The reading, distribution, copying or
> > other use of this message or its attachments by unintended recipients
> > is unauthorized and may be unlawful. If you have received this e-mail
> > in error, please notify the sender.
> > >
> > > AVIS IMPORTANT
> > > --------------
> > > Ce message électronique et ses pièces jointes peuvent contenir des
> > renseignements confidentiels, exclusifs ou légalement privilégiés
> > destinés au seul usage du destinataire visé. L'expéditeur original ne
> > renonce à aucun privilège ou à aucun autre droit si le présent message
> > a été transmis involontairement ou s'il est retransmis sans son
> > autorisation. Si vous n'êtes pas le destinataire visé du présent
> > message ou si vous l'avez reçu par erreur, veuillez cesser
> > immédiatement de le lire et le supprimer, ainsi que toutes ses pièces
> > jointes, de votre système. La lecture, la distribution, la copie ou
> > tout autre usage du présent message ou de ses pièces jointes par des
> > personnes autres que le destinataire visé ne sont pas autorisés et
> > pourraient être illégaux. Si vous avez reçu ce courrier électronique
> > par erreur, veuillez en aviser l'expéditeur.
> > >
> >
>
