Custom is the right thing to use in your services-config.xml. So its working fine now? Dimitrios Gianninas RIA Developer Optimal Payments Inc.
________________________________ From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of baardos Sent: Tuesday, December 19, 2006 8:55 AM To: [email protected] Subject: [flexcoders] Re: Form-based auth on Websphere Hi Dimitrios, Content of the config is pretty straight forward. There are 3 roles, each one for accessing a separate set of functionality provided by external applications. This is how the web.xml security constraint looks like: <security-constraint> <display-name>Protect App</display-name> <web-resource-collection> <web-resource-name>Core Application</web-resource-name> <url-pattern>/app/*</url-pattern> <url-pattern>/messagebroker/*</url-pattern> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <role-name>app1users</role-name> <role-name>app2users</role-name> <role-name>app3users</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login/SecuritySandpitLogin.html</form-login-page> <form-error-page>/login/SecuritySandpitLogin.html</form-error-page> </form-login-config> </login-config> <security-role> <role-name>app1users</role-name> </security-role> <security-role> <role-name>app2users</role-name> </security-role> <security-role> <role-name>app3users</role-name> </security-role> The services-config.xml specifies channels and security constraints in the following way: <?xml version="1.0" encoding="UTF-8"?> <services-config> <services> <service-include file-path="remoting-config.xml"/> </services> <security> <login-command class="flex.messaging.security.WebSphereLoginCommand" server="WebSphere"/> <!-- Uncomment the correct app server <login-command class="flex.messaging.security.JRunLoginCommand" server="JRun"/> <login-command class="flex.messaging.security.WeblogicLoginCommand" server="Weblogic"/> <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/> --> <security-constraint id="app1-constraint"> <auth-method>FORM</auth-method> <roles> <role>app1users</role> </roles> </security-constraint> <security-constraint id="app2-constraint"> <auth-method>FORM</auth-method> <roles> <role>app2users</role> </roles> </security-constraint> <security-constraint id="app3-constraint"> <auth-method>FORM</auth-method> <roles> <role>app3users</role> </roles> </security-constraint> <security-constraint id="login-constraint"> <auth-method>FORM</auth-method> <roles> <role>app1users</role> <role>app2users</role> <role>app3users</role> </roles> </security-constraint> </security> <channels> <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel"> <endpoint uri="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"; class="flex.messaging.endpoints.AMFEndpoint"/> <properties> <polling-enabled>false</polling-enabled> </properties> </channel-definition> <channel-definition id="amf-polling" class="mx.messaging.channels.AMFChannel"> <endpoint uri="http://{server.name}:{server.port}/{context.root}/messagebroker/amf-polling"; class="flex.messaging.endpoints.AMFEndpoint"/> <properties> <polling-enabled>true</polling-enabled> <polling-interval-seconds>10</polling-interval-seconds> </properties> </channel-definition> </channels> <logging> <target class="flex.messaging.log.ConsoleTarget" level="debug"> <properties> <prefix>[Flex] </prefix> <includeDate>false</includeDate> <includeTime>true</includeTime> <includeLevel>false</includeLevel> <includeCategory>false</includeCategory> </properties> </target> </logging> <system> <redeploy> <enabled>true</enabled> <watch-interval>20</watch-interval> <watch-file>{context.root}/WEB-INF/flex/remoting-config.xml</watch-file> <watch-file>{context.root}/WEB-INF/flex/services-config.xml</watch-file> <touch-file>{context.root}/WEB-INF/web.xml</touch-file> </redeploy> </system> </services-config> The destinations are just like below: <destination id="app1-default"> <properties> <source>com.mdsuk.poc.flex.destination.App1Destination</source> </properties> <channels> <channel ref="my-amf"/> </channels> <security> <security-constraint ref="app1-constraint"/> </security> </destination> <destination id="app2-default"> <properties> <source>com.mdsuk.poc.flex.destination.App2Destination</source> </properties> <channels> <channel ref="app2-amf"/> </channels> <security> <security-constraint ref="app2-constraint"/> </security> </destination> <destination id="app3-default"> <properties> <source>com.mdsuk.poc.flex.destination.App3Destination</source> </properties> <channels> <channel ref="my-amf"/> </channels> <security> <security-constraint ref="app3-constraint"/> </security> </destination> <destination id="login-custom"> <properties> <source>com.mdsuk.poc.flex.destination.LoginDestination</source> </properties> <channels> <channel ref="my-amf"/> </channels> <security> <security-constraint ref="login-constraint"/> </security> </destination> For now we decided to go with Custom security since it seems to work without any problems, however I would be glad to know why FORM-based security does not work for us. It seems to me that Websphere and its security mechanims do not integrate properly with Flex. Thanks for help, Bartek --- In [email protected] <mailto:flexcoders%40yahoogroups.com> , "Dimitrios Gianninas" <[EMAIL PROTECTED]> wrote: > > So both the jsp and swf are under the same context? Hmmm sounds like it should work. > Time to call Adobe support... dont know what else to tell you. If something comes to mind I will. > > What does your services-config.xml, remoting-config.xml and web.xml look like? the roles and such > > Dimitrios Gianninas > RIA Developer > Optimal Payments Inc. > > > ________________________________ > > From: [email protected] <mailto:flexcoders%40yahoogroups.com> > [mailto:[email protected] <mailto:flexcoders%40yahoogroups.com> ] On Behalf Of baardos > Sent: Thursday, December 14, 2006 10:22 AM > To: [email protected] <mailto:flexcoders%40yahoogroups.com> > Subject: [flexcoders] Re: Form-based auth on Websphere > > > > Hi Dimitrios, > > I've checked it and the JSESSION cookie's name remains the same and > the path is '/' so theoreticly it should work fine... > > Thanks, > Bartek > > --- In [email protected] <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> , "Dimitrios Gianninas" > <dimitrios.gianninas@> wrote: > > > > Your understanding is correct. My app works that way too... we have: > > > > https://someurl/falcon/login.jsp <https://someurl/falcon/login.jsp> > > <https://someurl/falcon/login.jsp <https://someurl/falcon/login.jsp> > > > https://someurl/billing/billing.swf <https://someurl/billing/billing.swf> <https://someurl/billing/billing.swf <https://someurl/billing/billing.swf> > > > > > So user logs in and then at some point goes to the billing.swf and > everything works. If you try to access the swf directly all RO calls > fail. This is on Weblogic 8.1SP3. The login page uses j_security_check > as well. So same in your case... one thing to be careful of is that if > your login page and swf are under different contexts then you have to > make sure they have the same cookie name, or it wont work. Is that > your case? > > > > Dimitrios Gianninas > > RIA Developer > > Optimal Payments Inc. > > > > > > ________________________________ > > > > From: [email protected] <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> [mailto:[email protected] <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> ] > On Behalf Of baardos > > Sent: Thursday, December 14, 2006 9:03 AM > > To: [email protected] <mailto:flexcoders%40yahoogroups.com> > > <mailto:flexcoders%40yahoogroups.com> > > Subject: [flexcoders] Re: Form-based auth on Websphere > > > > > > > > Hi Dimitrios, > > > > Thanks for you anwser. Here I go with explanation. > > 1. I gave it a try and it works however Tomcat does not require this. > > 2. The login SWF could be just a HTML page with a form submitting > > credentials for j_security_check. The idea is to protect the core app > > in web.xml. In that way all resources are prottected: channels and > > the app itself. > > 3. My assumtion is that if a user is athenticated via container it > > should maintain its credentials and should associate them with its > > session. For a workaround in point 1, username and password can be > > stored in a SharedObject and than retrieved in the core app. > > > > It seems to me that when the user submits its credentials to the > > j_security_check they are not propagated to Flex. I've decompiled the > > WebsphereLoginCommand and by debugging it I can see that > > doAuthenticate method is invoked only if the setCredetials method is > > set explicitly. Is it the way it should work? How then Tomcat's > > behaviour should be explained - is it just a side effect? > > > > Cheers, > > Bartek > > > > --- In [email protected] <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> > <mailto:flexcoders%40yahoogroups.com> , "Dimitrios Gianninas" > > <dimitrios.gianninas@> wrote: > > > > > > Things to try: > > > > > > 1) set the remote credentials on the ro in the core app for test to > > see if it works > > > > > > 2) why have two SWFs? > > > > > > 3) the second swf doesnt have a credential info to pass to the > > server and since you locked down the RO it is failing > > > > > > Dimitrios Gianninas > > > RIA Developer > > > Optimal Payments Inc. > > > > > > > > > ________________________________ > > > > > > From: [email protected] <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> > <mailto:flexcoders%40yahoogroups.com> > [mailto:[email protected] <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> ] > > On Behalf Of baardos > > > Sent: Tuesday, December 12, 2006 9:28 AM > > > To: [email protected] <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> <mailto:flexcoders%40yahoogroups.com> > > > Subject: [flexcoders] Form-based auth on Websphere > > > > > > > > > > > > Hi, > > > > > > I have a problem with FORM based auth on Websphere or rather what > > > happens afterwards when I a remote object calls a destination. > > > > > > To give some background: > > > The app is splitted in two applications (separate .swf files): > > > 1. login screen > > > 2. core app > > > > > > The core app is in protected area. When a user enters valid > > > credentials in the login app it is forwarded to the core app. Then > > > when a call to a remote object is made I am getting > > > Client.Authentication error saying "Login required before > > > authorization can proceed". > > > > > > I've noticed that if prior to sending a request user credentails are > > > set on the remote object (with setUserCredentials method) everything > > > works fine, however I think that it should not be necessary since the > > > server should maintain the credentials - at least it appers to work > > > that way when the app is deployed to Tomcat. > > > > > > I would be grateful for help. > > > > > > Best regards, > > > Bartek Doszczak > > > > > > > > > > > > > > > > > > -- > > > WARNING > > > ------- > > > This electronic message and its attachments may contain > > confidential, proprietary or legally privileged information, which is > > solely for the use of the intended recipient. No privilege or other > > rights are waived by any unintended transmission or unauthorized > > retransmission of this message. If you are not the intended recipient > > of this message, or if you have received it in error, you should > > immediately stop reading this message and delete it and all > > attachments from your system. The reading, distribution, copying or > > other use of this message or its attachments by unintended recipients > > is unauthorized and may be unlawful. If you have received this e-mail > > in error, please notify the sender. > > > > > > AVIS IMPORTANT > > > -------------- > > > Ce message électronique et ses pièces jointes peuvent contenir des > > renseignements confidentiels, exclusifs ou légalement privilégiés > > destinés au seul usage du destinataire visé. L'expéditeur original ne > > renonce à aucun privilège ou à aucun autre droit si le présent message > > a été transmis involontairement ou s'il est retransmis sans son > > autorisation. Si vous n'êtes pas le destinataire visé du présent > > message ou si vous l'avez reçu par erreur, veuillez cesser > > immédiatement de le lire et le supprimer, ainsi que toutes ses pièces > > jointes, de votre système. La lecture, la distribution, la copie ou > > tout autre usage du présent message ou de ses pièces jointes par des > > personnes autres que le destinataire visé ne sont pas autorisés et > > pourraient être illégaux. Si vous avez reçu ce courrier électronique > > par erreur, veuillez en aviser l'expéditeur. > > > > > >
