It works fine without any problems. The only thing I was struggling with was Secure RTMP but it works fine as well now.
Thanks for your help!

Cheers,
Bartek

--- In [email protected], "Dimitrios Gianninas" <[EMAIL PROTECTED]> wrote:
>
> Custom is the right thing to use in your services-config.xml. So it's working fine now?
>
> Dimitrios Gianninas
> RIA Developer
> Optimal Payments Inc.
>
> ________________________________
>
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of baardos
> Sent: Tuesday, December 19, 2006 8:55 AM
> To: [email protected]
> Subject: [flexcoders] Re: Form-based auth on Websphere
>
> Hi Dimitrios,
>
> Content of the config is pretty straightforward. There are 3 roles,
> each one for accessing a separate set of functionality provided by
> external applications.
>
> This is what the web.xml security constraint looks like:
>
> <security-constraint>
>   <display-name>Protect App</display-name>
>   <web-resource-collection>
>     <web-resource-name>Core Application</web-resource-name>
>     <url-pattern>/app/*</url-pattern>
>     <url-pattern>/messagebroker/*</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>app1users</role-name>
>     <role-name>app2users</role-name>
>     <role-name>app3users</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/login/SecuritySandpitLogin.html</form-login-page>
>     <form-error-page>/login/SecuritySandpitLogin.html</form-error-page>
>   </form-login-config>
> </login-config>
>
> <security-role>
>   <role-name>app1users</role-name>
> </security-role>
> <security-role>
>   <role-name>app2users</role-name>
> </security-role>
> <security-role>
>   <role-name>app3users</role-name>
> </security-role>
>
> The services-config.xml specifies channels and security constraints in
> the following way:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <services-config>
>   <services>
>     <service-include file-path="remoting-config.xml"/>
>   </services>
>
>   <security>
>     <login-command class="flex.messaging.security.WebSphereLoginCommand" server="WebSphere"/>
>     <!-- Uncomment the correct app server
>     <login-command class="flex.messaging.security.JRunLoginCommand" server="JRun"/>
>     <login-command class="flex.messaging.security.WeblogicLoginCommand" server="Weblogic"/>
>     <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
>     -->
>     <security-constraint id="app1-constraint">
>       <auth-method>FORM</auth-method>
>       <roles>
>         <role>app1users</role>
>       </roles>
>     </security-constraint>
>
>     <security-constraint id="app2-constraint">
>       <auth-method>FORM</auth-method>
>       <roles>
>         <role>app2users</role>
>       </roles>
>     </security-constraint>
>
>     <security-constraint id="app3-constraint">
>       <auth-method>FORM</auth-method>
>       <roles>
>         <role>app3users</role>
>       </roles>
>     </security-constraint>
>
>     <security-constraint id="login-constraint">
>       <auth-method>FORM</auth-method>
>       <roles>
>         <role>app1users</role>
>         <role>app2users</role>
>         <role>app3users</role>
>       </roles>
>     </security-constraint>
>
>   </security>
>
>   <channels>
>     <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
>       <endpoint uri="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"
>                 class="flex.messaging.endpoints.AMFEndpoint"/>
>       <properties>
>         <polling-enabled>false</polling-enabled>
>       </properties>
>     </channel-definition>
>
>     <channel-definition id="amf-polling" class="mx.messaging.channels.AMFChannel">
>       <endpoint uri="http://{server.name}:{server.port}/{context.root}/messagebroker/amf-polling"
>                 class="flex.messaging.endpoints.AMFEndpoint"/>
>       <properties>
>         <polling-enabled>true</polling-enabled>
>         <polling-interval-seconds>10</polling-interval-seconds>
>       </properties>
>     </channel-definition>
>   </channels>
>
>   <logging>
>     <target class="flex.messaging.log.ConsoleTarget" level="debug">
>       <properties>
>         <prefix>[Flex] </prefix>
>         <includeDate>false</includeDate>
>         <includeTime>true</includeTime>
>         <includeLevel>false</includeLevel>
>         <includeCategory>false</includeCategory>
>       </properties>
>     </target>
>   </logging>
>
>   <system>
>     <redeploy>
>       <enabled>true</enabled>
>       <watch-interval>20</watch-interval>
>       <watch-file>{context.root}/WEB-INF/flex/remoting-config.xml</watch-file>
>       <watch-file>{context.root}/WEB-INF/flex/services-config.xml</watch-file>
>       <touch-file>{context.root}/WEB-INF/web.xml</touch-file>
>     </redeploy>
>   </system>
>
> </services-config>
>
> The destinations are just like below:
>
> <destination id="app1-default">
>   <properties>
>     <source>com.mdsuk.poc.flex.destination.App1Destination</source>
>   </properties>
>   <channels>
>     <channel ref="my-amf"/>
>   </channels>
>   <security>
>     <security-constraint ref="app1-constraint"/>
>   </security>
> </destination>
>
> <destination id="app2-default">
>   <properties>
>     <source>com.mdsuk.poc.flex.destination.App2Destination</source>
>   </properties>
>   <channels>
>     <channel ref="app2-amf"/>
>   </channels>
>   <security>
>     <security-constraint ref="app2-constraint"/>
>   </security>
> </destination>
>
> <destination id="app3-default">
>   <properties>
>     <source>com.mdsuk.poc.flex.destination.App3Destination</source>
>   </properties>
>   <channels>
>     <channel ref="my-amf"/>
>   </channels>
>   <security>
>     <security-constraint ref="app3-constraint"/>
>   </security>
> </destination>
>
> <destination id="login-custom">
>   <properties>
>     <source>com.mdsuk.poc.flex.destination.LoginDestination</source>
>   </properties>
>   <channels>
>     <channel ref="my-amf"/>
>   </channels>
>   <security>
>     <security-constraint ref="login-constraint"/>
>   </security>
> </destination>
>
> For now we decided to go with Custom security since it seems to work
> without any problems, however I would be glad to know why FORM-based
> security does not work for us. It seems to me that Websphere and its
> security mechanisms do not integrate properly with Flex.
>
> Thanks for help,
> Bartek
>
> --- In [email protected], "Dimitrios Gianninas" <dimitrios.gianninas@> wrote:
> >
> > So both the jsp and swf are under the same context? Hmmm sounds like it should work.
> > Time to call Adobe support... don't know what else to tell you. If something comes to mind I will.
> >
> > What does your services-config.xml, remoting-config.xml and web.xml look like? the roles and such
> >
> > Dimitrios Gianninas
> > RIA Developer
> > Optimal Payments Inc.
> >
> > ________________________________
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of baardos
> > Sent: Thursday, December 14, 2006 10:22 AM
> > To: [email protected]
> > Subject: [flexcoders] Re: Form-based auth on Websphere
> >
> > Hi Dimitrios,
> >
> > I've checked it and the JSESSION cookie's name remains the same and
> > the path is '/' so theoretically it should work fine...
> >
> > Thanks,
> > Bartek
> >
> > --- In [email protected], "Dimitrios Gianninas" <dimitrios.gianninas@> wrote:
> > >
> > > Your understanding is correct. My app works that way too... we have:
> > >
> > > https://someurl/falcon/login.jsp
> > > https://someurl/billing/billing.swf
> > >
> > > So user logs in and then at some point goes to the billing.swf and
> > > everything works. If you try to access the swf directly all RO calls
> > > fail. This is on Weblogic 8.1SP3. The login page uses j_security_check
> > > as well. So same in your case... one thing to be careful of is that if
> > > your login page and swf are under different contexts then you have to
> > > make sure they have the same cookie name, or it won't work. Is that
> > > your case?
> > >
> > > Dimitrios Gianninas
> > > RIA Developer
> > > Optimal Payments Inc.
> > >
> > > ________________________________
> > >
> > > From: [email protected] [mailto:[email protected]] On Behalf Of baardos
> > > Sent: Thursday, December 14, 2006 9:03 AM
> > > To: [email protected]
> > > Subject: [flexcoders] Re: Form-based auth on Websphere
> > >
> > > Hi Dimitrios,
> > >
> > > Thanks for your answer. Here I go with explanation.
> > > 1. I gave it a try and it works however Tomcat does not require this.
> > > 2. The login SWF could be just a HTML page with a form submitting
> > > credentials for j_security_check. The idea is to protect the core app
> > > in web.xml. In that way all resources are protected: channels and
> > > the app itself.
> > > 3. My assumption is that if a user is authenticated via container it
> > > should maintain its credentials and should associate them with its
> > > session. For a workaround in point 1, username and password can be
> > > stored in a SharedObject and then retrieved in the core app.
> > >
> > > It seems to me that when the user submits its credentials to the
> > > j_security_check they are not propagated to Flex. I've decompiled the
> > > WebsphereLoginCommand and by debugging it I can see that
> > > doAuthenticate method is invoked only if the setCredentials method is
> > > set explicitly. Is it the way it should work? How then Tomcat's
> > > behaviour should be explained - is it just a side effect?
> > >
> > > Cheers,
> > > Bartek
> > >
> > > --- In [email protected], "Dimitrios Gianninas" <dimitrios.gianninas@> wrote:
> > > >
> > > > Things to try:
> > > >
> > > > 1) set the remote credentials on the ro in the core app for test to see if it works
> > > >
> > > > 2) why have two SWFs?
> > > >
> > > > 3) the second swf doesn't have a credential info to pass to the server and since you locked down the RO it is failing
> > > >
> > > > Dimitrios Gianninas
> > > > RIA Developer
> > > > Optimal Payments Inc.
> > > >
> > > > ________________________________
> > > >
> > > > From: [email protected] [mailto:[email protected]] On Behalf Of baardos
> > > > Sent: Tuesday, December 12, 2006 9:28 AM
> > > > To: [email protected]
> > > > Subject: [flexcoders] Form-based auth on Websphere
> > > >
> > > > Hi,
> > > >
> > > > I have a problem with FORM based auth on Websphere or rather what
> > > > happens afterwards when a remote object calls a destination.
> > > >
> > > > To give some background:
> > > > The app is split in two applications (separate .swf files):
> > > > 1. login screen
> > > > 2. core app
> > > >
> > > > The core app is in protected area. When a user enters valid
> > > > credentials in the login app it is forwarded to the core app. Then
> > > > when a call to a remote object is made I am getting
> > > > Client.Authentication error saying "Login required before
> > > > authorization can proceed".
> > > >
> > > > I've noticed that if prior to sending a request user credentials are
> > > > set on the remote object (with setUserCredentials method) everything
> > > > works fine, however I think that it should not be necessary since the
> > > > server should maintain the credentials - at least it appears to work
> > > > that way when the app is deployed to Tomcat.
> > > >
> > > > I would be grateful for help.
> > > >
> > > > Best regards,
> > > > Bartek Doszczak
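
Added example, not part of the original thread or of any poster's code: a small Python check over the configuration quoted above. It reports web.xml url-patterns whose security-constraint enumerates `<http-method>` elements (under the Servlet spec such a constraint applies only to the listed methods, so omitting the elements covers all methods) and Flex destinations whose `ref` matches no defined `id`. The function names, the `<config>` wrapper and the trimmed XML are constructed for this example, and the descriptors are assumed to carry no XML namespace, as posted.

```python
import xml.etree.ElementTree as ET

# Constructed input: trimmed copies of the config quoted in the thread (no XML namespace).
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/app/*</url-pattern>
    <url-pattern>/messagebroker/*</url-pattern>
    <http-method>DELETE</http-method><http-method>GET</http-method>
    <http-method>POST</http-method><http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>app1users</role-name></auth-constraint>
</security-constraint></web-app>"""

FLEX_XML = """<config>
  <security-constraint id="app1-constraint"/><security-constraint id="app2-constraint"/>
  <channel-definition id="my-amf"/><channel-definition id="amf-polling"/>
  <destination id="app1-default"><channels><channel ref="my-amf"/></channels>
    <security><security-constraint ref="app1-constraint"/></security></destination>
  <destination id="app2-default"><channels><channel ref="app2-amf"/></channels>
    <security><security-constraint ref="app2-constraint"/></security></destination>
</config>"""

def method_limited_patterns(web_xml):
    """Map url-pattern -> listed methods; any method not listed is outside the constraint."""
    found = {}
    for coll in ET.fromstring(web_xml).iter("web-resource-collection"):
        methods = sorted(m.text.strip().upper() for m in coll.findall("http-method"))
        if methods:  # no <http-method> at all means every method is covered
            for pat in coll.findall("url-pattern"):
                found[pat.text.strip()] = methods
    return found

def dangling_refs(flex_xml):
    """Return (destination id, element, ref) for each ref with no matching definition id."""
    root = ET.fromstring(flex_xml)
    defined = {"channel": {c.get("id") for c in root.iter("channel-definition")},
               "security-constraint": {s.get("id") for s in root.iter("security-constraint") if s.get("id")}}
    return [(d.get("id"), tag, el.get("ref"))
            for d in root.iter("destination")
            for tag in defined
            for el in d.iter(tag)
            if el.get("ref") and el.get("ref") not in defined[tag]]

if __name__ == "__main__":
    print(method_limited_patterns(WEB_XML))
    print(dangling_refs(FLEX_XML))
```

On the posted configuration this reports both protected url-patterns as method-limited, and the `app2-default` destination as referencing a channel `app2-amf` that is not among the channel definitions shown.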

