Hi guys,
I've been banging around solutions to this (apparently) simple problem
for a few months. I still haven't found something I'm happy with.
In our system users load Flex apps off an Apache server, authenticating
to Apache using Single Sign-On (mod_auth_kerb against an ActiveDirectory
server). The Flex app then loads/modifies data using HTTPServices to a
Rails app. Apache passes the authentication details to Rails in a
header, so I know the username in Rails and can lookup groups using LDAP
on the AD server.
My problem is: how do I quickly and securely pass the name of the logged
in user to the Flex app running on the client? I've tried the following
methods:
1. Use mod_rewrite to redirect the browser to
app.swf?user=%{REMOTE_USER} and then use ExternalInterface to read the
user parameter in Flex. -- Can get the user straight away, yay, but it's
obviously insecure.
2. Provide a Rails action that reports the authenticated user (and
groups). -- Not quick enough: I want to know the user straight away at
app startup so I can display admin functions to admin users. Also the
HTTPService call seems like unnecessary overhead to me.
Any ideas how to do this? Some options I can think of but I'm not sure
are possible:
1. Embed the username in the .swf somehow. I guess this would be a use
for live-compiled MXML files on the server (but we don't have FDS/LCDS).
2. Configure Apache to send the username back in the HTTP headers and
read them using ExternalInterface (possible?). Wouldn't be particularly
secure. Although all the actual security is in Rails, so even if people
managed to get the admin interface in Flex they couldn't use it to
change anything on the server without the correct permissions on their
user account.
3. Delay the startup of the Flex app until I get a result from the user
HTTPService? I don't really want the user to wait though...
4. Use ExternalInterface to get the authenticated username from the
browser using JavaScript. No idea if there are JavaScript functions to
do this but would probably be the best method - no round trip to the server.
Ta!
Charlie
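Added example (editor's, not code from Charlie's setup): a Rack-style Ruby sketch of the server side of option 2 above, plus the wrapper-page variant of option 1, built around the one point that makes any of the listed approaches safe: whatever the SWF learns about its user is a display hint, and the admin decision is taken in Rails from the Apache-asserted principal and the directory groups. The header name X-Remote-User, the paths, and the group table are assumptions; the group data is constructed in place of the LDAP lookup.

```ruby
require 'json'
require 'cgi'

# Constructed stand-in for the LDAP group lookup against AD (username -> groups).
# Hypothetical data; the real Rails app would query the directory here.
GROUPS = {
  'charlie@EXAMPLE.COM' => ['Domain Users', 'FlexAdmins'],
  'alice@EXAMPLE.COM'   => ['Domain Users'],
}.freeze

ADMIN_GROUP = 'FlexAdmins'.freeze

TEXT   = { 'Content-Type' => 'text/plain' }.freeze
JSON_T = { 'Content-Type' => 'application/json' }.freeze
HTML_T = { 'Content-Type' => 'text/html' }.freeze

# The principal mod_auth_kerb verified, as forwarded by Apache. Assumption: Apache
# sets a header named X-Remote-User (seen by Rack as HTTP_X_REMOTE_USER) and
# overwrites any copy the browser sent, and Rails is reachable only via Apache.
# Under those conditions this value is trustworthy; nothing else in the request is.
def authenticated_user(env)
  user = env['HTTP_X_REMOTE_USER'].to_s.strip
  user.empty? ? nil : user
end

def groups_for(user)
  GROUPS.fetch(user, [])
end

def admin?(user)
  groups_for(user).include?(ADMIN_GROUP)
end

# Startup call for the Flex client: who Apache says you are, plus groups.
# This only drives what the UI shows; it grants nothing by itself.
def whoami(env)
  user = authenticated_user(env)
  return [401, TEXT, ['not authenticated']] unless user
  body = { 'user' => user, 'groups' => groups_for(user), 'admin' => admin?(user) }
  [200, JSON_T, [JSON.generate(body)]]
end

# Wrapper page that embeds the SWF and hands the username over as a FlashVar,
# so the app knows its user at startup with no extra round trip. The value is
# URL-encoded for the flashvars syntax and then HTML-escaped for the attribute:
# the principal comes from AD, but it still lands inside markup.
def wrapper_html(env)
  user = authenticated_user(env)
  return [401, TEXT, ['not authenticated']] unless user
  flashvars = CGI.escapeHTML("user=#{CGI.escape(user)}")
  html = "<html><body><embed src=\"app.swf\" flashvars=\"#{flashvars}\" " \
         "type=\"application/x-shockwave-flash\"></body></html>\n"
  [200, HTML_T, [html]]
end

# The privileged action. Authorization is decided here from the Apache-asserted
# principal and the directory groups; headers or parameters the SWF adds
# (for example a client-side "I am admin" flag) are never consulted.
def admin_action(env)
  user = authenticated_user(env)
  return [401, TEXT, ['not authenticated']] unless user
  return [403, TEXT, ["#{user} is not in #{ADMIN_GROUP}"]] unless admin?(user)
  [200, TEXT, ["admin action performed by #{user}"]]
end

# Minimal router over a Rack-style env hash (hypothetical paths).
def route(env)
  case env['PATH_INFO']
  when '/app'           then wrapper_html(env)
  when '/whoami'        then whoami(env)
  when '/admin/reindex' then admin_action(env)
  else [404, TEXT, ['not found']]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests, shaped as Apache would hand them to Rails.
  [
    { 'PATH_INFO' => '/app',           'HTTP_X_REMOTE_USER' => 'alice@EXAMPLE.COM' },
    { 'PATH_INFO' => '/whoami',        'HTTP_X_REMOTE_USER' => 'charlie@EXAMPLE.COM' },
    { 'PATH_INFO' => '/admin/reindex', 'HTTP_X_REMOTE_USER' => 'charlie@EXAMPLE.COM' },
    # alice's client claims admin status; the server never looks at that flag
    { 'PATH_INFO' => '/admin/reindex', 'HTTP_X_REMOTE_USER' => 'alice@EXAMPLE.COM', 'HTTP_X_ADMIN' => 'true' },
    { 'PATH_INFO' => '/admin/reindex' },
  ].each do |env|
    status, _, body = route(env)
    puts "#{env['PATH_INFO']} as #{env['HTTP_X_REMOTE_USER'] || '(nobody)'} -> #{status} #{body.first.strip}"
  end
end
```

Two caveats the code relies on rather than enforces: a browser can send its own X-Remote-User header, so the Apache side has to overwrite that header with REMOTE_USER on every proxied request (mod_headers' RequestHeader set does this) and Rails must not be reachable except through Apache. With that in place, the username can be handed to the SWF by any of the channels in the post (query string, FlashVar, JSON); a user who edits it only changes which buttons they see, because the admin route re-derives the decision from the proxied principal on every call.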