Charles Dale wrote:
> Hi guys,
>
> I've been banging around solutions to this (apparently) simple problem
> for a few months. I still haven't found something I'm happy with.
>
> In our system users load Flex apps off an Apache server, authenticating
> to Apache using Single Sign-On (mod_auth_kerb against an ActiveDirectory
> server). The Flex app then loads/modifies data using HTTPServices to a
> Rails app. Apache passes the authentication details to Rails in a
> header, so I know the username in Rails and can look up groups using LDAP
> on the AD server.
>
> My problem is: how do I quickly and securely pass the name of the logged
> in user to the Flex app running on the client? I've tried the following
> methods:
>
> 1. Use mod_rewrite to redirect the browser to
> app.swf?user=%{REMOTE_USER} and then use ExternalInterface to read the
> user parameter in Flex. -- Can get the user straight away, yay, but it's
> obviously insecure.
>
> 2. Provide a Rails action that reports the authenticated user (and
> groups). -- Not quick enough: I want to know the user straight away at
> app startup so I can display admin functions to admin users. Also the
> HTTPService call seems like unnecessary overhead to me.
>
> Any ideas how to do this? Some options I can think of but I'm not sure
> are possible:
>
> 1. Embed the username in the .swf somehow. I guess this would be a use
> for live-compiled MXML files on the server (but we don't have FDS/LCDS).
>
> 2. Configure Apache to send the username back in the HTTP headers and
> read them using ExternalInterface (possible?). Wouldn't be particularly
> secure. Although all the actual security is in Rails, so even if people
> managed to get the admin interface in Flex they couldn't use it to
> change anything on the server without the correct permissions on their
> user account.
>
> 3. Delay the startup of the Flex app until I get a result from the user
> HTTPService? I don't really want the user to wait though...
>
> 4. Use ExternalInterface to get the authenticated username from the
> browser using JavaScript. No idea if there are JavaScript functions to
> do this but would probably be the best method - no round trip to the
> server.
>
> Ta!
> Charlie
>
>
Hi Charlie,
Here is the way I do that:
1- login is made through a single component connected with the server
over https; call it login.
2- every user has an XML file on the server; this file describes what the
user can do with your app. Call it userDescriptor.
3- the app is one swf which calls the login component.
It runs like this:
- app.swf is launched first but is not visible and only shows login;
- login makes authentication over https;
- if authentication is correct, the server returns the userDescriptor;
- app becomes visible if userDescriptor is correct. And app's behaviour
can be bound to userDescriptor.
There are 2 ways of integrating login with app:
1- login is a swc file, including the HttpService which sends the login
and password over https. This way, app will get userDescriptor from an
eventListener listening for the result event of this HttpService.
2- login is a swf file, including the same HttpService. This way login
will get the userDescriptor from its own event listener listening for the
result event of HttpService and will pass the userDescriptor through a
public MXML variable of app.
If one of these patterns is convenient for you, tell me if you need more
details.
Hervé
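
An added illustration, not part of either message and not code from either poster: a Ruby sketch of the server side of the userDescriptor pattern, in which the descriptor only drives what the Flex UI shows while every action is re-checked against the principal Apache authenticated. The descriptor layout, group names, permission table and sample users are assumptions made for the example.

```ruby
# Added example; all names and data below are hypothetical.
# Constructed sample: groups as an LDAP lookup against AD might return them.
SAMPLE_GROUPS = {
  "cdale" => ["Staff", "FlexAdmins"],
  "herve" => ["Staff"],
}.freeze

# Hypothetical mapping from AD group to actions the Rails app allows.
PERMISSIONS = {
  "Staff"      => %w[view_reports],
  "FlexAdmins" => %w[view_reports edit_users],
}.freeze

# Kerberos principals arrive as user@REALM. Accept only a well-formed
# value and reject anything else instead of trying to repair it.
def username_from_principal(principal)
  m = /\A([A-Za-z0-9._-]+)(?:@[A-Za-z0-9.-]+)?\z/.match(principal.to_s)
  m && m[1].downcase
end

def actions_for(user, groups = SAMPLE_GROUPS)
  groups.fetch(user, []).flat_map { |g| PERMISSIONS.fetch(g, []) }.uniq.sort
end

def xml_escape(s)
  s.to_s.gsub(/[&<>"']/, "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                         '"' => "&quot;", "'" => "&apos;")
end

# Descriptor returned to the Flex client after login. It is a UI hint:
# it decides which controls are displayed, not what the server permits.
def user_descriptor(principal)
  user = username_from_principal(principal) or return nil
  items = actions_for(user).map { |a| %(<action name="#{xml_escape(a)}"/>) }.join
  %(<userDescriptor user="#{xml_escape(user)}">#{items}</userDescriptor>)
end

# Server-side check for each data-changing request. The identity comes from
# the authenticated principal; client_claimed_user is deliberately ignored.
def authorized?(principal, action, client_claimed_user: nil)
  user = username_from_principal(principal)
  !user.nil? && actions_for(user).include?(action)
end
```

A client that edits its copy of the descriptor, or passes another user's name, changes only which controls it sees; `authorized?` still answers from the authenticated principal.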