For NIO-based connections to the server, authentication is handled in a container-specific fashion (in your case using the TomcatLoginCommand) and the resulting Principal returned by the container is stored in either the FlexSession or FlexClient instance on the server corresponding to the remote Flex client. This stored Principal is used for all authorization constraint checks applied to LCDS destinations/etc., but because NIO endpoints don't use container threads I suspect that JBoss' EJB container doesn't see this Principal and can't use it for its own checks.

I'll log an enhancement request/bug for this issue. As a workaround, you'd need to apply your security constraints at the LCDS destination level rather than on the EJB methods directly.

Seth

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of taze170171
Sent: Monday, June 23, 2008 3:17 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] AIR/LCDS/EJB Authentication lost when a different RTMP worker thread is used

Hi!

I am setting up the security for Flex to work together with the EJB 3 container security. The user should log in within the AIR application via a custom login screen, and the authentication should be verified against the configured JBoss login module. For all further ds requests the authorization check should be done for every EJB method by the EJB container. All EJB methods have a @javax.annotation.security.RolesAllowed(...) annotation. The EJBs are called within an assembler.

In principle the process works until the EJB is called by a new RTMP worker thread. Within the new RTMP thread the principal is null and the authorization fails.

I have set up the security as follows:

* The custom security and Tomcat valve have been set up as described in the LCDS documentation (copy jars, copy context.xml).

* The services-config.xml contains the following part:

    ...
    <security>
        <login-command class="flex.messaging.security.TomcatLoginCommand" server="all" />
        <security-constraint id="basic-read-access">
            <auth-method>Custom</auth-method>
            <roles>
                <role>FLEX</role>
            </roles>
        </security-constraint>
    </security>
    ...

* The data-management-config.xml contains the following part:

    <destination id="id">
        <security>
            <security-constraint ref="basic-read-access"/>
        </security>
        <adapter ref="java-dao" />
        ...

* The login is performed within the mxml as follows:

    var token:AsyncToken = ds.connect();
    // AsyncResponder invokes the result handler as (event, token),
    // so the handler must declare both parameters.
    token.addResponder(new AsyncResponder(
        function(event:ResultEvent, token:Object=null):void {
            if (ds.connected) {
                var channelSet:ChannelSet = ds.channelSet;
                // Authenticate over the same channel set the DataService uses.
                var loginToken:AsyncToken = channelSet.login("user", "pwd");
                loginToken.addResponder(new AsyncResponder(
                    function(event:ResultEvent, token:Object=null):void {
                        switch (event.result) {
                            case "success":
                                Alert.show("Login success");
                                ...

I get the success result, and when the first EJB calls are performed from the data service assembler the principal is set and the authorization works. But if the EJB is called within another RTMP worker thread no principal is set and the authorization fails.

How can I share the security login context over more than one worker thread?

Thanks in advance,
taze
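One way to carry out the workaround Seth describes (enforce the role check on the LCDS side, where the FlexSession/FlexClient Principal is visible, instead of relying on @RolesAllowed in the EJB container) is to have the assembler re-check authorization itself before it delegates to the EJB. The helper below is an added example written for this thread; it is not code from the original posts or from LCDS. It assumes that FlexContext.getUserPrincipal() reflects the stored Principal on the thread that processes the message, that the assembler can be handed the configured LoginCommand instance (the TomcatLoginCommand from services-config.xml), and the class name DestinationAuthorizer and the OrderDao EJB in the usage sketch are hypothetical.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import flex.messaging.FlexContext;
import flex.messaging.security.LoginCommand;

/**
 * Hypothetical helper (not part of LCDS) that an assembler calls before it
 * delegates to an EJB. It re-checks authorization against the Principal that
 * LCDS stores for the FlexSession/FlexClient, which is where the login
 * survives when the call arrives on an RTMP worker thread that the EJB
 * container's security context knows nothing about.
 */
public class DestinationAuthorizer {

    // Role granted by the "basic-read-access" constraint quoted in the thread.
    private static final List<String> READ_ROLES = Arrays.asList("FLEX");

    // The LoginCommand configured in services-config.xml (TomcatLoginCommand
    // in the thread). How the assembler obtains this instance is an
    // assumption; it is passed in here to keep the example self-contained.
    private final LoginCommand loginCommand;

    public DestinationAuthorizer(LoginCommand loginCommand) {
        this.loginCommand = loginCommand;
    }

    /**
     * Returns the authenticated Principal if it holds one of the required
     * roles, otherwise throws. Call this at the top of fill()/getItem()/etc.
     * in the assembler, on whichever thread LCDS dispatched the message to.
     */
    public Principal requireRole(List<String> requiredRoles) {
        // Assumption: FlexContext is populated for the thread processing the
        // current message, so this reflects the FlexSession/FlexClient
        // principal even when the EJB container would see none.
        Principal principal = FlexContext.getUserPrincipal();
        if (principal == null) {
            // Fail closed: an unauthenticated caller never reaches the EJB.
            throw new SecurityException(
                    "No authenticated principal for this Flex session");
        }
        // Same authorization decision the destination-level
        // <security-constraint> makes, reused here per operation.
        if (!loginCommand.doAuthorization(principal, requiredRoles)) {
            throw new SecurityException("Principal " + principal.getName()
                    + " lacks required role(s) " + requiredRoles);
        }
        return principal;
    }

    public Principal requireReadAccess() {
        return requireRole(READ_ROLES);
    }
}

// Sketch of use inside an assembler method (hypothetical OrderDao EJB):
//
//   public Collection fill(List fillArgs) {
//       authorizer.requireReadAccess();   // enforced on the LCDS side
//       return orderDao.findAll();        // @RolesAllowed alone is not
//   }                                     // reliable on an RTMP worker thread
```

The check is deliberately per operation rather than once at login: the destination-level <security-constraint> already gates access to the destination, and this mirrors that decision at the point where the assembler would otherwise trust the EJB container to do it. A java.lang.SecurityException is used so the example compiles against only the two LCDS classes named above; LCDS will surface it to the client as a fault.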