Hi Grant, Tom

Related to security (without mapping services)...

The latest version (see online documentation) of fluorine supports
authentication and authorization.
The authorization is similar to the one used in AMFPHP (set credentials in
flash and call your "login service" which must have an Authenticate method)

From here fluorine follows the .NET security path: identities and
principals. You authenticate the user (with credentials got from the
setCredentials) then access the user roles (from a database for example) and
finally instantiate a FluorineIdentity or FluorinePrincipal object with
this information and return it to fluorine.

When you get a successful login result back to flash you can clear the
credentials to stop sending the credential header.
For each subsequent request fluorine will restore from the session the
user's principal.

Access control (methods) can be made
- declaratively by using the RoleAttribute on a method (for example
  [Role("admin,user")])
- programmatically as you would do in any .NET code by calling IsInRole on
  the Principal object

Declarative security checks should be used in existing code, as they don't
require changing the function's code (of course you need the source code).


If the ASP.NET application does provide aspx pages (non remoting) you
probably will have already configured the Forms authentication provider.
Please note that fluorine will bypass the Forms authentication used in a
normal asp.net application.
In this scenario the 2 solutions should be combined: when authenticating a
flash remoting request one should use the same code (to authenticate the
user and get its roles) as the one used for Forms authentication.

What is missing (other than service mapping) is a way to specify a number of
services to be exposed only (and restrict all the other "visible" classes
without using explicit access control).

...I cannot see why service mapping is considered secure (?)

Zoli
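
The flow described in the message above, as an added C# sketch that is not part of the original thread and is not Fluorine's own code: one shared credential check builds the principal for both the Forms login and the remoting login service, and a role list such as "admin,user" is checked with IsInRole. It assumes .NET 6 or later and uses only the standard GenericIdentity/GenericPrincipal types; SharedAuthenticator, the in-memory user table, IsAllowed and the "any one listed role grants access" reading of the role list are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;

// Hypothetical helper: a single authentication routine called from both the
// Forms login page and the remoting login service, so neither path is weaker.
public static class SharedAuthenticator
{
    record User(byte[] Salt, byte[] Hash, string[] Roles);

    // Constructed sample user; a real application would load users and roles from its database.
    static readonly Dictionary<string, User> Users = new() { ["alice"] = Make("s3cret-sample", "user") };

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    static User Make(string password, params string[] roles)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return new User(salt, Derive(password, salt), roles);
    }

    // Returns a principal carrying the user's roles, or null when the credentials are rejected.
    public static IPrincipal? Authenticate(string name, string password)
    {
        if (!Users.TryGetValue(name, out var user)) return null;
        if (!CryptographicOperations.FixedTimeEquals(Derive(password, user.Salt), user.Hash)) return null;
        return new GenericPrincipal(new GenericIdentity(name), user.Roles);
    }

    // Programmatic check for a comma-separated role list such as "admin,user"
    // (assumption: holding any one listed role grants access). Denies when there is no principal.
    public static bool IsAllowed(IPrincipal? principal, string roleList) =>
        principal != null && roleList.Split(',').Any(r => principal.IsInRole(r.Trim()));
}

public static class Demo
{
    public static void Main()
    {
        var ok = SharedAuthenticator.Authenticate("alice", "s3cret-sample");
        var bad = SharedAuthenticator.Authenticate("alice", "wrong-password");
        Console.WriteLine(SharedAuthenticator.IsAllowed(ok, "admin,user"));  // alice holds "user"
        Console.WriteLine(SharedAuthenticator.IsAllowed(ok, "admin"));       // alice lacks "admin"
        Console.WriteLine(SharedAuthenticator.IsAllowed(bad, "admin,user")); // login was rejected
    }
}
```
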

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 7:15 PM
To: [email protected]
Subject: Re: [osflash] florine


I use fluorine, works great, I'm not using class mapping yet but will be
shortly.

I've also used openAMF a lot and found I get up and running with fluorine
faster.  The only issue you could have with fluorine right now is it doesn't
map services, it exposes objects, so if you have an application deployed and
know the name of the class and the method then you can call it through
fluorine, so right now it's not secure.  I have to look into this to see if
there is a simple change to the application xml to lock down fluorine access
to a certain package or class.

Grant


----- Original Message -----
From: Tom Rhodes [EMAIL PROTECTED]
To: [email protected]
Sent: 2/6/06 12:08 PM
Subject: [osflash] florine

> hey all,
> 
> can anyone share some experiences they have had using remoting in an 
> asp.net environment please?
> 
> I'm especially interested in using fluorine, and I'm intrigued by the
> class mapping feature as a nice way to work with an existing .net set 
> of classes to produce a new front end.
> 
> thanks in advance,
> 
> tom.
> 
> 
> _______________________________________________
> osflash mailing list
> [email protected]
> http://osflash.org/mailman/listinfo/osflash_osflash.org


