It's very involved, intense and a big PIA. I think the architecture design will work because it's similar to our SOAP-based system that allows users from external sites to access our system without logging in: it works on sessions by first obtaining a temporary server session. It's probably best not to archive this on the web, because people may surely find a way around it, like Windows Media DRM ;)
Storm wrote:
> Nice work you're doing here Dan. This sounds really interesting for
> stronger security needs; I'll be following your steps if I have time
> for that!
>
> Cheers
>
> Carlos
>
> On 6/8/07, Dan Rossi <[EMAIL PROTECTED]> wrote:
>
> Finally got somewhere: this example authenticates a scripted AMF client
> using the simple login file. Now I need to work out how to return
> temporary session hashes from Acegi, to reauthenticate afterwards via the
> Flash client, which checks the session is valid. It requires including the
> Spring DAO jar file, which the example doesn't explain.
>
> import java.util.HashMap;
>
> import org.acegisecurity.BadCredentialsException;
> import org.acegisecurity.providers.ProviderManager;
> import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
> import org.red5.server.api.IScope;
> import org.red5.server.api.Red5;
>
> public class TokenService {
>
>     // Not used by getToken() yet; kept for the digest helper below.
>     private String saltKey = "thesaltpass";
>     private String hashword;
>     private String newhash;
>
>     // Invoked over AMF as feedService.getToken with one argument: a map
>     // carrying "username" and "password" (clientID and client_host are
>     // sent too but not checked in this version).
>     public Object getToken(Object[] token) {
>         final HashMap m = (HashMap) token[0];
>
>         UsernamePasswordAuthenticationToken t = new UsernamePasswordAuthenticationToken(
>                 m.get("username"), m.get("password"));
>
>         // Fetch the Acegi authentication manager from the Spring context
>         // of the connection's scope (needs the spring-dao jar on the classpath).
>         IScope connectionScope = Red5.getConnectionLocal().getScope();
>         ProviderManager mgr = (ProviderManager) connectionScope.getContext()
>                 .getBean("authenticationManager");
>
>         try {
>             t = (UsernamePasswordAuthenticationToken) mgr.authenticate(t);
>         } catch (BadCredentialsException ex) {
>             return "Wrong login information";
>         }
>
>         if (t.isAuthenticated()) {
>             // Placeholder for the temporary token: hashCode() is neither
>             // secret nor unpredictable, so a real token needs a random value.
>             return t.hashCode();
>         }
>
>         return "";
>     }
>
>     /*
>     public String getMessageDigest(String token) {
>         try {
>             java.security.MessageDigest md = java.security.MessageDigest.getInstance("MD5");
>             md.update(token.getBytes());
>             java.math.BigInteger hash = new java.math.BigInteger(1, md.digest());
>             hashword = hash.toString(16);
>         } catch (java.security.NoSuchAlgorithmException e) {
>             // MD5 is always available in a standard JRE
>         }
>         return hashword;
>     }
>     */
> }
>
> <?php
> include 'SabreAMF/SSLClient.php';
>
> $client = new SabreAMF_SSLClient('http://localhost:5080/feedVOD/gateway');
> // $client->setSSLCert("/www/dev/red5server.cer");
>
> $data = array(
>     'username'    => 'admin',
>     'password'    => 'secretpassword',
>     'clientID'    => '553',
>     'client_host' => $_SERVER["SERVER_NAME"] . $_SERVER['REQUEST_URI'],
> );
>
> $result = $client->sendRequest('feedService.getToken', array($data));
>
> var_dump($result);
> ?>
>
> Dan Rossi wrote:
> > Will get back to the Spring SOAP stuff later; this is kinda the idea to
> > authenticate the page and the client:
> >
> > <?php
> > include 'SabreAMF/Client.php';
> >
> > $client = new SabreAMF_Client('https://localhost:5080/myapp/gateway');
> >
> > $data = array(
> >     'username'    => 'username',
> >     'password'    => '2325e',
> >     'clientID'    => '553',
> >     'client_host' => $_SERVER["SERVER_NAME"] . $_SERVER['REQUEST_URI'],
> > );
> >
> > $result = $client->sendRequest('myService.getToken', array($data));
> >
> > var_dump($result);
> > ?>
> >
> > public Object getToken(Object[] token) {
> >     final HashMap m = (HashMap) token[0];
> >     // check anon credentials from hibernate
> >     // do acegi stuff in here, send back temp token
> >     return m.get("username");
> > }
> >
> > Dan Rossi wrote:
> >> Just found an example here, but it's a SOAP service using WS4J. Is there
> >> a SOAP impl in Spring already? So a PHP dynamic script is able to
> >> securely do a SOAP request to obtain a token.
> >>
> >> http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html
> >>
> >> This is waay over my head, but exactly how a security system may work, I
> >> think.
> >>
> >> Dan Rossi wrote:
> >>> nomIad wrote:
> >>>> Hi Dan,
> >>>>
> >>>> I've written the tutorial you're referring to.
> >>>> I've not used this on a clustered machine, but that's not that bad.
> >>>>
> >>>> There is a possibility to share sessions in a database. It's quite fast
> >>>> and redundantly secure.
> >>>>
> >>>> On our cluster we run PHP, but we have NO clustered sessions. The
> >>>> thing is that our load balancer distributes the clients the same way
> >>>> every time. So if a client makes 1000 calls, they would all go to
> >>>> Cluster 1.
> >>>> That's not redundant security, but for our needs it's enough.
> >>>> We don't need a REALLY HIGH AVAILABLE cluster for SESSIONS.
> >>>>
> >>> Ok, well currently we get 10K VOD hits a day on each server, maybe more,
> >>> and I'm not really sure yet about the third-party streams in Windows
> >>> Media which we are porting to Flash.
> >>>
> >>> The problem with protecting Windows Media, when I looked into it, is that
> >>> it's fairly advanced to develop a token-based authentication plugin in C#
> >>> using the API, but the API is poorly documented with minimal resources,
> >>> and building the config management for it requires VC++. I'm needing to
> >>> build something similar for Red5.
> >>>
> >>> I found something with a description of exactly what I may need.
> >>>
> >>> http://eirikhoem.wordpress.com/2007/05/24/ageci-token-vs-php/
> >>>
> >>> I.e. it's going to be impossible to store credential details within a
> >>> client, because the Flash can be decompiled and sniffed. The only method
> >>> I can come up with is using dynamic scripting which can connect to the
> >>> AMF/RPC gateway, authenticate itself with credentials over SSL, obtain
> >>> a token from Acegi and return the temporary token to the Flash client
> >>> which it's also loading into the web page; the Flash client connects
> >>> to Red5, validates the token and returns a longer expiring session. If
> >>> the session expires, the validation happens again.
> >>>
> >>> Here was something I found about clustering Acegi; however, if Red5
> >>> happens to get Terracotta implemented we may not need this?
> >>>
> >>> http://altuure.blogspot.com/2007/04/clustering-acegi.html
> >>>
> >>> I'm liking the idea of an embedded DB like Hibernate or whatever rather
> >>> than SQL. I.e. it's a bit overkill to run MS SQL or Oracle, and I'm not
> >>> fond of running MySQL on Windows servers, as we use them on Linux and
> >>> FreeBSD.
> >>>
> >>>> cu nomIad
> >>>>
> >>>> Dan Rossi wrote:
> >>>>> Dan Rossi wrote:
> >>>>>> Hi, I found this link
> >>>>>> http://jira.red5.org/confluence/display/docs/Red5+and+Acegi+Security
> >>>>>> so I'm trying to work out how to enable Acegi security in our
> >>>>>> application.
> >>>>>>
> >>>>>> However, we kind of need to auto-authorize clients rather than ask for
> >>>>>> logins. With this example, how would it be possible to send some
> >>>>>> information automatically, obtain a temporary session with which the
> >>>>>> client is validated, then relogin to obtain a proper expiring session?
> >>>>>>
> >>>>> Looking a bit further, it seems we may need the sessions shared across
> >>>>> all 3 of the clustered machines. Is this what we need to use with it
> >>>>> also?
> >>>>>
> >>>>> http://www.ja-sig.org/products/cas/
> >>>>>
> >>>>> _______________________________________________
> >>>>> Red5 mailing list
> >>>>> [email protected]
> >>>>> http://osflash.org/mailman/listinfo/red5_osflash.org
> >>>>>
>
> --
> -------------------------------------------------------------------
> If a man speaks in a forest and his wife is not there, is he still wrong?
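The handoff the thread describes (a server-side page script authenticates with the real credentials over SSL and receives a temporary token; the Flash client exchanges that token with Red5 for a longer expiring session; when the session expires the exchange runs again) can be sketched end to end without Red5 or Acegi. The following is an added example written for this page, not code from the thread, from Red5 or from Acegi. It uses HMAC-signed tokens with a key shared by all cluster nodes, so that the temporary token and the session can be validated on any of the three machines without shared session storage; the `USERS` map, the shared key, the TTLs and the `clientID`/`client_host` binding are assumptions standing in for the Acegi `authenticationManager` and the page's `$data` array.

```python
"""Two-step token handoff for a Flash/Red5 client, as a stand-alone sketch.

Step 1: a server-side page script (the PHP in the thread) authenticates with
        the real credentials and receives a short-lived temporary token.
Step 2: the Flash client presents that token to the media server, which
        validates it and issues a longer-lived session token.

Tokens are HMAC-signed with a key shared by all cluster nodes, so any node can
validate them without shared session storage. Names, key and TTLs below are
assumptions for illustration, not Red5 or Acegi APIs.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: the same random key is deployed to every cluster node.
SHARED_KEY = b"replace-with-a-long-random-key-from-secrets.token_bytes(32)"
TEMP_TOKEN_TTL = 30        # seconds the page-issued token stays exchangeable
SESSION_TTL = 3600         # seconds the Flash client's session lasts

# Constructed stand-in for the Acegi authenticationManager lookup.
USERS = {"admin": "secretpassword"}

# Nonces of temporary tokens already exchanged. This set is per node; replay
# protection across the cluster needs a shared store (the thread's DB idea).
_used_nonces = set()


def _sign(body: bytes) -> str:
    mac = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def _mint(kind, username, client_id, client_host, ttl, now):
    # The token is bound to the issuing page (clientID + client_host), carries
    # its own expiry and a nonce so a temp token can be exchanged only once.
    claims = {"k": kind, "u": username, "c": client_id, "h": client_host,
              "exp": int(now) + ttl, "n": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def _parse(token, kind, client_id, client_host, now):
    """Return the claims if signature, kind, client binding and expiry hold."""
    try:
        encoded, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(encoded)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None
    claims = json.loads(body)
    if claims["k"] != kind or claims["c"] != client_id or claims["h"] != client_host:
        return None
    if claims["exp"] <= now:
        return None
    return claims


def get_token(username, password, client_id, client_host, now=None):
    """Step 1 (page script -> gateway over SSL): credentials in, temp token out."""
    now = time.time() if now is None else now
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return _mint("temp", username, client_id, client_host, TEMP_TOKEN_TTL, now)


def validate_token(temp_token, client_id, client_host, now=None):
    """Step 2 (Flash client -> Red5): exchange a temp token once for a session."""
    now = time.time() if now is None else now
    claims = _parse(temp_token, "temp", client_id, client_host, now)
    if claims is None or claims["n"] in _used_nonces:
        return None
    _used_nonces.add(claims["n"])
    return _mint("session", claims["u"], client_id, client_host, SESSION_TTL, now)


def check_session(session_token, client_id, client_host, now=None):
    """Called on later requests; False means the client must redo step 1."""
    now = time.time() if now is None else now
    return _parse(session_token, "session", client_id, client_host, now) is not None


if __name__ == "__main__":
    host = "www.example.test/vod/player"
    temp = get_token("admin", "secretpassword", "553", host)
    session = validate_token(temp, "553", host)
    print("session issued:", session is not None)
    print("replay of temp token rejected:", validate_token(temp, "553", host) is None)
```

The page script never hands the real credentials to the Flash client, only the temporary token, so decompiling the SWF yields nothing reusable beyond a 30-second, single-use value tied to one `clientID` and `client_host`. What the signed design does not give you is cluster-wide replay protection: the `_used_nonces` set lives on one node, so with a load balancer that can send the second exchange to a different machine the nonce check has to move to a shared store, which is the same trade-off nomIad describes for sessions.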
