Nice work you're doing here Dan. This sounds really interesting for stronger
security needs; I'll be following your steps if I have time for that!

Cheers

Carlos

On 6/8/07, Dan Rossi <[EMAIL PROTECTED]> wrote:

Finally got somewhere: this example authenticates a scripted AMF client
using the simple login file. Need to work out now how to return
temporary session hashes from Acegi to reauthenticate after via the
Flash client, which checks the session is valid. Requires including the
Spring DAO jar file, which the example doesn't explain.

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.math.BigInteger;
import java.util.HashMap;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.ProviderManager;
import org.acegisecurity.BadCredentialsException;
import org.red5.server.api.IScope;
import org.red5.server.api.Red5;


public class TokenService {

    private String saltKey = "thesaltpass";
    private String hashword;
    private String newhash;

    // Invoked over AMF with one argument: a map holding "username" and "password".
    public Object getToken(Object[] token)
    {
        final HashMap m = (HashMap)token[0];

        UsernamePasswordAuthenticationToken t =
            new UsernamePasswordAuthenticationToken(m.get("username"), m.get("password"));

        // Look up the Acegi authenticationManager bean from the connection's scope context.
        IScope connectionScope = Red5.getConnectionLocal().getScope();
        ProviderManager mgr =
            (ProviderManager)connectionScope.getContext().getBean("authenticationManager");

        try {
            t = (UsernamePasswordAuthenticationToken)mgr.authenticate(t);
        }
        catch(BadCredentialsException ex)
        {
            return "Wrong login information";
        }

        if (t.isAuthenticated())
        {
            // The authenticated token's hashCode() is handed back as the temporary token.
            // Note: hashCode() is derived from the token's fields, not a random secret.
            return t.hashCode();
        }

        return "";

    }

    /*
    public String getMessageDigest(String token) throws NoSuchAlgorithmException
    {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(token.getBytes());
            BigInteger hash = new BigInteger(1, md.digest());
            hashword = hash.toString(16);
        } catch (NoSuchAlgorithmException e) {

        }
        return hashword;
    }
    */

}


<?php
    include 'SabreAMF/SSLClient.php';

    // Scripted AMF client talking to the Red5 gateway of the feedVOD application.
    $client = new SabreAMF_SSLClient('http://localhost:5080/feedVOD/gateway');
   // $client->setSSLCert("/www/dev/red5server.cer");

    // This map arrives as token[0] in TokenService.getToken on the Java side.
    $data = array(
        'username'    => 'admin',
        'password'    => 'secretpassword',
        'clientID'    => '553',
        'client_host' => $_SERVER["SERVER_NAME"] . $_SERVER['REQUEST_URI']
    );
    $result = $client->sendRequest('feedService.getToken', array($data));

    var_dump($result);

?>



Dan Rossi wrote:
> Will get back to the Spring SOAP stuff later; this is kinda the idea to
> authenticate the page and the client
>
> <?php
>     include 'SabreAMF/Client.php';
>
>     $client = new SabreAMF_Client('https://localhost:5080/myapp/gateway');
>
>     $data = array(
>         'username'    => 'username',
>         'password'    => '2325e',
>         'clientID'    => '553',
>         'client_host' => $_SERVER["SERVER_NAME"] . $_SERVER['REQUEST_URI']
>     );
>     $result = $client->sendRequest('myService.getToken', array($data));
>
>     var_dump($result);
>
> ?>
>
>     public Object getToken(Object[] token)
>     {
>         final HashMap m = (HashMap)token[0];
>         // check anon credentials from hibernate
>         // do acegi stuff in here, send back temp token
>         return m.get("username");
>     }
>
> Dan Rossi wrote:
>
>> Just found an example here, but it's a SOAP service using WS4J. Is there a
>> SOAP impl in Spring already? So a PHP dynamic script is able to securely
>> do a SOAP request to obtain a token.
>>
>> http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html
>>
>> This is waay over my head but exactly how a security system may work I
>> think.
>>
>> Dan Rossi wrote:
>>
>>> nomIad wrote:
>>>
>>>> Hi Dan,
>>>>
>>>> I've written the tutorial you're referring to.
>>>> I've not used this on a clustered machine, but that's not that bad.
>>>>
>>>> There is a possibility to share sessions in a database. It's quite fast
>>>> and redundantly secure.
>>>>
>>>> On our cluster we run PHP, but we have NO clustered sessions. The
>>>> thing is that our load balancer distributes the clients in the same way
>>>> every time. So a client can make 1000 calls, they would all go to
>>>> Cluster 1.
>>>> That's not redundant security, but for our needs it's enough.
>>>> We don't need a REALLY HIGH AVAILABLE cluster for SESSIONS.
>>>>
>>> Ok, well currently we get 10K VOD hits a day on each server, maybe more,
>>> and I'm not really sure on the third-party streams in Windows Media yet
>>> which we are porting to Flash.
>>>
>>> The problem with protecting Windows Media when I looked into it: it's
>>> fairly advanced for developing a token-based authentication plugin in C#
>>> using the API, but the API is poorly documented with minimal resources,
>>> and building the config management for it requires VC++. I'm needing to
>>> build something similar for Red5.
>>>
>>> I found something, a description of exactly what I may need.
>>>
>>> http://eirikhoem.wordpress.com/2007/05/24/ageci-token-vs-php/
>>>
>>> I.e. it's going to be impossible to store credential details within a
>>> client because the Flash can be decompiled and sniffed. The only method
>>> I can come up with is using dynamic scripting which can connect to the
>>> AMF/RPC gateway, authenticate itself with credentials over SSL, obtain
>>> a token from Acegi, return the temporary token to the Flash client which
>>> it's also loading into the webpage; the Flash client connects to Red5,
>>> validates the token and returns a longer-expiring session. If the
>>> session expires the validation happens again.
>>>
>>> Here was something I found about clustering Acegi, however if Red5
>>> happens to get Terracotta implemented we may not need this?
>>>
>>> http://altuure.blogspot.com/2007/04/clustering-acegi.html
>>>
>>> I'm liking the idea of an embedded DB like Hibernate or whatever rather
>>> than SQL. I.e. a bit overkill to run MS SQL or Oracle, and I'm not fond of
>>> running MySQL on Windows servers, as we use them on Linux and FreeBSD.
>>>
>>>> cu nomIad
>>>>
>>>> Dan Rossi wrote:
>>>>
>>>>> Dan Rossi wrote:
>>>>>
>>>>>> Hi, I found this link
>>>>>> http://jira.red5.org/confluence/display/docs/Red5+and+Acegi+Security so
>>>>>> I'm trying to work out how to enable Acegi security in our application.
>>>>>>
>>>>>> However we kind of need to auto-authorize clients rather than ask for
>>>>>> logins. With this example how would it be possible to send some
>>>>>> information automatically, obtain a temporary session that the client is
>>>>>> validated with, then relogin to obtain a proper expiring session?
>>>>>>
>>>>> Looking a bit further it seems we may need the sessions shared across
>>>>> all 3 of the clustered machines. Is this what we need also to use with it?
>>>>>
>>>>> http://www.ja-sig.org/products/cas/
>>>>>
>>>>> _______________________________________________
>>>>> Red5 mailing list
>>>>> [email protected]
>>>>> http://osflash.org/mailman/listinfo/red5_osflash.org


--
-------------------------------------------------------------------
If a man speaks in a forest and his wife is not there, is he still wrong?
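The handoff Dan sketches in the quoted thread (the server-side script authenticates over SSL and receives a temporary token, the Flash client redeems that token for a longer session which is re-validated once it expires), written out as an added example that is not code from the thread, Red5 or Acegi. It assumes Java 8+ for java.util.Base64 and a single server (the clustering question in the thread would need the two maps shared across nodes); the Acegi authentication step itself is left to the caller, and the token is random bytes rather than a derived value such as an object's hashCode.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical temp-token issuer/validator for the two-step handoff (not the thread's code).
// Step 1: the script authenticates (via Acegi in the thread) and gets a temp token;
// step 2: the Flash client redeems that token once for a longer-lived session id.
public class TempTokenService {
    private static final long TOKEN_TTL_MS = 30_000L;       // temp token lives 30 s, single use
    private static final long SESSION_TTL_MS = 3_600_000L;  // session lives 1 h
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Long> pendingTokens = new ConcurrentHashMap<>(); // token -> expiry
    private final Map<String, Long> sessions = new ConcurrentHashMap<>();      // session -> expiry

    // 192 random bits, URL-safe so the value survives query strings and flashvars.
    private String randomId() {
        byte[] b = new byte[24];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Called by the dynamic script after its credentials were accepted server-side.
    public String issueTempToken() {
        String token = randomId();
        pendingTokens.put(token, System.currentTimeMillis() + TOKEN_TTL_MS);
        return token;
    }

    // Called by the Flash client: a known, unexpired token is consumed and becomes a session.
    public String redeemToken(String token) {
        Long expiry = (token == null) ? null : pendingTokens.remove(token); // remove = one use
        if (expiry == null || expiry < System.currentTimeMillis()) {
            return null; // unknown, already used, or expired: client must re-run step 1
        }
        String sessionId = randomId();
        sessions.put(sessionId, System.currentTimeMillis() + SESSION_TTL_MS);
        return sessionId;
    }

    // Checked on each later request; an expired session is dropped so the client re-validates.
    public boolean isSessionValid(String sessionId) {
        Long expiry = (sessionId == null) ? null : sessions.get(sessionId);
        if (expiry == null) return false;
        if (expiry < System.currentTimeMillis()) {
            sessions.remove(sessionId);
            return false;
        }
        return true;
    }
}
```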