For NIO-based connections to the server, authentication is handled in a
container-specific fashion (in your case using the TomcatLoginCommand) and the
resulting Principal returned by the container is stored in either the
FlexSession or FlexClient instance on the server corresponding to the remote
Flex client. This stored Principal is used for all authorization constraint
checks applied to LCDS destinations/etc., but because NIO endpoints don't use
container threads I suspect that JBoss' EJB container doesn't see this
Principal and can't use it for its own checks.
I'll log an enhancement request/bug for this issue.
As a workaround, you'd need to apply your security constraints at the LCDS
destination level rather than on the EJB methods directly.
Seth
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of taze170171
Sent: Monday, June 23, 2008 3:17 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] AIR/LCDS/EJB Authentication lost when a different RTMP
worker thread is used
Hi!
I am setting up the security for Flex to work together with the EJB 3
Container security. The user should login within the AIR application
via a custom login screen and the authentication should be verified
against the configured JBoss login module. For all further ds
requests the authorization check should be done for every EJB method
by the EJB container. All EJB methods have a
@javax.annotation.security.RolesAllowed(...) annotation.
The EJBs are called within an assembler.
In principle the process works until the EJB is called by a new RTMP
worker thread. Within the new RTMP thread the principal is null and
the authorization fails.
I have set up the security as follows:
* The custom security and Tomcat valve have been set up as described
in the LCDS docs (copy jars, copy context.xml)
* The services-config.xml contains the following part:
...
<security>
    <login-command class="flex.messaging.security.TomcatLoginCommand" server="all" />
    <security-constraint id="basic-read-access">
        <auth-method>Custom</auth-method>
        <roles>
            <role>FLEX</role>
        </roles>
    </security-constraint>
</security>
...
* The data-management-config.xml contains the following part:
<destination id="id">
    <security>
        <security-constraint ref="basic-read-access"/>
    </security>
    <adapter ref="java-dao" />
    ...
* The login is performed within the mxml as follows:
// Connect the DataService first; the login is issued on its ChannelSet once connected.
var token:AsyncToken = ds.connect();
token.addResponder(
    new AsyncResponder(
        function(event:ResultEvent, token:Object = null):void
        {
            if (ds.connected)
            {
                var channelSet:ChannelSet = ds.channelSet;
                // Authenticate against the server-side login command (TomcatLoginCommand).
                var loginToken:AsyncToken = channelSet.login(user, pwd);
                loginToken.addResponder(new AsyncResponder(
                    function(event:ResultEvent, token:Object = null):void
                    {
                        switch (event.result)
                        {
                            case "success":
                                Alert.show("Login success");
...
I get the success result and when the first EJB calls are performed
from the data service assembler the principal is set and the
authorization works.
But if the EJB is called within another RTMP worker thread no
principal is set and the authorization fails.
How can I share the security login context over more than one worker
thread?
Thanks in advance,
taze
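An added example, not code from this thread, from Seth, or from LCDS itself, of the workaround Seth describes: enforce the role on the LCDS side, where the Principal stored in the FlexSession/FlexClient is visible to the assembler regardless of which RTMP worker thread runs the request, instead of relying on @RolesAllowed on the EJB methods. The destination-level <security-constraint> from taze's data-management-config.xml already gates access to the destination; this guard repeats the check programmatically right before the assembler crosses into the EJB. Assumed and not taken from the page: the class and EJB interface names (GuardedOrderAssembler, OrderFacade, findOrders), the AbstractAssembler.fill(List) signature, and the FlexContext.getUserPrincipal(), MessageBroker.getLoginManager() and LoginManager.checkRoles(Principal, List) calls, which I believe exist in LCDS/BlazeDS but should be verified against the installed version.

```java
package example;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import flex.data.assemblers.AbstractAssembler;
import flex.messaging.FlexContext;
import flex.messaging.security.LoginManager;
import flex.messaging.security.SecurityException;

/**
 * Assembler that performs its own role check on the LCDS request thread before
 * delegating to the EJB. Because the EJB container does not see the Principal
 * stored by LCDS when the call arrives on an RTMP worker thread, the EJB methods
 * used by this assembler are assumed to carry no @RolesAllowed constraint
 * (Seth's workaround); this guard plus the destination-level
 * <security-constraint> is the enforcement point for Flex-originated calls.
 */
public class GuardedOrderAssembler extends AbstractAssembler {

    // Same role the destination constraint "basic-read-access" requires.
    private static final List<String> REQUIRED_ROLES = Arrays.asList("FLEX");

    // Placeholder EJB business interface; assumed, not from the thread.
    private final OrderFacade orderFacade;

    public GuardedOrderAssembler(OrderFacade orderFacade) {
        this.orderFacade = orderFacade;
    }

    /**
     * Reject the request unless the Principal LCDS stored for this client at
     * login is present and holds one of the required roles.
     * FlexContext.getUserPrincipal() reads the FlexSession/FlexClient Principal,
     * so it works on any worker thread (assumed API, see lead-in).
     */
    static void requireRoles(List<String> roles) {
        Principal principal = FlexContext.getUserPrincipal();
        if (principal == null) {
            throw deny("No authenticated user on this request");
        }
        // LoginManager.checkRoles delegates to the configured login command
        // (TomcatLoginCommand here), so the role test is the same one the
        // destination constraint applies (assumed API, see lead-in).
        LoginManager loginManager = FlexContext.getMessageBroker().getLoginManager();
        if (loginManager == null || !loginManager.checkRoles(principal, roles)) {
            throw deny("User " + principal.getName() + " lacks required role(s) " + roles);
        }
    }

    private static SecurityException deny(String reason) {
        // SecurityException is the fault type the Flex client receives as a
        // FaultEvent, matching what a failed destination constraint produces.
        SecurityException ex = new SecurityException();
        ex.setMessage(reason);
        return ex;
    }

    /** Fill operation of the destination; checks the role, then calls the EJB. */
    @Override
    public Collection fill(List fillArgs) {
        requireRoles(REQUIRED_ROLES);
        return orderFacade.findOrders();
    }
}
```

The check runs on whichever thread LCDS dispatches the message to, so it does not depend on the container thread association that the EJB container's own check relies on; if the EJB methods are left annotated with @RolesAllowed, calls from RTMP worker threads will still be rejected by JBoss, which is why the workaround moves the constraint out of the EJB.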