[flexcoders] Re: Form-based auth on Websphere

2006-12-22 Thread baardos
It works fine without any problems. The only thing I was struggling
with was Secure RTMP but it works fine as well now.

Thanks for your help!
Cheers,
Bartek

--- In flexcoders@yahoogroups.com, "Dimitrios Gianninas"
<[EMAIL PROTECTED]> wrote:
>
> Custom is the right thing to use in your services-config.xml. So it's
> working fine now?
>  
> Dimitrios Gianninas
> RIA Developer
> Optimal Payments Inc.
>  
> 
> 
> 
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED]
> On Behalf Of baardos
> Sent: Tuesday, December 19, 2006 8:55 AM
> To: flexcoders@yahoogroups.com
> Subject: [flexcoders] Re: Form-based auth on Websphere
> 
> 
> 
> Hi Dimitrios,
> 
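> Content of the config is pretty straightforward. There are 3 roles,
> each one for accessing a separate set of functionality provided by
> external applications.
> 
> This is what the web.xml security constraint looks like:
> 
> <security-constraint>
>   <display-name>Protect App</display-name>
>   <web-resource-collection>
>     <web-resource-name>Core Application</web-resource-name>
>     <url-pattern>/app/*</url-pattern>
>     <url-pattern>/messagebroker/*</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>app1users</role-name>
>     <role-name>app2users</role-name>
>     <role-name>app3users</role-name>
>   </auth-constraint>
> </security-constraint>
> 
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/login/SecuritySandpitLogin.html</form-login-page>
>     <form-error-page>/login/SecuritySandpitLogin.html</form-error-page>
>   </form-login-config>
> </login-config>
> 
> <security-role>
>   <role-name>app1users</role-name>
> </security-role>
> <security-role>
>   <role-name>app2users</role-name>
> </security-role>
> <security-role>
>   <role-name>app3users</role-name>
> </security-role>
> 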
> 
> The services-config.xml specifies channels and security constraints in
> the following way:
> 
> 
> 
> 
> 
> 
> 
> 
>  class="flex.messaging.security.WebSphereLoginCommand"
server="WebSphere"/>
>  
> 
> FORM
> 
> app1users
> 
>  
> 
> 
> FORM
> 
> app2users
> 
>  
> 
> 
> FORM
> 
> app3users
> 
>  
> 
> 
> FORM
> 
> app1users
> app2users
> app3users
> 
>  
> 
> 
> 
> 
>  class="mx.messaging.channels.AMFChannel">
> 
uri="http://{server.name}:{server.port}/{context.root}/messagebroker/amf";
> class="flex.messaging.endpoints.AMFEndpoint"/>
> 
> false
> 
> 
> 
>  class="mx.messaging.channels.AMFChannel">
> 
uri="http://{server.name}:{server.port}/{context.root}/messagebroker/amf-polling";
> class="flex.messaging.endpoints.AMFEndpoint"/>
> 
> true
> 10
> 
> 
> 
> 
> 
> 
> 
> [Flex] 
> false
> true
> false
> false
> 
> 
> 
> 
> 
> 
> true
> 20
> 
> {context.root}/WEB-INF/flex/remoting-config.xml
> 
> {context.root}/WEB-INF/flex/services-config.xml
> {context.root}/WEB-INF/web.xml
> 
> 
> 
> 
> 
> The destinations are just like below:
> 
> 
> 
> com.mdsuk.poc.flex.destination.App1Destination
> 
> 
> 
> 
> 
> 
>  
> 
> 
> 
> 
> com.mdsuk.poc.flex.destination.App2Destination
> 
> 
> 
> 
> 
> 
>  
> 
> 
> 
> 
> com.mdsuk.poc.flex.destination.App3Destination
> 
> 
> 
> 
> 
> 
>  
> 
> 
> 
> 
> 
> com.mdsuk.poc.flex.destination.LoginDestination
> 
> 
> 
>  
> 
> 
>  
> 
> 
> For now we decided to go with Custom security since it seems to work
> without any problems, however I would be glad to know why FORM-based
> security does not work for us. It seems to me that Websphere and its
> security mechanisms do not integrate properly with Flex.
> 
> Thanks for help,
> Bartek
> 

RE: [flexcoders] Re: Form-based auth on Websphere

2006-12-19 Thread Dimitrios Gianninas
Custom is the right thing to use in your services-config.xml. So it's working
fine now?
 
Dimitrios Gianninas
RIA Developer
Optimal Payments Inc.
 



From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of baardos
Sent: Tuesday, December 19, 2006 8:55 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: Form-based auth on Websphere



Hi Dimitrios,

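Content of the config is pretty straightforward. There are 3 roles,
each one for accessing a separate set of functionality provided by
external applications.

This is what the web.xml security constraint looks like:

<security-constraint>
  <display-name>Protect App</display-name>
  <web-resource-collection>
    <web-resource-name>Core Application</web-resource-name>
    <url-pattern>/app/*</url-pattern>
    <url-pattern>/messagebroker/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>app1users</role-name>
    <role-name>app2users</role-name>
    <role-name>app3users</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login/SecuritySandpitLogin.html</form-login-page>
    <form-error-page>/login/SecuritySandpitLogin.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>app1users</role-name>
</security-role>
<security-role>
  <role-name>app2users</role-name>
</security-role>
<security-role>
  <role-name>app3users</role-name>
</security-role>
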

The services-config.xml specifies channels and security constraints in
the following way:









 

FORM

app1users

 


FORM

app2users

 


FORM

app3users

 


FORM

app1users
app2users
app3users

 





http://{server.name}:{server.port}/{context.root}/messagebroker/amf";
class="flex.messaging.endpoints.AMFEndpoint"/>

false




http://{server.name}:{server.port}/{context.root}/messagebroker/amf-polling";
class="flex.messaging.endpoints.AMFEndpoint"/>

true
10







[Flex] 
false
true
false
false






true
20

{context.root}/WEB-INF/flex/remoting-config.xml

{context.root}/WEB-INF/flex/services-config.xml
{context.root}/WEB-INF/web.xml





The destinations are just like below:



com.mdsuk.poc.flex.destination.App1Destination






 




com.mdsuk.poc.flex.destination.App2Destination






 




com.mdsuk.poc.flex.destination.App3Destination






 





com.mdsuk.poc.flex.destination.LoginDestination



 


 


For now we decided to go with Custom security since it seems to work
without any problems, however I would be glad to know why FORM-based
security does not work for us. It seems to me that Websphere and its
security mechanisms do not integrate properly with Flex.

Thanks for help,
Bartek


[flexcoders] Re: Form-based auth on Websphere

2006-12-19 Thread baardos
Hi Dimitrios,

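Content of the config is pretty straightforward. There are 3 roles,
each one for accessing a separate set of functionality provided by
external applications.

This is what the web.xml security constraint looks like:

<security-constraint>
  <display-name>Protect App</display-name>
  <web-resource-collection>
    <web-resource-name>Core Application</web-resource-name>
    <url-pattern>/app/*</url-pattern>
    <url-pattern>/messagebroker/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>app1users</role-name>
    <role-name>app2users</role-name>
    <role-name>app3users</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login/SecuritySandpitLogin.html</form-login-page>
    <form-error-page>/login/SecuritySandpitLogin.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>app1users</role-name>
</security-role>
<security-role>
  <role-name>app2users</role-name>
</security-role>
<security-role>
  <role-name>app3users</role-name>
</security-role>
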


The services-config.xml specifies channels and security constraints in
the following way:









   

FORM

app1users

   


FORM

app2users

   

   
FORM

app3users

   

   
FORM

app1users
app2users
app3users

   






http://{server.name}:{server.port}/{context.root}/messagebroker/amf";
class="flex.messaging.endpoints.AMFEndpoint"/>

false




http://{server.name}:{server.port}/{context.root}/messagebroker/amf-polling";
class="flex.messaging.endpoints.AMFEndpoint"/>

true
10







[Flex] 
false
true
false
false

 




true
20
   
{context.root}/WEB-INF/flex/remoting-config.xml
   
{context.root}/WEB-INF/flex/services-config.xml
{context.root}/WEB-INF/web.xml





The destinations are just like below:




com.mdsuk.poc.flex.destination.App1Destination






 





com.mdsuk.poc.flex.destination.App2Destination






 





com.mdsuk.poc.flex.destination.App3Destination






 






com.mdsuk.poc.flex.destination.LoginDestination



 


 


For now we decided to go with Custom security since it seems to work
without any problems, however I would be glad to know why FORM-based
security does not work for us. It seems to me that Websphere and its
security mechanisms do not integrate properly with Flex.

Thanks for help,
Bartek

--- In flexcoders@yahoogroups.com, "Dimitrios Gianninas"
<[EMAIL PROTECTED]> wrote:
>
> So both the jsp and swf are under the same context? Hmmm sounds like
> it should work.
> Time to call Adobe support... don't know what else to tell you. If
> something comes to mind I will.
>  
> What does your services-config.xml, remoting-config.xml and web.xml
> look like? the roles and such
>  
> Dimitrios Gianninas
> RIA Developer
> Optimal Payments Inc.
>  

RE: [flexcoders] Re: Form-based auth on Websphere

2006-12-14 Thread Dimitrios Gianninas
So both the jsp and swf are under the same context? Hmmm sounds like it should 
work.
Time to call Adobe support... don't know what else to tell you. If something 
comes to mind I will.
 
What does your services-config.xml, remoting-config.xml and web.xml look like? 
the roles and such
 
Dimitrios Gianninas
RIA Developer
Optimal Payments Inc.
 



From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of baardos
Sent: Thursday, December 14, 2006 10:22 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: Form-based auth on Websphere



Hi Dimitrios,

I've checked it and the JSESSION cookie's name remains the same and
the path is '/' so theoretically it should work fine...

Thanks,
Bartek


[flexcoders] Re: Form-based auth on Websphere

2006-12-14 Thread baardos
A small update: when the first amf request is kicked off the response
status is 200 OK but there is a Set-Cookie header set with a new session
id. Any ideas why it happens?

Thanks,
Bartek

--- In flexcoders@yahoogroups.com, "baardos" <[EMAIL PROTECTED]> wrote:
>
> Hi Dimitrios,
> 
> I've checked it and the JSESSION cookie's name remains the same and
> the path is '/' so theoretically it should work fine...
> 
> Thanks,
> Bartek
> 

[flexcoders] Re: Form-based auth on Websphere

2006-12-14 Thread baardos
Hi Dimitrios,

I've checked it and the JSESSION cookie's name remains the same and
the path is '/' so theoretically it should work fine...

Thanks,
Bartek


--- In flexcoders@yahoogroups.com, "Dimitrios Gianninas"
<[EMAIL PROTECTED]> wrote:
>
> Your understanding is correct. My app works that way too... we have:
>  
> https://someurl/falcon/login.jsp
> https://someurl/billing/billing.swf
>  
> So user logs in and then at some point goes to the billing.swf and
> everything works. If you try to access the swf directly all RO calls
> fail. This is on Weblogic 8.1SP3. The login page uses j_security_check
> as well. So same in your case... one thing to be careful of is that if
> your login page and swf are under different contexts then you have to
> make sure they have the same cookie name, or it won't work. Is that
> your case?
>  
> Dimitrios Gianninas
> RIA Developer
> Optimal Payments Inc.
>  

RE: [flexcoders] Re: Form-based auth on Websphere

2006-12-14 Thread Dimitrios Gianninas
Your understanding is correct. My app works that way too... we have:
 
https://someurl/falcon/login.jsp
https://someurl/billing/billing.swf
 
So user logs in and then at some point goes to the billing.swf and everything 
works. If you try to access the swf directly all RO calls fail. This is on 
Weblogic 8.1SP3. The login page uses j_security_check as well. So same in your 
case... one thing to be careful of is that if your login page and swf are under 
different contexts then you have to make sure they have the same cookie name, 
or it won't work. Is that your case?
 
Dimitrios Gianninas
RIA Developer
Optimal Payments Inc.
 



From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of baardos
Sent: Thursday, December 14, 2006 9:03 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: Form-based auth on Websphere



Hi Dimitrios,

Thanks for your answer. Here I go with explanation.
1. I gave it a try and it works however Tomcat does not require this.
2. The login SWF could be just a HTML page with a form submitting
credentials for j_security_check. The idea is to protect the core app
in web.xml. In that way all resources are protected: channels and
the app itself.
3. My assumption is that if a user is authenticated via container it
should maintain its credentials and should associate them with its
session. For a workaround in point 1, username and password can be
stored in a SharedObject and then retrieved in the core app.

It seems to me that when the user submits its credentials to the
j_security_check they are not propagated to Flex. I've decompiled the
WebsphereLoginCommand and by debugging it I can see that
doAuthenticate method is invoked only if the setCredentials method is
set explicitly. Is it the way it should work? How then Tomcat's
behaviour should be explained - is it just a side effect?

Cheers,
Bartek


[flexcoders] Re: Form-based auth on Websphere

2006-12-14 Thread baardos
Hi Dimitrios,

Thanks for your answer. Here I go with explanation.
1. I gave it a try and it works however Tomcat does not require this.
2. The login SWF could be just a HTML page with a form submitting
credentials for j_security_check. The idea is to protect the core app
in web.xml. In that way all resources are protected: channels and
the app itself.
3. My assumption is that if a user is authenticated via container it
should maintain its credentials and should associate them with its
session. For a workaround in point 1, username and password can be
stored in a SharedObject and then retrieved in the core app.

It seems to me that when the user submits its credentials to the
j_security_check they are not propagated to Flex. I've decompiled the
WebsphereLoginCommand and by debugging it I can see that
doAuthenticate method is invoked only if the setCredentials method is
set explicitly. Is it the way it should work? How then Tomcat's
behaviour should be explained - is it just a side effect?

Cheers,
Bartek

--- In flexcoders@yahoogroups.com, "Dimitrios Gianninas"
<[EMAIL PROTECTED]> wrote:
>
> Things to try:
>  
> 1) set the remote credentials on the ro in the core app for test to
> see if it works
>  
> 2) why have two SWFs?
>  
> 3) the second swf doesn't have a credential info to pass to the
> server and since you locked down the RO it is failing
>  
> Dimitrios Gianninas
> RIA Developer
> Optimal Payments Inc.
>  
> 
> 
> 
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED]
> On Behalf Of baardos
> Sent: Tuesday, December 12, 2006 9:28 AM
> To: flexcoders@yahoogroups.com
> Subject: [flexcoders] Form-based auth on Websphere
> 
> 
> 
> Hi,
> 
> I have a problem with FORM based auth on Websphere or rather what
> happens afterwards when a remote object calls a destination.
> 
> To give some background:
> The app is split into two applications (separate .swf files):
> 1. login screen 
> 2. core app
> 
> The core app is in protected area. When a user enters valid
> credentials in the login app it is forwarded to the core app. Then
> when a call to a remote object is made I am getting
> Client.Authentication error saying "Login required before
> authorization can proceed".
> 
> I've noticed that if prior to sending a request user credentials are
> set on the remote object (with setUserCredentials method) everything
> works fine, however I think that it should not be necessary since the
> server should maintain the credentials - at least it appears to work
> that way when the app is deployed to Tomcat.
> 
> I would be grateful for help.
> 
> Best regards,
> Bartek Doszczak
> 
> 
> 
>  
> 
>
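
Added example, not part of the original thread and not code from any of its participants: a Python checker for the two session problems the thread describes, the new session id returned in Set-Cookie on the first AMF request (the 2006-12-14 update) and a login page and SWF under different contexts. The captures are constructed; the JSESSIONID cookie name, the /sandpit context root, the /billing/messagebroker/amf path and the session id values are assumptions.

```python
# Added example, not code from the thread. Follows the servlet session cookie from
# the FORM login to the first AMF request and names the reason it did not carry over.
# Assumptions: cookie name JSESSIONID; every capture below is constructed.

SESSION_COOKIE = "JSESSIONID"


def parse_set_cookie(header_value, request_path):
    """Return (name, value, path) for one Set-Cookie header value."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    path = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "path" and val.strip().startswith("/"):
            path = val.strip()
    if path is None:
        # RFC 6265 default-path: the directory of the request path.
        cut = request_path.rfind("/")
        path = request_path[:cut] if cut > 0 else "/"
    return name.strip(), value.strip(), path


def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: would a client send this cookie to request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def sent_cookie(request_headers, name):
    """Value of cookie `name` in the request's Cookie header, or None."""
    for key, value in request_headers:
        if key.lower() != "cookie":
            continue
        for pair in value.split(";"):
            k, _, v = pair.strip().partition("=")
            if k == name:
                return v
    return None


def trace_session(exchanges, watch_prefix, cookie_name=SESSION_COOKIE):
    """Walk exchanges in order; return [(path, finding)] for watched requests."""
    findings = []
    issued = None  # (value, path) of the session cookie last set by the server
    for ex in exchanges:
        watched = ex["path"].startswith(watch_prefix)
        sent = sent_cookie(ex["request"], cookie_name)
        if watched and issued is not None:
            if sent is None:
                in_scope = path_matches(issued[1], ex["path"])
                findings.append(
                    (ex["path"], "cookie-not-sent" if in_scope else "cookie-path-mismatch"))
            elif sent != issued[0]:
                findings.append((ex["path"], "different-session-sent"))
        for key, value in ex["response"]:
            if key.lower() != "set-cookie":
                continue
            name, new_value, path = parse_set_cookie(value, ex["path"])
            if name != cookie_name:
                continue
            if watched and sent is not None and new_value != sent:
                # The request carried a session id but the server answered with a new one.
                findings.append((ex["path"], "session-replaced-by-server"))
            issued = (new_value, path)
    return findings


def capture(login_ctx, app_ctx, cookie_path, amf_cookie, amf_set_cookie=None):
    """Constructed capture: login page -> j_security_check -> first AMF call."""
    return [
        {"path": login_ctx + "/login.jsp", "request": [],
         "response": [("Set-Cookie", "JSESSIONID=login-0001; Path=" + cookie_path)]},
        {"path": login_ctx + "/j_security_check",
         "request": [("Cookie", "JSESSIONID=login-0001")], "response": []},
        {"path": app_ctx + "/messagebroker/amf",
         "request": [("Cookie", amf_cookie)] if amf_cookie else [],
         "response": [("Set-Cookie", amf_set_cookie)] if amf_set_cookie else []},
    ]


# Session carries over from login to the AMF endpoint.
HEALTHY = capture("/sandpit", "/sandpit", "/", "JSESSIONID=login-0001")
# Symptom from the update: 200 OK plus Set-Cookie with a new session id.
REPLACED = capture("/sandpit", "/sandpit", "/", "JSESSIONID=login-0001",
                   "JSESSIONID=fresh-0002; Path=/")
# Login page and SWF under different contexts, cookie scoped to the login context.
SPLIT_CONTEXTS = capture("/falcon", "/billing", "/falcon", None)

if __name__ == "__main__":
    for label, cap, prefix in [("healthy", HEALTHY, "/sandpit/messagebroker/"),
                               ("replaced", REPLACED, "/sandpit/messagebroker/"),
                               ("split", SPLIT_CONTEXTS, "/billing/messagebroker/")]:
        print(label, trace_session(cap, prefix))
```

A `session-replaced-by-server` finding on the AMF endpoint means the container did not continue the session id the client presented, so the identity established at j_security_check is not attached to the AMF call.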