RE: [flexcoders] Re: RTMP and Spring Security(Acegi) Issues - SOLVED
In the case of RTMP, the doAuthentication() hook of your LoginCommand runs when the client invokes ChannelSet.login(...) or as a result of invoking the legacy setCredentials() method on service components. The advantage of using ChannelSet.login() is that it gives you back a token for the call that you can register a responder with. setCredentials() may or may not even make a login call, depending on whether the client is connected, and when the login happens there's no good way to handle faults. If doAuthentication() is successful the returned Principal is cached in the FlexSession. Because RTMP connections are long-lived and stateful, this will only happen once. After that, any client interaction with a destination secured with a security constraint will trigger a call to doAuthentication() - you get the cached Principal and the list of roles to test for membership in. So this hook will likely be called many times. If you security system depends on any extra context, say in thread locals, your login command would need to manage that properly. Seth From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Geoffrey Sent: Monday, August 25, 2008 4:00 PM To: flexcoders@yahoogroups.com Subject: [flexcoders] Re: RTMP and Spring Security(Acegi) Issues - SOLVED I was wondering if anyone knows exactly when the AcegiLoginCommand class gets processes. Does it get processed once when you create a DataService object, or does it get processed every time an RTMP request is made? --- In flexcoders@yahoogroups.commailto:flexcoders%40yahoogroups.com, Geoffrey [EMAIL PROTECTED] wrote: One last thing I had to do to get it to work. I added -Dacegi.security.strategy=MODE_INHERITABLETHREADLOCAL to my Tomcat JVM arguments. Otherwise, setting and getting the Authentication object was accessing different instances of some security object. ~Geoff --- In flexcoders@yahoogroups.commailto:flexcoders%40yahoogroups.com, Geoffrey gtb104@ wrote: I seem to have got it working. Thanks for your help jahhaj12345! What I ended up doing was to create a custom LoginCommand class. I used the one from here: http://blog.f4k3.net/fake/entry/acegi_logincommand_for_fds. I made two changes shown below: //The name of our Acegi configuration file. private static String[] CONFIG_LOCATIONS = {classpath:security-context.xml}; //ldapAuthenticationProvider is from our Acegi config file, and it the name of the bean that is used for authentication via LDAP. authenticationProvider = (AuthenticationProvider)applicationContext.getBean(ldapAuthenticationProvider); I then updated services-config.xml and added: security login-command class=com.gdais.security.AcegiLoginCommand server=Tomcat/ security-constraint id=basic-read-access auth-methodBasic/auth-method roles roleROLE_MANAGERS/role roleROLE_USERS/role /roles /security-constraint /security //The roles came from the Acegi config file. After that, I had to add the [managed] metadata tag to one of my ValueObjects and it all seemed to work. I'll be honest, I don't really understand why this works, it just does. What I mean by 'works' is that the managed collection on the client gets filled with data successfully. I haven't yet tested pushing new entries to that managed collection after the initial fill. I hope this post helps someone else. ~Geoff --- In flexcoders@yahoogroups.commailto:flexcoders%40yahoogroups.com, jahhaj12345 halvorsonj@ wrote: I don't know of a way to just authenticate the client. From everything I've read, you have to authenticate the HTTP and RTMP sessions individually. For my application, I had to create my own LoginCommand to handle the flex RTMP authentication. Here's my understanding of how it's working for me: 1. On my client, I get the channelset to use and then call channelSet.login(username, password). You could also call the setCredentials on the actual DataService the same way, but my services are all created at runtime on the server instead of being statically defined in services-config.xml. 2. That channelSet (or dataservice) from above authenticates through the login-command configured in services-config.xml. This is where the custom LoginCommand I created is configured. The doAuthentication function of LoginCommand is as follows: public Principal doAuthentication(String username, Object credentials) { Authentication auth = authenticationProvider.authenticate(new UsernamePasswordAuthenticationToken(username, credentials)); // authenticationProvider is a spring security DaoAuthenticationProvider SecurityContextHolder.getContext().setAuthentication(auth); return auth; } This should authenticate the RTMP session. I don't know if this is the best way, but it seems to work. --- In flexcoders@yahoogroups.commailto:flexcoders
RE: [flexcoders] Re: RTMP and Spring Security(Acegi) Issues - SOLVED
Make that: After that, any client interaction with a destination secured with a security constraint will trigger a call to doAuthorization() Seth From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Seth Hodgson Sent: Tuesday, August 26, 2008 10:18 AM To: flexcoders@yahoogroups.com Subject: RE: [flexcoders] Re: RTMP and Spring Security(Acegi) Issues - SOLVED In the case of RTMP, the doAuthentication() hook of your LoginCommand runs when the client invokes ChannelSet.login(...) or as a result of invoking the legacy setCredentials() method on service components. The advantage of using ChannelSet.login() is that it gives you back a token for the call that you can register a responder with. setCredentials() may or may not even make a login call, depending on whether the client is connected, and when the login happens there's no good way to handle faults. If doAuthentication() is successful the returned Principal is cached in the FlexSession. Because RTMP connections are long-lived and stateful, this will only happen once. After that, any client interaction with a destination secured with a security constraint will trigger a call to doAuthentication() - you get the cached Principal and the list of roles to test for membership in. So this hook will likely be called many times. If you security system depends on any extra context, say in thread locals, your login command would need to manage that properly. Seth From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Geoffrey Sent: Monday, August 25, 2008 4:00 PM To: flexcoders@yahoogroups.com Subject: [flexcoders] Re: RTMP and Spring Security(Acegi) Issues - SOLVED I was wondering if anyone knows exactly when the AcegiLoginCommand class gets processes. Does it get processed once when you create a DataService object, or does it get processed every time an RTMP request is made? --- In flexcoders@yahoogroups.commailto:flexcoders%40yahoogroups.com, Geoffrey [EMAIL PROTECTED] wrote: One last thing I had to do to get it to work. I added -Dacegi.security.strategy=MODE_INHERITABLETHREADLOCAL to my Tomcat JVM arguments. Otherwise, setting and getting the Authentication object was accessing different instances of some security object. ~Geoff --- In flexcoders@yahoogroups.commailto:flexcoders%40yahoogroups.com, Geoffrey gtb104@ wrote: I seem to have got it working. Thanks for your help jahhaj12345! What I ended up doing was to create a custom LoginCommand class. I used the one from here: http://blog.f4k3.net/fake/entry/acegi_logincommand_for_fds. I made two changes shown below: //The name of our Acegi configuration file. private static String[] CONFIG_LOCATIONS = {classpath:security-context.xml}; //ldapAuthenticationProvider is from our Acegi config file, and it the name of the bean that is used for authentication via LDAP. authenticationProvider = (AuthenticationProvider)applicationContext.getBean(ldapAuthenticationProvider); I then updated services-config.xml and added: security login-command class=com.gdais.security.AcegiLoginCommand server=Tomcat/ security-constraint id=basic-read-access auth-methodBasic/auth-method roles roleROLE_MANAGERS/role roleROLE_USERS/role /roles /security-constraint /security //The roles came from the Acegi config file. After that, I had to add the [managed] metadata tag to one of my ValueObjects and it all seemed to work. I'll be honest, I don't really understand why this works, it just does. What I mean by 'works' is that the managed collection on the client gets filled with data successfully. I haven't yet tested pushing new entries to that managed collection after the initial fill. I hope this post helps someone else. ~Geoff --- In flexcoders@yahoogroups.commailto:flexcoders%40yahoogroups.com, jahhaj12345 halvorsonj@ wrote: I don't know of a way to just authenticate the client. From everything I've read, you have to authenticate the HTTP and RTMP sessions individually. For my application, I had to create my own LoginCommand to handle the flex RTMP authentication. Here's my understanding of how it's working for me: 1. On my client, I get the channelset to use and then call channelSet.login(username, password). You could also call the setCredentials on the actual DataService the same way, but my services are all created at runtime on the server instead of being statically defined in services-config.xml. 2. That channelSet (or dataservice) from above authenticates through the login-command configured in services-config.xml. This is where the custom LoginCommand I created is configured. The doAuthentication function of LoginCommand is as follows: public Principal doAuthentication(String username, Object credentials) { Authentication auth = authenticationProvider.authenticate(new
[flexcoders] Re: RTMP and Spring Security(Acegi) Issues - SOLVED
I was wondering if anyone knows exactly when the AcegiLoginCommand class gets processes. Does it get processed once when you create a DataService object, or does it get processed every time an RTMP request is made? --- In flexcoders@yahoogroups.com, Geoffrey [EMAIL PROTECTED] wrote: One last thing I had to do to get it to work. I added -Dacegi.security.strategy=MODE_INHERITABLETHREADLOCAL to my Tomcat JVM arguments. Otherwise, setting and getting the Authentication object was accessing different instances of some security object. ~Geoff --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I seem to have got it working. Thanks for your help jahhaj12345! What I ended up doing was to create a custom LoginCommand class. I used the one from here: http://blog.f4k3.net/fake/entry/acegi_logincommand_for_fds. I made two changes shown below: //The name of our Acegi configuration file. private static String[] CONFIG_LOCATIONS = {classpath:security-context.xml}; //ldapAuthenticationProvider is from our Acegi config file, and it the name of the bean that is used for authentication via LDAP. authenticationProvider = (AuthenticationProvider)applicationContext.getBean(ldapAuthenticationProvider); I then updated services-config.xml and added: security login-command class=com.gdais.security.AcegiLoginCommand server=Tomcat/ security-constraint id=basic-read-access auth-methodBasic/auth-method roles roleROLE_MANAGERS/role roleROLE_USERS/role /roles /security-constraint /security //The roles came from the Acegi config file. After that, I had to add the [managed] metadata tag to one of my ValueObjects and it all seemed to work. I'll be honest, I don't really understand why this works, it just does. What I mean by 'works' is that the managed collection on the client gets filled with data successfully. I haven't yet tested pushing new entries to that managed collection after the initial fill. I hope this post helps someone else. ~Geoff --- In flexcoders@yahoogroups.com, jahhaj12345 halvorsonj@ wrote: I don't know of a way to just authenticate the client. From everything I've read, you have to authenticate the HTTP and RTMP sessions individually. For my application, I had to create my own LoginCommand to handle the flex RTMP authentication. Here's my understanding of how it's working for me: 1. On my client, I get the channelset to use and then call channelSet.login(username, password). You could also call the setCredentials on the actual DataService the same way, but my services are all created at runtime on the server instead of being statically defined in services-config.xml. 2. That channelSet (or dataservice) from above authenticates through the login-command configured in services-config.xml. This is where the custom LoginCommand I created is configured. The doAuthentication function of LoginCommand is as follows: public Principal doAuthentication(String username, Object credentials) { Authentication auth = authenticationProvider.authenticate(new UsernamePasswordAuthenticationToken(username, credentials)); // authenticationProvider is a spring security DaoAuthenticationProvider SecurityContextHolder.getContext().setAuthentication(auth); return auth; } This should authenticate the RTMP session. I don't know if this is the best way, but it seems to work. --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I'm guessing that we don't implement security the correct way (or the best way) right now. Currently, I have a login State that takes the username and password and makes an HTTPService call to the JSP page that does user authentication. If that comes back successfully, then I change State to the main application. That seems to take care of all of the HTTP requests, but the RTMP requests obviously fail (or else I wouldn't be here ;-)). I read the docs about using LoginCommand, but I didn't see how that ties into Acegi. I'm wondering if you can authenticate the Flex client, and not just the session. If so, wouldn't the sessions (HTTP and RTMP) also be authenticated since they fall under the FlexClient object? Just a thought. Geoff --- In flexcoders@yahoogroups.com, jahhaj12345 halvorsonj@ wrote: I'm having the same problems you are. I've been through several options but haven't found one that's acceptable from a security point of view if you are trying to use the rememberme functionality. To get it working without rememberme, provide a login form from your flex application and once authenticated using form login, use that username/password
[flexcoders] Re: RTMP and Spring Security(Acegi) Issues - SOLVED
One last thing I had to do to get it to work. I added -Dacegi.security.strategy=MODE_INHERITABLETHREADLOCAL to my Tomcat JVM arguments. Otherwise, setting and getting the Authentication object was accessing different instances of some security object. ~Geoff --- In flexcoders@yahoogroups.com, Geoffrey [EMAIL PROTECTED] wrote: I seem to have got it working. Thanks for your help jahhaj12345! What I ended up doing was to create a custom LoginCommand class. I used the one from here: http://blog.f4k3.net/fake/entry/acegi_logincommand_for_fds. I made two changes shown below: //The name of our Acegi configuration file. private static String[] CONFIG_LOCATIONS = {classpath:security-context.xml}; //ldapAuthenticationProvider is from our Acegi config file, and it the name of the bean that is used for authentication via LDAP. authenticationProvider = (AuthenticationProvider)applicationContext.getBean(ldapAuthenticationProvider); I then updated services-config.xml and added: security login-command class=com.gdais.security.AcegiLoginCommand server=Tomcat/ security-constraint id=basic-read-access auth-methodBasic/auth-method roles roleROLE_MANAGERS/role roleROLE_USERS/role /roles /security-constraint /security //The roles came from the Acegi config file. After that, I had to add the [managed] metadata tag to one of my ValueObjects and it all seemed to work. I'll be honest, I don't really understand why this works, it just does. What I mean by 'works' is that the managed collection on the client gets filled with data successfully. I haven't yet tested pushing new entries to that managed collection after the initial fill. I hope this post helps someone else. ~Geoff --- In flexcoders@yahoogroups.com, jahhaj12345 halvorsonj@ wrote: I don't know of a way to just authenticate the client. From everything I've read, you have to authenticate the HTTP and RTMP sessions individually. For my application, I had to create my own LoginCommand to handle the flex RTMP authentication. Here's my understanding of how it's working for me: 1. On my client, I get the channelset to use and then call channelSet.login(username, password). You could also call the setCredentials on the actual DataService the same way, but my services are all created at runtime on the server instead of being statically defined in services-config.xml. 2. That channelSet (or dataservice) from above authenticates through the login-command configured in services-config.xml. This is where the custom LoginCommand I created is configured. The doAuthentication function of LoginCommand is as follows: public Principal doAuthentication(String username, Object credentials) { Authentication auth = authenticationProvider.authenticate(new UsernamePasswordAuthenticationToken(username, credentials)); // authenticationProvider is a spring security DaoAuthenticationProvider SecurityContextHolder.getContext().setAuthentication(auth); return auth; } This should authenticate the RTMP session. I don't know if this is the best way, but it seems to work. --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I'm guessing that we don't implement security the correct way (or the best way) right now. Currently, I have a login State that takes the username and password and makes an HTTPService call to the JSP page that does user authentication. If that comes back successfully, then I change State to the main application. That seems to take care of all of the HTTP requests, but the RTMP requests obviously fail (or else I wouldn't be here ;-)). I read the docs about using LoginCommand, but I didn't see how that ties into Acegi. I'm wondering if you can authenticate the Flex client, and not just the session. If so, wouldn't the sessions (HTTP and RTMP) also be authenticated since they fall under the FlexClient object? Just a thought. Geoff --- In flexcoders@yahoogroups.com, jahhaj12345 halvorsonj@ wrote: I'm having the same problems you are. I've been through several options but haven't found one that's acceptable from a security point of view if you are trying to use the rememberme functionality. To get it working without rememberme, provide a login form from your flex application and once authenticated using form login, use that username/password combination for the RTMP's ChannelSet login. And depending on how you handle authentication on your end, you may need to provide your own LoginCommand and UserDetailsService. I've done both of these and it works. Does anyone out there have a way to get rememberme working for RTMP? I know the problem is cause by the RTMPFlexSession being outside the HTTPSession. Is there anyway to
[flexcoders] Re: RTMP and Spring Security(Acegi) Issues - SOLVED
I seem to have got it working. Thanks for your help jahhaj12345! What I ended up doing was to create a custom LoginCommand class. I used the one from here: http://blog.f4k3.net/fake/entry/acegi_logincommand_for_fds. I made two changes shown below: //The name of our Acegi configuration file. private static String[] CONFIG_LOCATIONS = {classpath:security-context.xml}; //ldapAuthenticationProvider is from our Acegi config file, and it the name of the bean that is used for authentication via LDAP. authenticationProvider = (AuthenticationProvider)applicationContext.getBean(ldapAuthenticationProvider); I then updated services-config.xml and added: security login-command class=com.gdais.security.AcegiLoginCommand server=Tomcat/ security-constraint id=basic-read-access auth-methodBasic/auth-method roles roleROLE_MANAGERS/role roleROLE_USERS/role /roles /security-constraint /security //The roles came from the Acegi config file. After that, I had to add the [managed] metadata tag to one of my ValueObjects and it all seemed to work. I'll be honest, I don't really understand why this works, it just does. What I mean by 'works' is that the managed collection on the client gets filled with data successfully. I haven't yet tested pushing new entries to that managed collection after the initial fill. I hope this post helps someone else. ~Geoff --- In flexcoders@yahoogroups.com, jahhaj12345 [EMAIL PROTECTED] wrote: I don't know of a way to just authenticate the client. From everything I've read, you have to authenticate the HTTP and RTMP sessions individually. For my application, I had to create my own LoginCommand to handle the flex RTMP authentication. Here's my understanding of how it's working for me: 1. On my client, I get the channelset to use and then call channelSet.login(username, password). You could also call the setCredentials on the actual DataService the same way, but my services are all created at runtime on the server instead of being statically defined in services-config.xml. 2. That channelSet (or dataservice) from above authenticates through the login-command configured in services-config.xml. This is where the custom LoginCommand I created is configured. The doAuthentication function of LoginCommand is as follows: public Principal doAuthentication(String username, Object credentials) { Authentication auth = authenticationProvider.authenticate(new UsernamePasswordAuthenticationToken(username, credentials)); // authenticationProvider is a spring security DaoAuthenticationProvider SecurityContextHolder.getContext().setAuthentication(auth); return auth; } This should authenticate the RTMP session. I don't know if this is the best way, but it seems to work. --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I'm guessing that we don't implement security the correct way (or the best way) right now. Currently, I have a login State that takes the username and password and makes an HTTPService call to the JSP page that does user authentication. If that comes back successfully, then I change State to the main application. That seems to take care of all of the HTTP requests, but the RTMP requests obviously fail (or else I wouldn't be here ;-)). I read the docs about using LoginCommand, but I didn't see how that ties into Acegi. I'm wondering if you can authenticate the Flex client, and not just the session. If so, wouldn't the sessions (HTTP and RTMP) also be authenticated since they fall under the FlexClient object? Just a thought. Geoff --- In flexcoders@yahoogroups.com, jahhaj12345 halvorsonj@ wrote: I'm having the same problems you are. I've been through several options but haven't found one that's acceptable from a security point of view if you are trying to use the rememberme functionality. To get it working without rememberme, provide a login form from your flex application and once authenticated using form login, use that username/password combination for the RTMP's ChannelSet login. And depending on how you handle authentication on your end, you may need to provide your own LoginCommand and UserDetailsService. I've done both of these and it works. Does anyone out there have a way to get rememberme working for RTMP? I know the problem is cause by the RTMPFlexSession being outside the HTTPSession. Is there anyway to sync these up? Or is there anyway to do a single sign-on with RTMP? Jason --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I've looked around the net and haven't found anything helpful. Any suggestions would be great. Thanks, Geoff --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I'm wondering if anyone out there has implemented LiveCycle Data Services
[flexcoders] Re: RTMP and Spring Security(Acegi) Issues
I'm having the same problems you are. I've been through several options but haven't found one that's acceptable from a security point of view if you are trying to use the rememberme functionality. To get it working without rememberme, provide a login form from your flex application and once authenticated using form login, use that username/password combination for the RTMP's ChannelSet login. And depending on how you handle authentication on your end, you may need to provide your own LoginCommand and UserDetailsService. I've done both of these and it works. Does anyone out there have a way to get rememberme working for RTMP? I know the problem is cause by the RTMPFlexSession being outside the HTTPSession. Is there anyway to sync these up? Or is there anyway to do a single sign-on with RTMP? Jason --- In flexcoders@yahoogroups.com, Geoffrey [EMAIL PROTECTED] wrote: I've looked around the net and haven't found anything helpful. Any suggestions would be great. Thanks, Geoff --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I'm wondering if anyone out there has implemented LiveCycle Data Services using Spring Security as their security layer? I'm having issues with RTMP communications between server/client, meaning I'm not getting any. I've modified our existing Java delegate to ast as the Assembler for a managed collection. When the Assembler's fill() method gets called, it tries to retrieve the desired information from our Service class. I get an AuthenticationCredentialsNotFoundException as seen below: error snippet org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext at org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecuri tyInterceptor.java:339) at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityIn terceptor.java:254) at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodS ecurityInterceptor.java:63) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMetho dInvocation.java:161) at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercep t(Cglib2AopProxy.java:630) ... /error snippet I think it's because the HTTPFlexSession is authenticated, but the RTMPFlexSession operates outside the context. I don't know how to make it authenticated, or to authenticate the client so that all sessions have valid credentials. Any suggestions would be appreciated. ~Geoff
[flexcoders] Re: RTMP and Spring Security(Acegi) Issues
I'm guessing that we don't implement security the correct way (or the best way) right now. Currently, I have a login State that takes the username and password and makes an HTTPService call to the JSP page that does user authentication. If that comes back successfully, then I change State to the main application. That seems to take care of all of the HTTP requests, but the RTMP requests obviously fail (or else I wouldn't be here ;-)). I read the docs about using LoginCommand, but I didn't see how that ties into Acegi. I'm wondering if you can authenticate the Flex client, and not just the session. If so, wouldn't the sessions (HTTP and RTMP) also be authenticated since they fall under the FlexClient object? Just a thought. Geoff --- In flexcoders@yahoogroups.com, jahhaj12345 [EMAIL PROTECTED] wrote: I'm having the same problems you are. I've been through several options but haven't found one that's acceptable from a security point of view if you are trying to use the rememberme functionality. To get it working without rememberme, provide a login form from your flex application and once authenticated using form login, use that username/password combination for the RTMP's ChannelSet login. And depending on how you handle authentication on your end, you may need to provide your own LoginCommand and UserDetailsService. I've done both of these and it works. Does anyone out there have a way to get rememberme working for RTMP? I know the problem is cause by the RTMPFlexSession being outside the HTTPSession. Is there anyway to sync these up? Or is there anyway to do a single sign-on with RTMP? Jason --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I've looked around the net and haven't found anything helpful. Any suggestions would be great. Thanks, Geoff --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I'm wondering if anyone out there has implemented LiveCycle Data Services using Spring Security as their security layer? I'm having issues with RTMP communications between server/client, meaning I'm not getting any. I've modified our existing Java delegate to ast as the Assembler for a managed collection. When the Assembler's fill() method gets called, it tries to retrieve the desired information from our Service class. I get an AuthenticationCredentialsNotFoundException as seen below: error snippet org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext at org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecuri tyInterceptor.java:339) at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityIn terceptor.java:254) at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodS ecurityInterceptor.java:63) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMetho dInvocation.java:161) at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercep t(Cglib2AopProxy.java:630) ... /error snippet I think it's because the HTTPFlexSession is authenticated, but the RTMPFlexSession operates outside the context. I don't know how to make it authenticated, or to authenticate the client so that all sessions have valid credentials. Any suggestions would be appreciated. ~Geoff
[flexcoders] Re: RTMP and Spring Security(Acegi) Issues
I don't know of a way to just authenticate the client. From everything I've read, you have to authenticate the HTTP and RTMP sessions individually. For my application, I had to create my own LoginCommand to handle the flex RTMP authentication. Here's my understanding of how it's working for me: 1. On my client, I get the channelset to use and then call channelSet.login(username, password). You could also call the setCredentials on the actual DataService the same way, but my services are all created at runtime on the server instead of being statically defined in services-config.xml. 2. That channelSet (or dataservice) from above authenticates through the login-command configured in services-config.xml. This is where the custom LoginCommand I created is configured. The doAuthentication function of LoginCommand is as follows: public Principal doAuthentication(String username, Object credentials) { Authentication auth = authenticationProvider.authenticate(new UsernamePasswordAuthenticationToken(username, credentials)); // authenticationProvider is a spring security DaoAuthenticationProvider SecurityContextHolder.getContext().setAuthentication(auth); return auth; } This should authenticate the RTMP session. I don't know if this is the best way, but it seems to work. --- In flexcoders@yahoogroups.com, Geoffrey [EMAIL PROTECTED] wrote: I'm guessing that we don't implement security the correct way (or the best way) right now. Currently, I have a login State that takes the username and password and makes an HTTPService call to the JSP page that does user authentication. If that comes back successfully, then I change State to the main application. That seems to take care of all of the HTTP requests, but the RTMP requests obviously fail (or else I wouldn't be here ;-)). I read the docs about using LoginCommand, but I didn't see how that ties into Acegi. I'm wondering if you can authenticate the Flex client, and not just the session. If so, wouldn't the sessions (HTTP and RTMP) also be authenticated since they fall under the FlexClient object? Just a thought. Geoff --- In flexcoders@yahoogroups.com, jahhaj12345 halvorsonj@ wrote: I'm having the same problems you are. I've been through several options but haven't found one that's acceptable from a security point of view if you are trying to use the rememberme functionality. To get it working without rememberme, provide a login form from your flex application and once authenticated using form login, use that username/password combination for the RTMP's ChannelSet login. And depending on how you handle authentication on your end, you may need to provide your own LoginCommand and UserDetailsService. I've done both of these and it works. Does anyone out there have a way to get rememberme working for RTMP? I know the problem is cause by the RTMPFlexSession being outside the HTTPSession. Is there anyway to sync these up? Or is there anyway to do a single sign-on with RTMP? Jason --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I've looked around the net and haven't found anything helpful. Any suggestions would be great. Thanks, Geoff --- In flexcoders@yahoogroups.com, Geoffrey gtb104@ wrote: I'm wondering if anyone out there has implemented LiveCycle Data Services using Spring Security as their security layer? I'm having issues with RTMP communications between server/client, meaning I'm not getting any. I've modified our existing Java delegate to ast as the Assembler for a managed collection. When the Assembler's fill() method gets called, it tries to retrieve the desired information from our Service class. I get an AuthenticationCredentialsNotFoundException as seen below: error snippet org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext at org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFo\ und(AbstractSecuri tyInterceptor.java:339) at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation\ (AbstractSecurityIn terceptor.java:254) at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor\ .invoke(MethodS ecurityInterceptor.java:63) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(Ref\ lectiveMetho dInvocation.java:161) at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedIntercept\ or.intercep t(Cglib2AopProxy.java:630) ... /error snippet I think it's because the HTTPFlexSession is authenticated, but the RTMPFlexSession operates outside the context. I don't know how to make it authenticated, or to authenticate the client so that all sessions have valid credentials. Any
[flexcoders] Re: RTMP and Spring Security(Acegi) Issues
I've looked around the net and haven't found anything helpful. Any suggestions would be great. Thanks, Geoff --- In flexcoders@yahoogroups.com, Geoffrey [EMAIL PROTECTED] wrote: I'm wondering if anyone out there has implemented LiveCycle Data Services using Spring Security as their security layer? I'm having issues with RTMP communications between server/client, meaning I'm not getting any. I've modified our existing Java delegate to ast as the Assembler for a managed collection. When the Assembler's fill() method gets called, it tries to retrieve the desired information from our Service class. I get an AuthenticationCredentialsNotFoundException as seen below: error snippet org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext at org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecuri tyInterceptor.java:339) at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityIn terceptor.java:254) at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodS ecurityInterceptor.java:63) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMetho dInvocation.java:161) at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercep t(Cglib2AopProxy.java:630) ... /error snippet I think it's because the HTTPFlexSession is authenticated, but the RTMPFlexSession operates outside the context. I don't know how to make it authenticated, or to authenticate the client so that all sessions have valid credentials. Any suggestions would be appreciated. ~Geoff