ok, I'm no J2EE expert by any means, but what you are describing sounds way
complex.  I've had an app I built using LCDS, well FDS first under Flex 1.5
then ported to Flex 2 and using LCDS.  I used JRun under FDS for Flex 1.5
and Tomcat after porting to use LCDS.  In either case I simply used an
HTML Form based login that tied directly to the J2EE container, you know
FORM based login via web.xml file.  I wrote NO login code at all in Flex
and only wrote a GetUser method that fetched the user info from an LDAP based
solely on the session created during the login process that was fired when
the app loaded.  LCDS/FDS exposes the J2EE session through a filter, set it
on in an XML config file for FDS somewhere, I forget it currently.  The app I
wrote did not use EJBs at all, but you call these direct from a POJO exposed
via RemoteObject, correct?  And thus in the same context as any other
RemoteObject call.  Basically, let the container handle the security.  All
RemoteObject calls are over HTTP and the browser passes the jsessionid just
like a JSP app, eh?  Doing this also gives you a single sign on setup for
any other app hosted in the same container too.  Credit goes to Dave Wolf
over at Cynergy for getting this through my head way back when.

DK

On 10/13/07, amgoldst <[EMAIL PROTECTED]> wrote:
>
>   Jeff,
>
> I like your idea of using the FlexSession as it sounds exactly like what we
> want to do. Do you know if it's possible to do something like this:
>
> 1) User fills in log in form in Flex app
> 2) User clicks login button, which calls an EJB to get back a session id
> 3) Flex client stores session id in FlexSession
> 4) User clicks button that
>    a) Establishes a JAAS LoginContext with the session id from the FlexSession
>    b) Invokes the EJB, having JBoss validate the session id as part of its
>       built in security via JAAS
>    c) When the EJB finishes executing, call logout() on the LoginContext from a)
>
> We already have 1 and 2 working just fine right now.
>
> I'm not sure (since I'm not overly familiar with the FlexSession) if it's
> possible to set my session id in the FlexSession from within ActionScript,
> or if that's Java only? If it's Java only, how would I set it?
>
> I'm also not sure at what point I would need to establish the LoginContext.
> Would it make the most sense to do that in my EJB factory? Is it guaranteed
> that every time I need to invoke an EJB method that my EJB factory is used
> to lookup the EJB?
>
> And, finally, is there a way to tear down (logout) of the LoginContext after
> the EJB has been invoked?
>
> I guess an alternative to using the LoginContext could be to use JBoss's
> JndiLoginInitialContextFactory, if EJBs are looked up for every remote call
> and there's no way to tear down the LoginContext. I believe (but am not sure)
> that this context factory associates my security info (session id) for the
> EJB when I look it up, but does not keep it sticky on the thread. And since
> an EJB would be looked up "fresh" each time it is used, and then thrown out,
> this could potentially work.
>
> I really appreciate your help, as I'm kinda stuck at the moment :-)
>
> Thanks,
> Andy
>
> --- In flexcoders@yahoogroups.com, "Jeff Vroom" <[EMAIL PROTECTED]> wrote:
> >
> > Hi Andy,
> >
> >
> >
> > I'm not sure why JBoss would be running the EJB in another thread but I
> > don't think it is guaranteed to run in the same thread in any case.
> > Often EJB invocations are remote, not simple method calls.
> >
> >
> >
> > It seems to me that you really want to be storing your authentication in
> > the FlexSession (i.e. FlexContext.getFlexSession()). The thread will
> > not be consistent for the same user/client, but the session will be
> > consistent. For RTMP, there is one FlexSession for each RTMP
> > connection. The EJB's probably don't have visibility into the
> > FlexSession but you can pull any info you store there out, validate the
> > identity of the user, then as necessary forward any info from that onto
> > the EJB call.
> >
> >
> >
> > I'm not sure why the login would be called more than once... maybe if
> > you turn on the server debug logging for the "Message.*" pattern in
> > services-config.xml we can tell what is going on.
> >
> >
> >
> > Jeff
> >
> >
> >
> > ________________________________
> >
> > From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On
> > Behalf Of amgoldst
> > Sent: Friday, October 12, 2007 12:59 PM
> > To: flexcoders@yahoogroups.com
> > Subject: [flexcoders] Re: Flex, LiveCycle Data Services, EJB, & JAAS
> > problems
> >
> >
> >
> > Jeff,
> >
> > Thanks for your input!
> >
> > I've managed to get a LoginCommand implementation somewhat working...
> > but in debugging it I've noticed that sometimes the LoginCommand is
> > used in one RTMP worker thread, and my EJB invocation occurs in a
> > different thread (JBoss 4.0.5.GA). (Also, sometimes the LoginCommand
> > is used twice for no apparent reason before continuing on to my EJB.)
> > We're using RTMP only and AIR only - no web applications.
> >
> > If I use LoginContext.login() in my custom LCDS LoginCommand, afaik
> > the Subject that is established by the LoginContext will remain as the
> > Subject for the current thread until LoginContext.logout() is called.
> > I'm not sure that this is so, but if it is, then I don't believe my
> > custom LoginCommand will support multiple clients, as there is no
> > guarantee that a particular client will always use the same RTMP
> > worker thread.
> >
> > Any thoughts?
> >
> > Thanks,
> > Andy
> >
> > --- In flexcoders@yahoogroups.com, "Jeff Vroom" <jvroom@> wrote:
> > >
> > > I think that this should work fine. The LoginCommand methods are
> > > invoked from the request handling thread. If you are using HTTP
> > > channels, it is in the context of a servlet invocation so calling an
> > > EJB should be no problem. For the RTMP channels, LC DS does create its
> > > own thread to handle the requests but uses app server specific
> > > techniques to ensure that this thread is managed by the JEE container.
> > > I don't think you'd have any problems calling an EJB in that context
> > > either.
> > >
> > >
> > >
> > > I don't know why you'd end up with session id collisions... each web
> > > application in JEE does get its own copy of the session state so you
> > > do need to be careful if you have more than one web application and if
> > > you store any authorization information in the session.
> > >
> > >
> > >
> > > Jeff
> > >
> > >
> > >
> > > ________________________________
> > >
> > > From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On
> > > Behalf Of amgoldst
> > > Sent: Thursday, October 11, 2007 3:39 PM
> > > To: flexcoders@yahoogroups.com
> > > Subject: [flexcoders] Flex, LiveCycle Data Services, EJB, & JAAS
> > > problems
> > >
> > >
> > >
> > > We're trying to integrate our AIR application with LCDS, EJBs, and
> > > JAAS for security. We first call an EJB to log in to the system and
> > > get a session ID, which works just fine. For all subsequent EJB
> > > calls, we'd like to set the session id (either using setCredentials()
> > > or setRemoteCredentials()) and then use JAAS for security in front of
> > > the EJBs to make sure the session ID is valid (via JOSSO for single
> > > sign on). What is the best way to do this - we haven't had any luck
> > > so far?
> > >
> > > I've looked at using a custom LoginCommand and also modifying the Flex
> > > EJB Factory (from the Flex Exchange) to set up the LoginContext for
> > > JAAS before the EJB is actually invoked. I'm not sure if the
> > > LoginCommand approach will work because it appears that the
> > > LoginCommand's authenticate() method is invoked in a different thread
> > > than the EJB, and I'm concerned about session ID collisions when
> > > multiple clients are accessing LCDS simultaneously.
> > >
> > > Does anyone have any experience with this?
> > >
> > > Thanks in advance,
> > > Andy
> > >
> >
>
>  
>



-- 
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
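
The container-managed FORM login described in the reply at the top of this thread, sketched as a web.xml fragment. This is an added example, not configuration from any poster's application: the role name, page paths, the /app/* pattern and the /messagebroker/* endpoint mapping are assumptions, and the transport guarantee is an addition the thread does not mention.

```xml
<!-- WEB-INF/web.xml fragment. All names and paths below are assumed for illustration. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Flex wrapper page and remoting endpoint</web-resource-name>
    <!-- Page that embeds the SWF: an unauthenticated request for it makes the
         container show the login form before the Flex app ever loads. -->
    <url-pattern>/app/*</url-pattern>
    <!-- Assumed servlet mapping of the remoting endpoint. Constraining it means
         a RemoteObject call without an authenticated session is rejected by the
         container, not by application code. -->
    <url-pattern>/messagebroker/*</url-pattern>
    <!-- No http-method elements: the constraint covers every HTTP method. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>appuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Added here: force TLS so the password and the jsessionid cookie
         are not sent in clear text. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Both pages sit outside the constrained patterns so they stay reachable.
         The login page posts j_username and j_password to j_security_check. -->
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>appuser</role-name>
</security-role>
```

With this in place a server-side method such as the GetUser call mentioned above can take the identity from the servlet request's getUserPrincipal() rather than from anything the client sends.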
