Skip navigation
Currently Being Moderated

Authentication works but not Authorization with Custom Tomcat Login

Nov 28, 2011 11:25 AM

Hello,

I am following the steps mentioned in LCDS guide on setting up Tomcat (6.0.33) login. The configuration file details are mentioned below... Based on that, my observation is that the user "tomcat" and "rupak" can login successfully. However the remotingService called AdminControlService has security constraint of trustedAdmin and the user rupak or tomcat dont have the roles of twsadmin but the login is successful on amfChannel for these users while I expect it to fail because of the security constraint of trustedAdmin associated with it.. The security constraint trustedAdmin only defines roles for twsadmin so ideally any user that does not have this role should fail login. What am I missing?

 

thanks

Rupak

 

 

 

tomcat-users.xml

 

<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="twsadmin"/>
  <role rolename="twsuser"/>


  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="rupak" password="pwd123" roles="twsuser"/>

</tomcat-users>

 

 

services-config.xml

 

<services-config>
    <security>
       <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>       
       
        <security-constraint id="trustedAdmin">
            <auth-method>Custom</auth-method>
            <roles>
                <role>twsadmin</role>
            </roles>
        </security-constraint>       

 

        <security-constraint id="trustedUser">
            <auth-method>Custom</auth-method>
            <roles>
                <role>twsuser</role>
            </roles>
        </security-constraint>       
       
    </security>

    <services>
        <service id="AdvancedMessagingSupport" class="flex.messaging.services.AdvancedMessagingSupport">
            <default-security-constraint ref="trustedUser"/>
        </service>

        <service-include file-path="remoting-config.xml" />
        <service-include file-path="proxy-config.xml" />
        <service-include file-path="messaging-config.xml" />
        <service-include file-path="data-management-config.xml" />
        <service class="fiber.data.services.ModelDeploymentService" id="model-deploy-service">
            <!--default-security-constraint ref="trustedUser"/-->
        </service>
        
        <default-channels>
           <channel ref="my-rtmp"/>
        </default-channels>

    </services>

...

...

</services-config>

 

 

remoting-config.xml

 

<service id="remoting-service"
    class="flex.messaging.services.RemotingService">

    <adapters>
        <adapter-definition id="java-object" class="flex.messaging.services.remoting.adapters.JavaAdapter" default="true"/>
    </adapters>

 

    <default-channels>
        <channel ref="my-amf"/>
    </default-channels>

 

    <destination id="AdminControlService">
        <properties>
            <source>com.foo.myClassName</source>
            <scope>application</scope>
        </properties>
        <security>
            <security-constraint ref="trustedAdmin"/>
        </security>
    </destination>

</service>

 

 

mxml & ActionScript

 

<fx:Declarations>

  <s:RemoteObject id="adminService"

      destination="AdminControlService"

      requestTimeout="0"

      fault="adminFaultHandler(event)"

     result="adminResultHandler(event)">

  </s:RemoteObject>

 

####</fx:Declarations>

 

.....

......

 

RTMPURL=http://<ip>:<RTMPport>

AMFURL = http://<ip>:<HTTPport>/MyServer/messagebroker/amf

rtmpChannel.addChannel(new RTMPChannel"CustomRTMP", RTMPURL));

amfChannel.addChannel(new  AMFChannel("myCustomAMF",AMFURL))

adminService.channelSet = amfChannel;

 

...

...

private function login(username:String, password:String):void
{
    //login to RTMP channel
    if(rtmpChannel.authenticated == false){
     token = rtmpChannel.login(username, password);    
     token.addResponder(new AsyncResponder(RTMPLoginResultEvent, RTMPLoginFaultEvent));
   }

 

  if (amfChannel.authenticated == false)

  {

    tokenAMF = amfChannel.login(username, password);

    tokenAMF.addResponder(new AsyncResponder(AMFLoginResultEvent, AMFLoginFaultEvent));

  }

}

 
Replies
  • Currently Being Moderated
    Nov 28, 2011 1:50 PM   in reply to RupakKhurana

    Hi Rupak,

     

    Logging using a channelset (in your case, "rtmpChannel" / "amfChannel"), the user is simply authenticated using the registered Login Command. The actual user authorization check is not done until the actual call to the destination is made. Even though you have assigned the channelset to the remote object, the ChannelSet.login does not use the associated remoting destination. Only when you actually invoke the actual remoting destination, will the actual user authorization be done.

     

    Quoting from documentation at http://help.adobe.com/en_US/LiveCycleDataServicesES/3.1/Developing/WSc 3ff6d0ea77859461172e0811f00f7045b-7f36Update.html:

    When a FlexClient tries to log in, LoginCommand.doAuthentication() is called and returns a Principal that is set on the FlexSession object for subsequent requests. Next, as a Flex client tries to call the destination, LoginCommand.doAuthorization is called for each request.

     

    Hope that helps.

     

    Rohit

     
    |
    Mark as:
  • Currently Being Moderated
    Nov 29, 2011 1:22 PM   in reply to RupakKhurana

    Hi Rupak.    

     

    Firstly, from your response above, it seems like the original problem (of not carrying out authorization during login) described in the post has been answered/addressed.

     

    As regards the new problem of getting duplicate session issue, there could be multiple reasons why could this happen. Most of them are:

     

    1. Cookies have been disabled in the browser.

    2. Your app ends up making multiple requests to the Data Services server, before actually the session for the first request got created.

    3. You are using a load balancer to process requests on the server side. In that case, you need to ensure that request gets always processed by the same node.

     

    I would recommend, you go over my colleague Alex's blog at: http://www.alexglosband.com/2010/03/avoiding-duplicate-session-detecte d-errors-in-lcds-and-blazeds

     

    Hope that helps!

     

    Rohit

     
    |
    Mark as:

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points