16 Replies Latest reply: Dec 2, 2011 9:13 AM by drrevis

    Glassfish v3, BlazeDS, and authentication.

    jptech-ryan Community Member

      Hi,

       

      I'm looking for documentation about how to configure BlazeDS security with Glassfish v3.  I've found this:

       

      http://anachronymous.com/2009/01/flex-blazeds-and-glassfish-part-1.html

       

      ...but it's for Glassfish v2.  Most of it should be the same, but some of the TomcatValve stuff has changed for Glassfish v3:

       

      http://blogs.sun.com/jluehe/entry/glassfish_v3_adds_support_for

       

      Should I be able to ignore the valve configuration and simply use TomcatLoginCommand since Glassfish v3 is supposed to support Tomcat style valves?  I tried adding the following to services-config.xml:

       

      <security>
          <login-command class="flex.messaging.security.TomcatLoginCommand" server="all"/>
      </security>

       

      ...but upon deployment I get the following error:

       

      javax.servlet.UnavailableException: Cannot create class of type 'flex.messaging.security.TomcatLoginCommand'.

       

      Can anyone point me in the right direction?

       

      Ryan

        • 1. Re: Glassfish v3, BlazeDS, and authentication.
          jptech-ryan Community Member

          I think I've almost worked through this, but am still stuck.  First, what I've done:

           

          I'm using Maven and didn't have blazeds-opt as a dependency in my .war assembly.  Adding it provides the TomcatLoginCommand class that was missing.

           

          After adding the above I was still missing the TomcatValve class.  From what I can tell it's necessary for me to get flex-tomcat-common.jar on the classpath.  I've tried adding it to WEB-INF/lib and to GLASSFISH_HOME/glassfish/domains/domain1/lib.  Neither seems to work.

           

          I've also seen a couple references to adding flex-tomcat-server.jar when using Tomcat, so I've tried adding it the same as flex-tomcat-common.jar.

           

          I've tried defining a TomcatValve in sun-web.xml, but I have no idea where the valve_1 property name comes from.  I simply copied it from the example blog I linked above.

           

          <sun-web-app>
              <property name="valve_1" value="flex.messaging.security.TomcatValve"/>
          </sun-web-app>
          

           

          Whenever I try to log in I'm getting the error:

          Fault on login [FaultEvent fault=[RPC Fault faultString="Please set up a TomcatValve as described in the documentation." faultCode="Server.Processing" faultDetail="null"] messageId="37BDF419-600D-4BCE-8E93-389276905A18" type="fault" bubbles=false cancelable=true eventPhase=2]

          Since Glassfish v3 is supposed to support Tomcat style valves, I was thinking it should be easy to get working.  Any help that anyone can give me would be appreciated.

           

          I'd also be appreciative if anyone can give any links to documentation that gives a high level description of the login process.  I read through most of the sources, but, by the time I get all the way back to the application server, it feels like the actual login process has jumped through a ton of hoops.  Why does it have to be so complicated?

          • 2. Re: Glassfish v3, BlazeDS, and authentication.
            BatistutaGab Community Member

            Hi,

             

            Have you found a solution to your problem?

             

            I want to make an authentication with a login, but actually I'm not able to do anything...

             

             

            thanks

            • 3. Re: Glassfish v3, BlazeDS, and authentication.
              BatistutaGab Community Member

              Actually, I work with Glassfish and I deploy the blazeDS.war on it. I'm able to call BlazeDS with my Flex client. The responses are correct.

               

              Now I'd like to secure my connection with Basic authentication. To achieve this, I modify my services-config.xml and add these lines:

              <security>
                  <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
                  <security-constraint id="managementSecurity">
                      <auth-method>Basic</auth-method>
                  </security-constraint>
              </security>
              

              I don't have any roles, because I only want to authenticate my client. That's all!

               

              And in my remoting-config.xml, I have :

              <?xml version="1.0" encoding="UTF-8"?>
              <service id="remoting-service" 
                  class="flex.messaging.services.RemotingService">
              
                  <adapters>
                      <adapter-definition id="java-object" class="flex.messaging.services.remoting.adapters.JavaAdapter" default="true"/>
                  </adapters>
              
                  <default-channels>
                      <channel ref="my-amf"/>
                  </default-channels>
                   
                   <destination id="UserManagement">
                        <properties>
                             <source>Application.UserManagement</source>
                             <scope>application</scope>
                        </properties>
                        
                        <security>
                             <security-constraint ref="managementSecurity"/>
                        </security>
                        
                        <channels>
                             <channel ref="my-amf"/>
                        </channels>
                   </destination>
              
              </service>
              

               

              When I apply this and call BlazeDS again from my Flex application, a window asks me for a 'login' and 'password'. I suppose that it's a user described by my Glassfish server, but I have no idea where I can find this. Could you tell me what this famous LOGIN is?

               

              By the way, I'm not able to create a 'custom authentication' with Glassfish. If someone has some tutorials or help, I would be glad.

               

              Thank you very much

              • 4. Re: Glassfish v3, BlazeDS, and authentication.
                jptech-ryan Community Member

                I just typed out a nice long response and lost it.  I usually hit ctrl+a, ctrl+c before posting in case my session has timed out.  My finger slipped off of ctrl right before I hit c :-(

                 

                Here's a post I made to the Glassfish forums.  It has a few good responses:

                 

                http://forums.java.net/jive/thread.jspa?threadID=74296

                 

                Can you elaborate on what kind of solution you're trying to come up with and what you're having trouble with?  Can you get BASIC authentication to work with a simple web.xml configuration that sets your .swf as a protected resource?  I found that to be a good starting point.

                 

                I'm still watching this thread, so feel free to post again and I'll try to help if I can.

                • 5. Re: Glassfish v3, BlazeDS, and authentication.
                  BatistutaGab Community Member

                  Thanks for your answer!

                   

                  Actually, if I run my Flex client with BASIC authentication, a window asks me for a login and password. Unfortunately, I don't know this login. Do you think that's a default login of Glassfish?

                   

                  I'll read your post.

                  • 6. Re: Glassfish v3, BlazeDS, and authentication.
                    jptech-ryan Community Member

                    Hey BatistutaGab,

                     

                    I didn't see you replied again before I posted.  What happens when you enter a username and password?  Do you get an error or does it just keep asking in a continuous loop?

                     

                    Is there any info in your Glassfish logs (server.log)?  I gave up on the BlazeDS config a while ago, so I'm not positive how to configure it.  One thing I don't see in your configuration are any role mappings.  It sounds like you're struggling with the Glassfish side of things a little, so I'll post some info on a really simple configuration for you.

                     

                    I'll be back soon...

                    • 7. Re: Glassfish v3, BlazeDS, and authentication.
                      BatistutaGab Community Member
                      "What happens when you enter a username and password?  Do you get an error or does it just keep asking in a continuous loop?"

                      It asks me in a continuous loop...

                      I have no error in my server.log.

                      "One thing I don't see in your configuration are any role mappings."

                      Where do you describe your roles? In which file?

                       

                      Thanks again for your help.

                       

                      I'm waiting ;-)

                      • 8. Re: Glassfish v3, BlazeDS, and authentication.
                        jptech-ryan Community Member

                        I'll assume you've got Glassfish using the default 'file' realm for authentication.  If not you'll have to adapt my instructions to the realm you're using.

                         

                        1) Load the glassfish admin console.

                        2) Navigate to 'Configuration -- Security -- Realms -- file'.

                        3) Select 'Manage Users' near the top left.

                        4) Select 'New'

                        5) Add the user 'tech'.  In the 'Group List' put 'tech'.  Use any password you like.

                        6) Select 'OK' to save your user.

                        7) Navigate to 'Configuration -- Security'.

                        8) Enable 'Default Principal To Role Mapping'.  I can't remember why I have this enabled, so feel free to research it a bit.

                        9) Select 'Save' to save the changes.

                         

                        Here is a complete copy of a simple web.xml that I've used:

                         

                        <?xml version="1.0" encoding="UTF-8"?>
                        
                        <web-app xmlns="http://java.sun.com/xml/ns/javaee"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
                                 version="2.5">
                        
                            <display-name>ITMA Web App</display-name>
                        
                            <!-- Http Flex Session attribute and binding listener support -->
                            <listener>
                                <listener-class>flex.messaging.HttpFlexSession</listener-class>
                            </listener>
                        
                            <!-- MessageBroker Servlet -->
                            <servlet>
                                <display-name>MessageBrokerServlet</display-name>
                                <servlet-name>MessageBrokerServlet</servlet-name>
                                <servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
                                <init-param>
                                    <param-name>services.configuration.file</param-name>
                                    <param-value>/WEB-INF/flex/services-config.xml</param-value>
                                </init-param>
                                <load-on-startup>1</load-on-startup>
                            </servlet>
                        
                            <servlet-mapping>
                                <servlet-name>MessageBrokerServlet</servlet-name>
                                <url-pattern>/messagebroker/*</url-pattern>
                            </servlet-mapping>
                        
                            <welcome-file-list>
                                <welcome-file>itma-flex-ui-blazeds.swf</welcome-file>
                            </welcome-file-list>
                        
                            <login-config>
                                <auth-method>BASIC</auth-method>
                                <realm-name>file</realm-name>
                            </login-config>
                        
                            <security-role>
                                <role-name>tech</role-name>
                            </security-role>
                        
                            <security-constraint>
                                <web-resource-collection>
                                    <web-resource-name>Flex UI</web-resource-name>
                                    
                                    <url-pattern>/messagebroker/*</url-pattern>
                                    <http-method>GET</http-method>
                                    <http-method>POST</http-method>
                                </web-resource-collection>
                        
                                <auth-constraint>
                                    <role-name>tech</role-name>
                                </auth-constraint>
                            </security-constraint>
                        
                        </web-app>
                        

                         

                        Note the MessageBrokerServlet configuration, specifically the <servlet-name>.  You probably have something similar.  The <servlet-mapping> means all requests to urls like 'http://my.domain.com/contextroot/messagebroker/amf' will be processed by the MessageBrokerServlet.   The <security-constraint> configuration restricts all requests to '/messagebroker/*'.  Basically all requests to the MessageBrokerServlet will require authentication.

                         

                        All of the roles in your application need to get listed in  the <security-role> section.  Each role needs to be mapped to a 'Principal' on the Glassfish server.  I'm not positive, but I think the 'Default Principal To Role Mapping' will automatically map users defined as being of the role 'tech' to the 'tech' user (principal) or possibly the 'tech' group.  I'm a little unclear on how it works with the group list.

                         

                        The final parts are the <login-config> and <auth-constraint> sections.  The login config defines the realm to use (file in this example).  The auth-constraint section says that access to the listed resources should be restricted to users in the 'tech' role.

                         

                        The whole process is something like this:

                         

                        1) Only users in the role 'tech' can access urls that match /messagebroker/*.

                        2) The role of tech is defined and mapped to a principal (or group of principals) within the file realm on the server.

                        3) The 'Default Principal To Role Mapping' option in glassfish automatically maps the tech role to the tech principal (user) or group (I'm not actually sure which one).  I think you'd normally need to configure this somewhere and map the roles in your flex application to groups in your security realm.

                         

                        Try creating a configuration like the above.  Ignore the BlazeDS portion of the configuration to start with and see if you can get it working with just web.xml.  After you get that working and know you can actually authenticate to the container (Glassfish), then you can go back to trying to get the BlazeDS side of things configured / mapped.

                         

                        I hope that helps,

                        Ryan
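A check a practitioner could run against a web.xml like the one in the post above, added here as an example and not code from the thread or from BlazeDS/GlassFish: it reports MessageBrokerServlet URL patterns no security-constraint covers (the symptom in reply 10, where no BASIC prompt appears), roles used in an auth-constraint but never declared in security-role, constraints that list http-method (under Servlet 2.5, as declared in the posted web.xml, only the listed verbs are constrained), and constraints with no auth-constraint at all. The embedded web.xml is a constructed sample, not Ryan's file.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}
BROKER = "flex.messaging.MessageBrokerServlet"

# Constructed sample (not from the thread): the broker is mapped to two URL
# patterns but only one is constrained, the constraint is limited to GET/POST,
# and the 'admin' role it names is never declared in <security-role>.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/messagebroker/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/amf/*</url-pattern>
  </servlet-mapping>
  <login-config><auth-method>BASIC</auth-method><realm-name>file</realm-name></login-config>
  <security-role><role-name>tech</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Flex UI</web-resource-name>
      <url-pattern>/messagebroker/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tech</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _texts(parent, path):
    # Stripped text of every element matching an XPath below parent.
    return [e.text.strip() for e in parent.findall(path, NS) if e.text]


def audit_web_xml(xml_text, servlet_class=BROKER):
    """Return findings about how web.xml protects the BlazeDS broker servlet."""
    root = ET.fromstring(xml_text)

    # Which <servlet-name>s run the broker, and which URL patterns reach them?
    broker_names = {
        name for s in root.findall("j:servlet", NS)
        if _texts(s, "j:servlet-class") == [servlet_class]
        for name in _texts(s, "j:servlet-name")
    }
    broker_patterns = set()
    for m in root.findall("j:servlet-mapping", NS):
        if set(_texts(m, "j:servlet-name")) & broker_names:
            broker_patterns.update(_texts(m, "j:url-pattern"))

    # Which patterns carry an <auth-constraint>, and which roles do they name?
    protected, open_constraints, verb_limited, roles_used = set(), [], set(), set()
    for sc in root.findall("j:security-constraint", NS):
        patterns = _texts(sc, "j:web-resource-collection/j:url-pattern")
        auth = sc.find("j:auth-constraint", NS)
        if auth is None:  # no <auth-constraint>: the container requires no login here
            open_constraints.extend(patterns)
            continue
        protected.update(patterns)
        roles_used.update(_texts(auth, "j:role-name"))
        # Servlet 2.5 applies the constraint only to the listed <http-method>s;
        # any other verb reaches the servlet without authentication.
        if _texts(sc, "j:web-resource-collection/j:http-method"):
            verb_limited.update(patterns)

    declared = set(_texts(root, "j:security-role/j:role-name"))
    return {
        "auth_method": _texts(root, "j:login-config/j:auth-method"),
        "broker_patterns": sorted(broker_patterns),
        "unprotected_broker_patterns": sorted(broker_patterns - protected),
        "verb_limited_patterns": sorted(verb_limited),
        "undeclared_roles": sorted(roles_used - declared),
        "constraints_without_auth": sorted(open_constraints),
    }


if __name__ == "__main__":
    for key, value in audit_web_xml(SAMPLE_WEB_XML).items():
        print(f"{key}: {value}")
```

Run it against your own WEB-INF/web.xml by passing the file contents to audit_web_xml; an empty unprotected_broker_patterns list and an empty undeclared_roles list are what you want to see before moving on to the BlazeDS side.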

                        • 9. Re: Glassfish v3, BlazeDS, and authentication.
                          jptech-ryan Community Member

                          I should have been a little more clear that the example I listed above isn't necessarily the type of configuration you'll want for things to work with BlazeDS, but it should work for you to ensure you have the backend (Glassfish) portion of the configuration working correctly.

                          • 10. Re: Glassfish v3, BlazeDS, and authentication.
                            BatistutaGab Community Member

                            I followed your instructions. Now, when I make a request with my Flex client, it doesn't ask me for any login/password and I can access my application without a login/password...

                             

                            I disabled the security configuration part of BlazeDS and copied your web.xml to my domain/application/blazeds/WEB-INF/web.xml.

                             

                            What is wrong?

                            • 11. Re: Glassfish v3, BlazeDS, and authentication.
                              jptech-ryan Community Member

                              If it's not triggering the BASIC authentication then your Flex application must not be accessing /messagebroker/*.  Do you have any other servlets mapped that could be getting used for your channel configs?

                              • 12. Re: Glassfish v3, BlazeDS, and authentication.
                                BatistutaGab Community Member

                                No, I have only one servlet.

                                 

                                Maybe you could show me your service-config.xml and your remoting-service.xml?

                                 

                                Thanks again for your help

                                • 13. Re: Glassfish v3, BlazeDS, and authentication.
                                  jptech-ryan Community Member

                                  I haven't learned all the options and cleaned them up.  They're hacked together from samples I've seen all over the internet.  They're probably the minimum required to get anything to run.  Feel free to make suggestions.  I'm sure both can be improved (I'm more of a Java person than a Flex person - for now).

                                   

                                  services-config.xml

                                   

                                  <?xml version="1.0" encoding="UTF-8"?>
                                  <services-config>
                                       <services>
                                            <service-include file-path="remoting-config.xml"/>
                                       </services>
                                  
                                       <channels>
                                            <channel-definition id="main-channel" class="mx.messaging.channels.AMFChannel">
                                                 <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
                                                 <properties>
                                                      <polling-enabled>false</polling-enabled>
                                                 </properties>
                                            </channel-definition>
                                       </channels>
                                  
                                       <factories>
                                            <factory id="ejb3" class="com.adobe.ac.ejb.EJB3Factory" />
                                       </factories>
                                  
                                       <logging>
                                            <target class="flex.messaging.log.ConsoleTarget"
                                                      level="Error">
                                                 <properties>
                                                      <prefix>[BlazeDS]</prefix>
                                                      <includeDate>true</includeDate>
                                                      <includeTime>false</includeTime>
                                                      <includeLevel>true</includeLevel>
                                                      <includeCategory>true</includeCategory>
                                                 </properties>
                                                 <filters>
                                                      <pattern>Endpoint.*</pattern>
                                                      <pattern>Service.*</pattern>
                                                      <pattern>Message.*</pattern>
                                                      <pattern>DataService.*</pattern>
                                                      <pattern>Configuration</pattern>
                                                 </filters>
                                            </target>
                                       </logging>
                                  
                                       <system>
                                            <redeploy>
                                                 <enabled>true</enabled>
                                                 <watch-interval>20</watch-interval>
                                                 <watch-file>{context.root}/WEB-INF/flex/services-config.xml</watch-file>
                                                 <watch-file>{context.root}/WEB-INF/flex/remoting-config.xml</watch-file>
                                                 <watch-file>{context.root}/WEB-INF/flex/messaging-config.xml</watch-file>
                                                 <touch-file>{context.root}/WEB-INF/web.xml</touch-file>
                                            </redeploy>
                                       </system>
                                  </services-config>
                                  

                                   

                                  remoting-config.xml

                                   

                                  <?xml version="1.0" encoding="UTF-8"?>
                                  <service id="remoting-service" class="flex.messaging.services.RemotingService">
                                  
                                       <adapters>
                                            <adapter-definition id="java-object"
                                                                     class="flex.messaging.services.remoting.adapters.JavaAdapter"
                                                                     default="true"/>
                                       </adapters>
                                  
                                       <default-channels>
                                            <channel ref="main-channel"/>
                                       </default-channels>
                                  
                                       <destination id="echoService">
                                            <properties>
                                                 <factory>ejb3</factory>
                                                 <source>java:app/services-core/EchoServiceBean</source>
                                            </properties>
                                       </destination>
                                  
                                       <destination id="customerService">
                                            <properties>
                                                 <factory>ejb3</factory>
                                                 <source>java:app/services-core/CustomerServiceBean</source>
                                            </properties>
                                       </destination>
                                  </service>
                                  
                                  • 14. Re: Glassfish v3, BlazeDS, and authentication.
                                    BatistutaGab Community Member

                                    Hi,

                                     

                                    I don't understand, I have exactly the same configuration as you and it doesn't work...

                                     

                                    Thanks again for your help. I've created a discussion at this URL: http://forums.java.net/jive/thread.jspa?threadID=76002

                                     

                                    You can join us if you want or you can write here ...

                                     

                                    Batistuta
                                    • 15. Re: Glassfish v3, BlazeDS, and authentication.
                                      Barryzhong Community Member

                                      Hi Ryan,

                                       

                                      If this problem still bothers you, you can refer to this article, http://www.iteye.com/topic/1117877

                                       

                                      I hacked TomcatValve.java, and everything works fine now.

                                      • 16. Re: Glassfish v3, BlazeDS, and authentication.
                                        drrevis Community Member

                                        I think I'm running into this same problem and would love to try the jar files with your fix, but when I try to download them, it wants me to login.  Are they accessible somewhere else that doesn't require a login?

                                         

                                        I also tried to download the latest nightly build for BlazeDS (4.6.0.xxx) thinking that the problem may have been fixed there, but it complains about not finding the server flexorg.wip3.adobe.com.  Is the problem fixed in those builds and if so, are the downloads accessible from somewhere else?

                                         

                                        BTW, I had everything working previously, but now that I've upgraded the glassfish server, etc. the error I get when I try to authenticate is:

                                         

                                        [#|2011-12-02T11:20:18.987-0500|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=25;_ThreadName=Thread-3;|[BlazeDS]Deserializing AMF/HTTP request
                                        Version: 3
                                          (Message #0 targetURI=null, responseURI=/5)
                                            (Array #0)
                                              [0] = (Typed Object #0 'flex.messaging.messages.CommandMessage')
                                                operation = 8
                                                correlationId = ""
                                                destination = "auth"
                                                clientId = null
                                                timestamp = 0
                                                headers = (Object #1)
                                                  DSEndpoint = "my-amf"
                                                  DSId = "F2F6DEFD-4708-542F-E3BF-7AE2D9218A97"
                                                messageId = "7085C0ED-AFB3-C8ED-45EC-FF93899BA917"
                                                body = "bHNhZG1pbjpwYXNz"
                                                timeToLive = 0
                                        |#]

                                        [#|2011-12-02T11:20:18.994-0500|INFO|glassfish3.1.1|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=25;_ThreadName=Thread-3;|[BlazeDS]Serializing AMF/HTTP response
                                        Version: 3
                                          (Message #0 targetURI=/5/onStatus, responseURI=)
                                            (Typed Object #0 'flex.messaging.messages.ErrorMessage')
                                              headers = (Object #1)
                                              rootCause = null
                                              body = null
                                              correlationId = "7085C0ED-AFB3-C8ED-45EC-FF93899BA917"
                                              faultDetail = null
                                              faultString = "There was an unhandled failure on the server. org.apache.catalina.Realm.authenticate(Ljava/lang/String;Ljava/lang/String;)Ljava/security/Principal;"
                                              clientId = "F2F7331A-7B1C-A69C-E6D9-D1792EE0ED1B"
                                              timeToLive = 0.0
                                              destination = "auth"
                                              timestamp = 1.322842818991E12
                                              extendedData = null
                                              faultCode = "Server.Processing"
                                              messageId = "F2F73324-3F0E-1787-341C-5E1CB73DBD73"
                                        |#]

                                         

                                         

                                        I'm hoping this is the same problem.  Thanks for any help!

                                         

                                        Renee