7 Replies Latest reply on Mar 28, 2008 6:38 AM by cxf02

    Integrated Windows Authentication

    pamet
      My company is trying to integrate flex for reports in one big enterprise application built with ASP.NET. This application uses "Integrated Win. Authentication". So each user logs on with his username on the domain. Application automaticaly can see user's login information and check it agains the database for permissions.

      Is something like this possible with FLEX? I want to forbid user's to see reports if they don't have the right permissions.

      P.S. Ofcourse the application and integrated flex reports are meant to be run in IE only.
        • 1. Re: Integrated Windows Authentication
          slaingod Level 1
          Presumably you would need to write a web service interface in between the authentication and Flex. Meaning this is something you would do on the server side, in ASP or PHP or Ruby or whatever, and then only send the data if they were allowed to see it.

          In general you would never do security checking/management/anything besides asking for their password/username in Flex/Flash/HTML/Javascript or whatever and passing it back to the server, as these can all be decompiled/source viewed and easily broken.
          • 2. Re: Integrated Windows Authentication
            pamet Level 1
            First thanks for your response. Secondly, I think I was not clear enough in my first post.

            Of course, there will be an asp.net web service in between database and flex. What I want to do here is not prompt user for their credentials, but to extract his domain logon programatically. In asp.net you can do that on the server side by extracting it from the Request object. Flex app is executed on the client so I think there must be some way to do this. Am I right? I can't let users log in twice.
            • 3. Re: Integrated Windows Authentication
              jylaxx
              I dont' think it is very different with Flex. You can add the same informations in the html page containing your Flex module and then use ExternalInterface or Application.application.parameters to get them.
              • 4. Integrated Windows Authentication
                pamet Level 1
                Ok. So, if I understood you correctly something like this is possible:

                1. With the use of ExternalInterface I can call javascript function on the page.
                2. Javascript function would then with the use of AJAX made a call to the server and read logon info from the Request object.
                3. Javascript function would return that information to my flex embeded app.
                4. Flex app would do authentication by calling a web service and providing this login information.

                Thank you.
                • 5. Re: Integrated Windows Authentication
                  cxf02 Level 1
                  It sounds as though you want to obtain the users login from the client machine and then send it to the server, expecting that the server will have the user login within its domain. However, just like with network services between windows computers (shared drives for instance) there will have to be authentication between the client and the server for the user credentials.

                  The real issue is, can your FLEX application "talk" to your client machine, get what it needs, and then pass it to the server. The ExternalInterface can be used to reach the browser API and DOM, but, what in the Browser allows you to get the users credentials from the OS? That is the question that needs to be researched. Looking at both the Application, the Security object and various other sandbox objects tells me this can be done, but what the best route is, I can't say.

                  You will need a layer to abstract whatever OS the user is attempting to login from, or restrict the OS if it is a single type. You will need a wrapper object (if one exists already in FLEX, I don't know) to call system API's either through the browser or directly. Once you have the data from the system, it's not an issue to send it to the server and wait for authentication. But getting it through the protective sandbox of the PLAYER is the issue.

                  Just food for thought, this is the second post i have seen about this topic. Read up on AIR security and you might find that building an AIR app might work better for an intranet situation.

                  Cheers,,
                  • 6. Re: Integrated Windows Authentication
                    pamet Level 1
                    Well... I can't use AIR, cause we were thinking of just upgrading our ASP.NET applications with a little embeded FLEX, mainly for reporting because of FLEX's nice charting capabilities.

                    (Btw. just to be clear here on the restrictions of OS, web server and browser. Our enterprise applications were built to run on Microsoft platforms _only_. So it's always Windows, IE and IIS in question here.)

                    What you said about obtaining data from the client would be shorter route from what I wrote in my previous post, cause then I wouldn't need to make this AJAX call to the server. But I don't know how to achieve that and can't find any info.

                    IE has the information I'm looking for. When you have "Integrated windows authentication" checked on the IIS, IIS will accept the windows/domain login information from the IE. I don't know the way to extract that info from the IE, but I can do it like I wrote in my last post. If it's possible ofcourse. I hope I understood correctly what other guy here wrote and I what I just red on the net.
                    • 7. Integrated Windows Authentication
                      cxf02 Level 1
                      That sounds like a way to do it: PLAYER-->JavaScriptIE-->Server-->
                      Authentication-->IEJavaScript-->PLAYER-->Logged In Success or Failure

                      Works for me!