14 Replies Latest reply on Oct 13, 2006 10:07 AM by Jason_the_Mullerite

    login / securing flex

    zorg
I'm sure it can be done, but the examples are suspiciously lacking.
I want to 'secure' my application using Flex. The basic examples show me how to create a login screen
(no-brainer there, it's a form), but I can't find any docs on the logic to test for or persist a security state.

Anyone? Please (basic examples).
      thanks
        • 1. Re: login / securing flex
          Marcel_Overdijk
          I'm evaluating Flex 2 and have the same question.
          I need a login form (registering is not needed, this is done by administrators), which checks the username/password in the database. If the user exists and the password is correct, the user enters the application.

Additionally, I want to store the username and additional info from the database (like first name, last name, type of user, roles) in some kind of session object. This is for displaying something like 'Currently logged in user: lastname, firstname', and the type of user/roles to enable or disable certain menu items and panels in the application.

          Any help appreciated.

I think it would be good to have a sample application doing something like this. Anyone using Flex for creating a corporate data application needs login functionality.

          Regards,
          Marcel
          • 2. Re: login / securing flex
            ntsiii Level 3
            One reason for the absence of examples is that Flex is not tied to any specific back-end, which is where the authentication logic occurs.

            Search this forum, and google. This has been discussed often.

            Tracy
            • 3. Re: login / securing flex
              Marcel_Overdijk Level 1
              Hi Stacy,

That's what I did. I searched for login, security, authentication but didn't find any satisfying answer.
              Maybe I just missed some good links. Can you maybe point me to them?

              Thanks,
              Marcel
              • 4. Re: login / securing flex
                ntsiii Level 3
                What is your back-end?

                Tracy
                • 5. Re: login / securing flex
                  Marcel_Overdijk Level 1
I'm just evaluating Flex currently. But assume it's a MySQL or Oracle database containing a User, Roles and UserRoles table. The User table contains the users (username, password, firstname, lastname), and the Roles and UserRoles tables indicate the roles available in the system and which roles are assigned to specific users.

Now what I need is a simple login form for securing the app. Next I'd like to display some panels and menu items (simple LinkButtons are enough for now) dependent on the roles assigned to the logged-in user. I'd like to use FDS, because the app will contain some basic CRUD screens to manipulate data. As a Java developer, using the HibernateAssembler sounds interesting.

                  Thanks for helping,
                  Marcel
                  • 6. Re: login / securing flex
                    Level 7
                    Start with
http://livedocs.macromedia.com/flex/2/fds2javadoc/flex/messaging/security/LoginCommand.html.
                    Also search the Flex 2 developer's guide for "LoginCommand". Plenty of
                    information there.

                    --
Jürgen Failenschmid


                    • 7. Re: login / securing flex
                      ntsiii Level 3
                      That link didn't work for me. Also, it looks like it is depending on FDS. If you can go that route then that is fine.

                      If not you need to understand that Flex is a client side presentation technology. It does not support direct access to databases or server-side filesystem etc. You will need some middle tier like ColdFusion, PHP, JSP, .NET, etc that can do the server-side work. You communicate between that tier and Flex using one of the RPC protocols, WebService, HTTPService, or RemoteObject.

                      Actual authentication is a server-based functionality.

                      Tracy
                      • 8. Re: login / securing flex
                        GeorgeWS Level 1
I have done search after search on this topic. I am using ColdFusion, but have yet to construct a login that works with Flex. There are no docs showing a simple login app. I have been trying to pass variables to a CFC, but no one knows how to do that. I have read many different things and none actually works. This is very frustrating; empty, incomplete, untested answers everywhere. Where are the simple-minded real-world answers? I think FlashVars would be a good way to go if they actually worked. Sorry, just getting very frustrated with no books available and only 3-5 people who can even try and answer questions.
                        • 9. Re: login / securing flex
                          d_erek
                          George, I agree with you. I've been looking for some tested examples to do authentication with webservices. Then storing some 'session' type data on the server.

                          If you find anything, please post it here.
                          • 10. login / securing flex
                            Rendl
I had the same problem and found the solution is actually quite straightforward. I use MySQL as my back end and PHP as the application.

My user has a login form, and when they click submit, it fires off an HTTP request to the PHP site with the login/pass as parameters. The response is an XML page along the lines of:

                            <main>
                            <authenticated>true</authenticated>
                            </main>

                            If a true result is received I simply dispatch an event which triggers the load of a new authenticated view on the client. A constant is set for username.

Whilst at the moment I run on clear HTTP, it hopefully won't be too hard to convert to HTTPS. And whilst the security of this could be breached by simply putting a hosts file entry locally for the HTTPService and fudging an XML with a true result, it wouldn't allow the user to get any data, which makes it a valueless attack (at least in the case of my app).

It would make sense to trigger some additional security on the database for the particular session also, to avoid someone using the hosts file and then removing it so they could grab data. There are many quite simple ways to improve the security of this model to avoid hosts file or DNS spoofing. Can't really think of any other attack vectors (though it wouldn't surprise me if someone here points one or two out :))

                            • 11. Re: login / securing flex
                              Marcel_Overdijk Level 1
Reading the comments, it seems not that simple. I understand Flex is a view technology and that the actual authentication (in my case checking username/password and returning assigned roles) needs to be done server-side.
Some questions:
- How can I store the assigned roles after a user is logged in?
- How do I display panels and menu items dependent on the assigned roles?

                              • 12. login / securing flex
                                Rendl Level 1
You're right, it isn't that simple, but almost.

Once you store the username in a constant and you have set the authenticated event, you can then simply send requests to the application. So I have it like this:

                                State 1: login screen (authenticated=false)
                                - User enters login / pass
- HTTPService sends a request to the web server, which runs Apache/PHP/MySQL. PHP checks the user against the MySQL user DB. If the user/pass combo matches, return authenticated=true, else authenticated=false.

Example HTTPService request against a PHP auth file:

<mx:HTTPService id="dbCheck" useProxy="false" url="http://127.0.0.1/login/login.php?user={loginObject.username}&amp;pass={loginObject.password}"/>

The Flex client receives the response. If authenticated = true, then set a username constant and change state to:

                                State2: Client Application
- Fetch data from PHP/MySQL (I actually use Ruby on Rails for this; though I'm a complete Ruby on Rails novice, it's like 20 lines of code to achieve something that takes about 200 in PHP).

In order to display the view based on the user role etc., you need to program that into the PHP or Ruby application. Whatever you choose, it should serve up the XML result for the Flex client to consume.

Say, for example, you want to create some sort of Human Resources app. Role-based controls prohibit all from seeing all, so restricted views etc. So when you want to fetch the data you could do something like this:

<mx:HTTPService id="getResults" useProxy="false" url="http://127.0.0.1/login/getResults.php?session={loginObject.hash}&amp;user={loginObject.username}"/>

The getResults.php file then checks the database for the user ID and session hash. If valid, it checks the privileges to determine what data should be returned and then returns a bunch of XML for the Flex client.

So to summarize, the logic for who sees what is in the DB. PHP or Ruby provides the glue between Flex and the DB/data.

                                I will try to get my app sanitized and posted for all to poke holes at :)
                                • 13. Re: login / securing flex
                                  Marcel_Overdijk Level 1
OK, for authenticating I have an idea what I have to do. An alternative is to use JAAS security.

However, one question is bothering me. My logged-in user can have several roles (e.g. Admin, Manager, User). I have a couple of ButtonLinks (a sort of menu), but I want to display some of the links dependent on the role. For example, the Admin role has a ButtonLink to add users to the database.

                                  Regards Marcel

BTW: thanks for the previous answers
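Editor's note: the following is an added example, not code from anyone in this thread. It sketches the server side of the scheme Rendl lays out in reply 12 (login returns authenticated plus a session hash; getResults only returns data for a valid session) and answers Marcel's question in reply 13 by having the server decide which menu items the user's roles unlock, so the Flex client only renders what it is sent. It is plain Ruby rather than Rails, and it assumes a constructed in-memory user table standing in for the MySQL User/Roles/UserRoles tables, an in-memory session store, and made-up user, role and menu item names (alice, bob, addUser, manageRoles, approveTimesheets, myProfile).

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for the MySQL User / Roles / UserRoles tables.
# Passwords are stored as salted PBKDF2 hashes, never in clear text.
PBKDF2_ITERATIONS = 10_000

def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: "sha256")
end

def make_user(username, password, roles)
  salt = SecureRandom.random_bytes(16)
  { username: username, salt: salt, pw_hash: hash_password(password, salt), roles: roles }
end

USERS = {
  "alice" => make_user("alice", "correct horse", %w[Admin Manager User]),
  "bob"   => make_user("bob",   "hunter2",       %w[User]),
}.freeze

# Which menu items (LinkButtons on the Flex side) each role unlocks; made-up names.
ROLE_MENU = {
  "Admin"   => %w[addUser manageRoles],
  "Manager" => %w[approveTimesheets],
  "User"    => %w[myProfile],
}.freeze

# Dummy credentials so a login for an unknown user costs the same as a wrong password.
DUMMY_SALT = SecureRandom.random_bytes(16)
DUMMY_HASH = hash_password(SecureRandom.hex(8), DUMMY_SALT)

# Server-side session store: token => { username:, roles: }. A real app would keep
# this in the database (the "session hash" that getResults.php checks).
SESSIONS = {}

def xml_escape(s)
  s.to_s.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# Constant-time comparison so the hash check does not leak where the bytes differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# login.php equivalent: returns a fresh random session token, or nil on failure.
def login(username, password)
  user = USERS[username]
  salt, expected = user ? [user[:salt], user[:pw_hash]] : [DUMMY_SALT, DUMMY_HASH]
  ok = secure_equal?(hash_password(password, salt), expected)
  return nil unless ok && user
  token = SecureRandom.hex(32)   # 256 random bits: not guessable, not derived from the user
  SESSIONS[token] = { username: username, roles: user[:roles] }
  token
end

# The XML the Flex client's login HTTPService would receive.
def login_xml(username, password)
  token = login(username, password)
  return "<main><authenticated>false</authenticated></main>" unless token
  "<main><authenticated>true</authenticated><session>#{token}</session></main>"
end

# getResults.php equivalent: data comes back only for a token the server itself
# issued, and only for the user it was issued to. Roles decide the menu.
def get_results(token, username)
  sess = SESSIONS[token]
  return nil unless sess && sess[:username] == username
  menu = sess[:roles].flat_map { |r| ROLE_MENU.fetch(r, []) }.uniq
  { username: username, roles: sess[:roles], menu: menu }
end

def results_xml(token, username)
  r = get_results(token, username)
  return "<main><error>not authenticated</error></main>" unless r
  roles = r[:roles].map { |x| "<role>#{xml_escape(x)}</role>" }.join
  menu  = r[:menu].map  { |x| "<item>#{xml_escape(x)}</item>" }.join
  "<main><user>#{xml_escape(r[:username])}</user><roles>#{roles}</roles><menu>#{menu}</menu></main>"
end

# Invalidate the session; returns true if a session existed.
def logout(token)
  !SESSIONS.delete(token).nil?
end

if $PROGRAM_NAME == __FILE__
  puts login_xml("alice", "wrong password")
  token = login("alice", "correct horse")
  puts results_xml(token, "alice")
  puts results_xml("forged-token", "alice")   # a faked "authenticated=true" gets no data
end
```

The point Rendl's hosts-file remark is circling: `<authenticated>true</authenticated>` is only a hint for the client's view state. What actually guards the data is the session token, which the server generates at login and looks up again on every getResults call, so a forged login response yields nothing, and the client never needs to carry a password or a trust decision around. On the Flex side, the HTTPService for login should use method="POST" over HTTPS rather than putting user and pass in the query string, because GET parameters end up in the web server's access log and in proxy logs.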
                                  • 14. Re: login / securing flex
                                    Jason_the_Mullerite
                                    Rendl,

That is the best explanation that I have ever heard. I have searched all over, and a simple non-FDS login explanation is not out there. There are "sample apps" on Adobe's website, but they won't allow you to view the code <soapbox> which makes no sense to me -- don't just show me what I can do, I know that -- show me how to do it </soapbox>.

Anyway, I would love for you to post your app so that I can see your code. It would help me out greatly!

                                    Thanks,

                                    Jason