3 Replies Latest reply: Nov 29, 2011 1:22 PM by Rohit . Kumar RSS

    Authentication works but not Authorization with Custom Tomcat Login

    RupakKhurana Community Member


      I am following the steps mentioned in LCDS guide on setting up Tomcat (6.0.33) login. The configuration file details are mentioned below... Based on that, my observation is that the user "tomcat" and "rupak" can login successfully. However the remotingService called AdminControlService has security constraint of trustedAdmin and the user rupak or tomcat dont have the roles of twsadmin but the login is successful on amfChannel for these users while I expect it to fail because of the security constraint of trustedAdmin associated with it.. The security constraint trustedAdmin only defines roles for twsadmin so ideally any user that does not have this role should fail login. What am I missing?









        <role rolename="tomcat"/>
        <role rolename="role1"/>
        <role rolename="twsadmin"/>
        <role rolename="twsuser"/>

        <user username="tomcat" password="tomcat" roles="tomcat"/>
        <user username="both" password="tomcat" roles="tomcat,role1"/>
        <user username="role1" password="tomcat" roles="role1"/>
        <user username="rupak" password="pwd123" roles="twsuser"/>






             <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>       
              <security-constraint id="trustedAdmin">


              <security-constraint id="trustedUser">

              <service id="AdvancedMessagingSupport" class="flex.messaging.services.AdvancedMessagingSupport">
                  <default-security-constraint ref="trustedUser"/>

              <service-include file-path="remoting-config.xml" />
              <service-include file-path="proxy-config.xml" />
              <service-include file-path="messaging-config.xml" />
              <service-include file-path="data-management-config.xml" />
              <service class="fiber.data.services.ModelDeploymentService" id="model-deploy-service">
                  <!--default-security-constraint ref="trustedUser"/-->
                 <channel ref="my-rtmp"/>









      <service id="remoting-service"

              <adapter-definition id="java-object" class="flex.messaging.services.remoting.adapters.JavaAdapter" default="true"/>


              <channel ref="my-amf"/>


          <destination id="AdminControlService">
                  <security-constraint ref="trustedAdmin"/>




      mxml & ActionScript



        <s:RemoteObject id="adminService"













      AMFURL = http://<ip>:<HTTPport>/MyServer/messagebroker/amf

      rtmpChannel.addChannel(new RTMPChannel"CustomRTMP", RTMPURL));

      amfChannel.addChannel(new  AMFChannel("myCustomAMF",AMFURL))

      adminService.channelSet = amfChannel;




      private function login(username:String, password:String):void
          //login to RTMP channel
          if(rtmpChannel.authenticated == false){
           token = rtmpChannel.login(username, password);    
           token.addResponder(new AsyncResponder(RTMPLoginResultEvent, RTMPLoginFaultEvent));


        if (amfChannel.authenticated == false)


          tokenAMF = amfChannel.login(username, password);

          tokenAMF.addResponder(new AsyncResponder(AMFLoginResultEvent, AMFLoginFaultEvent));



        • 1. Re: Authentication works but not Authorization with Custom Tomcat Login
          Rohit . Kumar Adobe Employee

          Hi Rupak,


          Logging using a channelset (in your case, "rtmpChannel" / "amfChannel"), the user is simply authenticated using the registered Login Command. The actual user authorization check is not done until the actual call to the destination is made. Even though you have assigned the channelset to the remote object, the ChannelSet.login does not use the associated remoting destination. Only when you actually invoke the actual remoting destination, will the actual user authorization be done.


          Quoting from documentation at http://help.adobe.com/en_US/LiveCycleDataServicesES/3.1/Developing/WSc3ff6d0ea77859461172e 0811f00f7045b-7f36Update.html:

          When a FlexClient tries to log in, LoginCommand.doAuthentication() is called and returns a Principal that is set on the FlexSession object for subsequent requests. Next, as a Flex client tries to call the destination, LoginCommand.doAuthorization is called for each request.


          Hope that helps.



          • 2. Re: Authentication works but not Authorization with Custom Tomcat Login
            RupakKhurana Community Member

            When I invoke the remoting destination, I get the following message... Note my client is AIR application..


            [RPC Fault faultString="Detected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly." faultCode="Server.Processing.DuplicateSessionDetected" faultDetail="null"]


            After a few restarts of the server, I start getting the correct response upon invoking the remoting destination i.e.,

            [RPC Fault faultString="Access denied. User not authorized." faultCode="Client.Authorization" faultDetail="null"]


            dont know why it is behaving correct now..

            • 3. Re: Authentication works but not Authorization with Custom Tomcat Login
              Rohit . Kumar Adobe Employee

              Hi Rupak.    


              Firstly, from your response above, it seems like the original problem (of not carrying out authorization during login) described in the post has been answered/addressed.


              As regards the new problem of getting duplicate session issue, there could be multiple reasons why could this happen. Most of them are:


              1. Cookies have been disabled in the browser.

              2. Your app ends up making multiple requests to the Data Services server, before actually the session for the first request got created.

              3. You are using a load balancer to process requests on the server side. In that case, you need to ensure that request gets always processed by the same node.


              I would recommend, you go over my colleague Alex's blog at: http://www.alexglosband.com/2010/03/avoiding-duplicate-session-detected-errors-in-lcds-and -blazeds


              Hope that helps!