Cairngorm 2 Security

It’s great to finally see Cairgorm 2 on Adobe Labs. To mark the occassion I thought I would post some code I developed a while back to allow Cairngorm to use secured server-side destinations.

On the server you can configure security contraints in services-config.xml as per the following example , alternatively you can configure security constraints in-line with your destinations.

Customguestsaccountantsemployeesmanagers

You can then reference your security contraint in your destinations (data-management-config.xml, messaging-config.xml, proxy-config.xml and remoting-config.xml) as per the following example:

com.adobe.LoginService

The ZIP contains the following files:

  • DestinationLocator – subclasses Cairngorm ServiceLocator to support Messaging, Data Management Services and Web Services.
  • SecureDestinationLocator – sublcasses DestinationLocator to support user authentication.

The SecureDestinationLocator class provides two public methods, setCredentials() and logout(). When you call setCredentials() the supplied username and password are set on all configured destinations. When you call logout() the user is logged out from all configured destinations. At present SecureDestinationLocator doesn’t support remote credentials or setting credentials on individual destinations.

When you set the user’s credentials on a service they are applied to the underlying channel not the individual services i.e. the set of services belonging to the channel share the samecredentials.

The SecureDestinationLocator will allow you to create a custom login form in your application and use the underlying J2EE security model. The benefits to your application are that you can apply authentication to your server-side destinations and also use role-based authorization. If you are developing a more complex enterprise application, which may have mid-tier business logic that is held in EJBs the user principal, which is created on authentication will be propagated. This allows you to identify the user and to secure you EJBs. The motivation to secure your server-side services often comes from the need to protect your system from malicious hackers, which forces many enterprise applications to undergo penetration testing before they can enter production.

On a wider enterprise scale many of today’s J2EE-application servers support Single Sign On (SSO) and integration with Identity Management Solutions.

4 Responses to Cairngorm 2 Security

  1. Does ColdFusion connector have a similiar mechanism?

  2. Bjorn Schultheiss says:

    DestinationLocator will indeed be useful.Direct access to DataService instances through cairngorm is good.SecureDestination works with CF.But i’m not a pro yet on CF session credentials management.I think this solution integrates FDS very well into our existing cairngorm architecture.Bjorn

  3. Mudassir says:

    Sir I want to use Granite pojo Data service, in cairngorm. Instead of flex data service.. so can u guide me

  4. Parag says:

    Hi Peter,I am implementing login form using secure connection.I have updated services-config.xml file, tags to use custom login class.I am using DataService’s setCredential method to pass credential to server. On Server, doAuthentication method is called and this function returns Principal object.On server I am getting response as follows:[Flex] 12/20/2007 14:29:13.774 [DEBUG] [Message.Command.login] Executed command:service=authentication-servicecommandMessage: Flex Message (flex.messaging.messages.CommandMessage)operation = loginclientId = 107C29D6-0E2F-5973-61DD-7E4F55D30921destination =messageId = AD4189DF-D6A3-5F17-E8A2-F6C1FCDC9901timestamp = 1198141153774timeToLive = 0***not printing credentials***replyMessage: Flex Message (flex.messaging.messages.AcknowledgeMessage)clientId = 107C29D6-0E2F-5973-61DD-7E4F55D30921correlationId = AD4189DF-D6A3-5F17-E8A2-F6C1FCDC9901destination = nullmessageId = 107C29D6-0E3F-259D-E33F-CD6370537B91timestamp = 1198141153774timeToLive = 0body = successhdr(DSId) = 1069C887-F31E-9B3D-ACCD-9842910205CA[Flex] 12/20/2007 14:29:13.774 [DEBUG] [Endpoint.AMF] Serializing AMF/HTTP responseVersion: 3(Message #0 targetURI=/1/onResult, responseURI=)(Typed Object #0 ‘flex.messaging.messages.AcknowledgeMessage’)destination = nullheaders = (Object #1)DSId = “1069C887-F31E-9B3D-ACCD-9842910205CA”correlationId = “4675F284-F969-EDC7-D178-F6C721BF5425″messageId = “107C29D6-0E19-2819-2E4D-757AC1DC8E5F”timestamp = 1.198141153774E12clientId = “107C29D6-0E08-82C2-AFD9-D8867D66D83D”timeToLive = 0.0body = “success”And in Flex, MessagingAgent’s authenticated property is getting false.I tried to trap response from server using class AcknowledgeMessage and AbstractService. From these objects I tried to get body from server response, and I am getting body is null.I am trying to find out solution to following questions:a) Where we get response of setCredentials method in flex or where did flex gets Principal object retuned by Java/server’s doAuthentication function.b) Even though acknowledge from server gives login as success, why flex AcknowledgeMessage and AbstractMessage classes are giving authentication as failure.Any pointer to this is really appreciated.Thank you,Parag