June 30, 2006
Cairngorm 2 Security
It's great to finally see Cairngorm 2 on Adobe Labs. To mark the occasion I thought I would post some code I developed a while back to allow Cairngorm to use secured server-side destinations.
On the server you can configure security constraints in services-config.xml as per the following example; alternatively you can configure security constraints in-line with your destinations.
    <security-constraint id="trusted">
        <auth-method>Custom</auth-method>
        <roles>
            <role>guests</role>
            <role>accountants</role>
            <role>employees</role>
            <role>managers</role>
        </roles>
    </security-constraint>
You can then reference your security constraint in your destinations (data-management-config.xml, messaging-config.xml, proxy-config.xml and remoting-config.xml) as per the following example:
    <destination id="loginService">
        <properties>
            <source>com.adobe.LoginService</source>
        </properties>
        <security>
            <security-constraint ref="trusted" />
        </security>
    </destination>
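As an added example (not code from the original post or from the Cairngorm download), the following Python script lints a services configuration in the shape shown above: it collects the named security-constraint definitions and flags every destination that references a constraint which is not defined, or that carries no security block at all and is therefore reachable without authentication. The XML it parses is constructed sample input.

```python
import xml.etree.ElementTree as ET

# Constructed sample input in the shape of services-config.xml (not the project's own file).
SAMPLE_CONFIG = """<services-config>
  <security>
    <security-constraint id="trusted">
      <auth-method>Custom</auth-method>
      <roles>
        <role>employees</role>
        <role>managers</role>
      </roles>
    </security-constraint>
  </security>
  <destination id="loginService">
    <properties><source>com.adobe.LoginService</source></properties>
    <security><security-constraint ref="trusted" /></security>
  </destination>
  <destination id="reportService">
    <properties><source>com.example.ReportService</source></properties>
    <security><security-constraint ref="admins" /></security>
  </destination>
  <destination id="publicService">
    <properties><source>com.example.PublicService</source></properties>
  </destination>
</services-config>"""


def check_destinations(xml_text):
    """Map each destination id to 'ok', 'undefined:<ref>' or 'unprotected'."""
    root = ET.fromstring(xml_text)
    # Named constraints are the ones carrying an id attribute (top-level <security> block).
    defined = {sc.get("id") for sc in root.iter("security-constraint") if sc.get("id")}
    result = {}
    for dest in root.iter("destination"):
        constraint = dest.find("./security/security-constraint")
        if constraint is None:
            # No <security> block at all: the destination is reachable unauthenticated.
            result[dest.get("id")] = "unprotected"
        elif constraint.get("ref") is not None:
            ref = constraint.get("ref")
            result[dest.get("id")] = "ok" if ref in defined else "undefined:" + ref
        else:
            # In-line constraint: acceptable only if it actually declares roles.
            has_roles = constraint.find("roles") is not None
            result[dest.get("id")] = "ok" if has_roles else "unprotected"
    return result


if __name__ == "__main__":
    for dest_id, status in check_destinations(SAMPLE_CONFIG).items():
        print(dest_id + ": " + status)
```

A destination reported as undefined is the dangerous case in practice: a typo in the ref silently leaves the service without the roles you intended.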
The ZIP contains the following files:
- DestinationLocator - subclasses Cairngorm ServiceLocator to support Messaging, Data Management Services and Web Services.
- SecureDestinationLocator - subclasses DestinationLocator to support user authentication.
The SecureDestinationLocator class provides two public methods, setCredentials() and logout(). When you call setCredentials() the supplied username and password are set on all configured destinations. When you call logout() the user is logged out from all configured destinations. At present SecureDestinationLocator doesn't support remote credentials or setting credentials on individual destinations.
When you set the user's credentials on a service they are applied to the underlying channel, not to the individual service, i.e. all services belonging to the same channel share the same credentials.
The SecureDestinationLocator will allow you to create a custom login form in your application and use the underlying J2EE security model. The benefits to your application are that you can apply authentication to your server-side destinations and also use role-based authorization. If you are developing a more complex enterprise application, which may have mid-tier business logic held in EJBs, the user principal created on authentication is propagated, allowing you to identify the user and to secure your EJBs. The motivation to secure your server-side services often comes from the need to protect your system from malicious hackers, which forces many enterprise applications to undergo penetration testing before they can enter production.
On a wider enterprise scale many of today's J2EE-application servers support Single Sign On (SSO) and integration with Identity Management Solutions.
Posted by at June 30, 2006 10:06 AM
Comments
Does the ColdFusion connector have a similar mechanism?
Posted by: Renaun Erickson at June 30, 2006 5:42 PM
DestinationLocator will indeed be useful.
Direct access to DataService instances through cairngorm is good.
SecureDestination works with CF.
But I'm not a pro yet on CF session credentials management.
I think this solution integrates FDS very well into our existing cairngorm architecture.
Bjorn
Posted by: Bjorn Schultheiss at July 10, 2006 1:59 PM
Sir, I want to use the Granite POJO data service in Cairngorm instead of Flex Data Services. So can you guide me?
Posted by: Mudassir at December 18, 2007 8:38 AM
Hi Peter,
I am implementing a login form using a secure connection.
I have updated the services-config.xml file tags to use a custom login class.
I am using DataService's setCredentials method to pass credentials to the server. On the server, the doAuthentication method is called and this function returns a Principal object.
On the server I am getting the following response:
[Flex] 12/20/2007 14:29:13.774 [DEBUG] [Message.Command.login] Executed command:
service=authentication-service
commandMessage: Flex Message (flex.messaging.messages.CommandMessage)
operation = login
clientId = 107C29D6-0E2F-5973-61DD-7E4F55D30921
destination =
messageId = AD4189DF-D6A3-5F17-E8A2-F6C1FCDC9901
timestamp = 1198141153774
timeToLive = 0
***not printing credentials***
replyMessage: Flex Message (flex.messaging.messages.AcknowledgeMessage)
clientId = 107C29D6-0E2F-5973-61DD-7E4F55D30921
correlationId = AD4189DF-D6A3-5F17-E8A2-F6C1FCDC9901
destination = null
messageId = 107C29D6-0E3F-259D-E33F-CD6370537B91
timestamp = 1198141153774
timeToLive = 0
body = success
hdr(DSId) = 1069C887-F31E-9B3D-ACCD-9842910205CA
[Flex] 12/20/2007 14:29:13.774 [DEBUG] [Endpoint.AMF] Serializing AMF/HTTP response
Version: 3
(Message #0 targetURI=/1/onResult, responseURI=)
(Typed Object #0 'flex.messaging.messages.AcknowledgeMessage')
destination = null
headers = (Object #1)
DSId = "1069C887-F31E-9B3D-ACCD-9842910205CA"
correlationId = "4675F284-F969-EDC7-D178-F6C721BF5425"
messageId = "107C29D6-0E19-2819-2E4D-757AC1DC8E5F"
timestamp = 1.198141153774E12
clientId = "107C29D6-0E08-82C2-AFD9-D8867D66D83D"
timeToLive = 0.0
body = "success"
And in Flex, MessagingAgent's authenticated property is false.
I tried to trap the response from the server using the AcknowledgeMessage and AbstractService classes. From these objects I tried to get the body of the server response, and the body I get is null.
I am trying to find the answers to the following questions:
a) Where do we get the response of the setCredentials method in Flex, or where does Flex get the Principal object returned by the Java/server's doAuthentication function?
b) Even though the acknowledgement from the server reports the login as a success, why do the Flex AcknowledgeMessage and AbstractMessage classes report authentication as a failure?
Any pointer on this is really appreciated.
Thank you,
Parag
Posted by: Parag at December 24, 2007 12:38 PM
