views: 456
answers: 1

Has anyone that is using BlazeDS RemoteObject been able to retrieve the authenticated user roles through JBoss DatabaseLoginModule login policy?

I'm using BlazeDS 3.2.0 and JBoss 5.1. I can successfully authenticate, but users with unauthorized roles are still able to log in. I've changed the Realm in default/jbossweb.sar/server.xml to "strict" as shown below:

<Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm" certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" allRolesMode="strict" />

The same login module is being used in other web apps and it works just fine. In default/conf/login-config.xml I have:

<application-policy name="MyPolicy">
    <authentication>
        <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name = "dsJndiName">java:/DefaultDS</module-option>
            <module-option name = "principalsQuery">SELECT PASSWD FROM USERS WHERE USER_ID=?</module-option>
            <module-option name = "rolesQuery">SELECT ROLE_ID, 'Role' FROM ROLES WHERE USER_ID=?</module-option>
            <module-option name= "hashUserPassword">true</module-option>
            <module-option name= "hashAlgorithm">SHA-256</module-option>
            <module-option name= "hashEncoding">base64</module-option>
         </login-module>
     </authentication>
</application-policy>

Other details:

WEB-INF/jboss-web.xml

<jboss-web>
    <security-domain flushOnSessionInvalidation="false">java:/jaas/MyPolicy</security-domain> 
</jboss-web>

WEB-INF/context.xml

<Context>
    <Valve className="flex.messaging.security.TomcatValve" /> 
</Context>

WEB-INF/flex/services-config.xml

<security>
  <login-command class="flex.messaging.security.TomcatLoginCommand" server="JBoss">
     <per-client-authentication>false</per-client-authentication> 
  </login-command>
  <security-constraint id="custom-admin-access">
    <auth-method>Custom</auth-method> 
    <roles>
         <role>ADMIN</role> 
    </roles>
   </security-constraint>
</security>

WEB-INF/flex/remoting-config.xml

<destination id="MyRemoteService">
    <properties>
        <source>test.blazeds.MyRemoteService</source> 
        <scope>session</scope> 
    </properties>
    <security>
        <security-constraint ref="custom-admin-access" /> 
    </security>
</destination>

I know I could try to implement my own JDBC-based Tomcat Realm, but that's something I would like to avoid since JBoss also provides other login modules, such as LDAP, that I might come to use in the future.

Thanks, B.

A: 

I went ahead and downloaded the BlazeDS source code, and after some debugging I realized that it might have just been me and my expectations when it came to the login behavior. Still, I'm a little bit confused about it, and maybe someone can clarify the actual process for me, since the BlazeDS documentation does not explain it in a clear way.

My configuration is very simple: one AMF destination for RemoteObject usage and one security-constraint with the allowed roles. In this scenario I was expecting ChannelSet.login to fail if the user does not have the expected roles. Instead, the login succeeds, which, in my current design, allows the user to proceed.

After debugging I realized that the TomcatLoginCommand.isUserInRole method is only called after a RemoteObject method is called, but never during the ChannelSet.login command. To confirm it, I associated security-constraints with some methods of the destination (see below, as shown in the documentation). As expected, the RemoteObject method would not be called when logging in with a user that did not have the given roles, but all was good if the role was present.

<destination ...>
...
    <include-methods>
      <method name="fooMethod"/>
      <method name="barMethod" security-constraint="custom-admin-access"/>
    </include-methods>
...
</destination>

Based on this, my questions still are: Is this the intended behavior? Shouldn't ChannelSet.login fail immediately if the authenticated user does not participate in the allowed set of roles?

bmsantos
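The following is an added example, not code from the question, the answer or the BlazeDS project. It illustrates the behaviour described in the answer (the destination's security-constraint is only evaluated when a RemoteObject method is invoked, not during ChannelSet.login) by re-checking the ADMIN role inside the service class itself, so that every method is guarded even if a method is later left out of the include-methods list, and by exposing a cheap method the client can call right after login to find out whether the authenticated user actually holds the role. Assumptions: the class name test.blazeds.MyRemoteService matches the <source> in remoting-config.xml, the role name ADMIN matches the security-constraint, and the BlazeDS 3.x flex.messaging.FlexContext and MessageException APIs are available on the classpath.

```java
// Added example (not from the original post or the BlazeDS project).
// Assumption: this class is the <source> of the "MyRemoteService" destination.
package test.blazeds;

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;

import flex.messaging.FlexContext;
import flex.messaging.MessageException;

public class MyRemoteService {

    // Assumption: same role name as the custom-admin-access security-constraint.
    private static final String REQUIRED_ROLE = "ADMIN";

    /**
     * Returns true when the caller is authenticated (via ChannelSet.login)
     * AND holds the required role. ChannelSet.login alone only proves
     * authentication; the role check in this example happens here, at
     * method-call time, mirroring when BlazeDS itself evaluates the
     * destination's security-constraint.
     */
    public boolean hasRequiredRole() {
        Principal user = FlexContext.getUserPrincipal();
        HttpServletRequest request = FlexContext.getHttpRequest();
        return user != null
                && request != null
                && request.isUserInRole(REQUIRED_ROLE);
    }

    /**
     * Shared authorization gate. Throwing a MessageException makes the
     * call fail on the client side (FaultEvent) instead of returning data.
     */
    private void requireRole() {
        if (!hasRequiredRole()) {
            MessageException ex = new MessageException();
            ex.setCode("Server.Authorization");
            ex.setMessage("Role '" + REQUIRED_ROLE + "' is required");
            throw ex;
        }
    }

    /** Example business method: name of the authenticated principal. */
    public String whoAmI() {
        requireRole();
        return FlexContext.getUserPrincipal().getName();
    }

    /** Example business method: a second guarded operation. */
    public String adminOnlyOperation(String input) {
        requireRole();
        return "processed by admin: " + input;
    }
}
```

From the Flex client, calling hasRequiredRole() in the ChannelSet.login result handler gives the "fail fast" behaviour the question expected from login itself: authentication succeeds, but the client can immediately log the user out again when the method returns false. The security-constraint in remoting-config.xml remains the primary control; the in-method requireRole() call is defence in depth for methods that are not listed in include-methods.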