views: 70, answers: 2

Preferably something that integrates well with a Flex front end. Yes the Spring Security guys say this is possible, but all examples seem to use legacy jsp tag libraries making them half useless as examples. I don't want to spend a month setting up and learning how to use a security tool. I would like a tool which supports using annotations (@RolesAllowed etc), MINIMAL XML, and 'remember-me' features (not cookie based).

Apache Shiro seems to support Flex/Silverlight/Swing as well but I'd like to know if there are any other alternatives that are NOT container specific.

A: 

I don't see why Flex should authenticate anything, after all that is the client side. What's stopping someone from decompiling your flash/flex?

For most people Apache Shiro is overkill and they just roll their own. Which isn't the best idea to be honest. I have seen a lot of horrible authentication systems over the years. Cookies are meant to keep track of the session for the client, so why use anything else?

Edit: Use Spring Security for authentication.

Rook
I think you misunderstand, I don't want Flex itself authenticating anything (and swf hacking is exactly the reason I'm looking for real, server-side security). Its only involvement is the fact that remoting (RemoteObject) calls via Blaze or Granite DS are being used rather than simple form submission, which means that jsp tag examples aren't such good examples.
Crusader
Also I believe the Spring Security docs talk about an alternative to cookie-based persistence which is more secure (I forget what it's called but I believe it uses a database), and I don't feel cookies integrate very well with a Flex app. And one more thing - authentication isn't so hard (JAAS) but authorization seems to be more problematic.
Crusader
@Crusader you are a bit confused. It is an absolute requirement that you pass a session id to the web server in order to maintain session state. Whether that state is being kept by a Session Bean or using the database is irrelevant in terms of security. If this session id is leaked to the attacker through XSS or sniffing, then that account is compromised. This is why OWASP A3: broken authentication and session management requires the use of HTTPS throughout the entire session.
Rook
I think you're mixing up old-school web development with Rich Internet Application development. Regardless, this is far off topic and not answering the question at all.
Crusader
@Crusader - RIA is not much different from old-school development in terms of security. You still have to deal with http(s), and cookies are by far the most common way to authenticate/authorize users. You *can* pass the authentication token in the request instead of a cookie, but then you have to do a bit more work, and it's not adding anything to security. And *Cookies don't integrate well with a Flex app* is incorrect - you don't have to do anything to manage cookies. Server will set the cookie, browser will automatically send it with every request, and spring security will do the rest.
sri
@sri great info.
Rook
Ok I guess I 'mis-remembered' reading whatever it was in the Spring security docs about cookies, but I still think integrating Spring Security is ridiculously difficult. It took forever just to get basic authentication and authorization working (dependencies are a particularly nasty pain), without even having fancier features like 'remember me' enabled, or using a db to store users. The learning curve just still doesn't cut it. It shouldn't be so difficult.
Crusader
@Crusader if you want to make an omelet you have to break some eggs.
Rook
@The Rook I prefer Egg Beaters. =) Sorry though, there's just WAY too much configuration and too many dependencies using Spring security. How many megs of freakin bloated interdependent jar files does it take to create a simple CRUD app with some reasonable security? :/ I think Shiro's development philosophy is just hard to beat, so I'll have to go with that, enough with the "Spring sub-project" hype bandwagon. I'm not using anything just because it has the word Spring in front of it.
Crusader
@Crusader haha, i guess there is nothing wrong with that.
Rook
At the risk of looking like a salesman, I'd suggest checking out Shiro's mission statement and features sections on their webpage to get a feel for what their goals are. THAT is what I've been looking for in a security framework. I don't know if their goals are simply different from Spring Security's, or if they just achieve them better, but Shiro is different. It's great that someone finally "gets it" and is working on a tool with such goals in mind.
https://cwiki.apache.org/SHIRO/about.html
https://cwiki.apache.org/SHIRO/features.html
Crusader
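The comments above argue about Shiro's "annotations plus minimal config" style without showing it. The following is an added example written for this page, not code from the original post or from the Shiro project. It assumes Apache Shiro 1.x (shiro-core) on the classpath; the INI text, the users, the permission strings and the ProductService class are constructed for the demo (a real deployment reads shiro.ini from the classpath and lets ShiroFilter bind the Subject per request).

```java
// Added example, not code from the original post or the Shiro project.
// Assumption: Apache Shiro 1.x (shiro-core) on the classpath; the INI text below
// is constructed for the demo and would normally live in shiro.ini.
package example;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroRemotingExample {

    // Constructed config: two users, two roles, permissions as "resource:action" strings.
    private static final String INI =
        "[users]\n"
        + "alice = alice-pw, admin\n"
        + "bob = bob-pw, user\n"
        + "[roles]\n"
        + "admin = *\n"
        + "user = product:read\n";

    /** Service a Flex RemoteObject would call (hypothetical name). */
    public static class ProductService {
        // @RequiresPermissions is enforced only when Shiro's AOP interceptor proxies the
        // bean (shiro-spring or shiro-aspectj). The explicit checkPermission() call is the
        // programmatic equivalent and makes the rule hold in plain Java as well.
        @RequiresPermissions("product:delete")
        public void delete(String id) {
            SecurityUtils.getSubject().checkPermission("product:delete");
            System.out.println("deleted " + id);
        }

        @RequiresPermissions("product:read")
        public String list() {
            SecurityUtils.getSubject().checkPermission("product:read");
            return "widget, gadget";
        }
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        // IniSecurityManagerFactory is deprecated in later 1.x releases but still shipped.
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm); // in a webapp ShiroFilter does this per request

        ProductService service = new ProductService();

        login("bob", "wrong-pw");            // AuthenticationException, reported below
        login("bob", "bob-pw");
        System.out.println(service.list());  // user role has product:read
        try {
            service.delete("widget");        // bob lacks product:delete
        } catch (AuthorizationException e) {
            System.out.println("bob denied: " + e.getClass().getSimpleName());
        }
        SecurityUtils.getSubject().logout();

        login("alice", "alice-pw");
        service.delete("widget");            // admin role has "*"
        SecurityUtils.getSubject().logout();
    }

    private static void login(String user, String pw) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, pw.toCharArray()));
            System.out.println("logged in " + subject.getPrincipal());
        } catch (AuthenticationException e) {
            System.out.println("login failed for " + user + ": " + e.getClass().getSimpleName());
        }
    }
}
```

The point a practitioner should take from this: the annotation alone is documentation until an interceptor enforces it, and the authorization decision lives entirely on the server, which is what the question is after. In a war the same INI goes into shiro.ini with a `[urls]` section, and the remoting endpoint (for example `/messagebroker/** = authc`) is guarded by ShiroFilter; passwords in the `[users]` section should be hashed via a credentials matcher rather than stored in clear as in this demo.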
+1  A: 

Spring Security is by far the best tool out there.

BlazeDS is no magic. It is ultimately just a call to the server over HTTP. The Blaze application is just a war file, and has traditional urls. So, to protect the services, you have to protect the urls in your web.xml / spring configuration files.

Essentially, read the documentation of Spring Security/JAAS, and substitute the jsps with the urls of your blaze services.

Spring Security also has support for Roles and authorization. It also has a remember-me functionality, but that absolutely uses cookies. You cannot have a remember-me functionality without cookies.

Regarding authentication, it is possible to pass the authentication token as a request parameter instead of a cookie. But cookies are recommended, and are a lot easier to get right.

And finally, security is pointless without using https. You absolutely must use https throughout your application if you care about security.

sri
I don't understand why everyone says Spring Security is so great (or that Shiro is "overkill") when Spring Security has a massive list of dependencies and a steep learning curve. Shiro's goal is to be the 'easiest to use', has almost NO dependencies and jar hell, and very little configuration. Contrasted with the Spring xml fetish I just don't understand how someone could say Shiro is overkill. If anything Spring Security probably has more features, but is much more bloated too. It sounds like these two are the only alternatives out there...
Crusader
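The answer above says to "substitute the jsps with the urls of your blaze services" and to add roles, remember-me and HTTPS, but shows no configuration. What follows is an added example for this page, not code from the original answer, Spring Security, BlazeDS or Spring BlazeDS Integration. It assumes Spring Security 5.x Java config, Spring BlazeDS Integration's `@RemotingDestination` for exporting a Spring bean, and BlazeDS's MessageBrokerServlet mapped at `/messagebroker/*`; the users, roles, the remember-me key and the ProductService bean are constructed for the demo.

```java
// Added example, not code from the original answer, Spring Security or BlazeDS.
// Assumptions: Spring Security 5.x Java config, Spring BlazeDS Integration for
// @RemotingDestination, and MessageBrokerServlet mapped at /messagebroker/*.
// Both classes are shown in one file for brevity; they would normally be separate.
package example;

import java.util.Arrays;
import java.util.List;

import javax.annotation.security.RolesAllowed;

import org.springframework.context.annotation.Configuration;
import org.springframework.flex.remoting.RemotingDestination;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

/** URL-level rules: the AMF endpoint is just a URL, so it gets intercept rules like a JSP would. */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true) // enforce @RolesAllowed on Spring beans
public class RemotingSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // 1. HTTPS for every request: the session cookie rides on each AMF call.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            // 2. The swf and its host page are public; AMF traffic needs a login;
            //    everything else is closed by default.
            .authorizeRequests()
                .antMatchers("/", "/*.html", "/*.swf").permitAll()
                .antMatchers("/messagebroker/**").hasRole("USER")
                .anyRequest().denyAll()
            .and()
            // 3. Credentials arrive via HTTP Basic; after that the session cookie is used.
            .httpBasic()
            .and()
            // 4. Remember-me is a persistent cookie (issued when the login request carries
            //    the remember-me parameter); there is no cookieless variant, as the answer says.
            .rememberMe()
                .key("replace-with-a-long-random-secret") // constructed placeholder
                .tokenValiditySeconds(14 * 24 * 3600);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed demo users; a real app would point at a UserDetailsService.
        auth.inMemoryAuthentication()
            .withUser("alice").password("{noop}alice-pw").roles("USER", "ADMIN")
            .and()
            .withUser("bob").password("{noop}bob-pw").roles("USER");
    }
}

/** Method-level rules on the remoting destination itself (hypothetical service). */
@Service
@RemotingDestination("productService") // destination id the Flex RemoteObject points at
class ProductService {

    @RolesAllowed("ROLE_USER")
    public List<String> list() {
        return Arrays.asList("widget", "gadget");
    }

    @RolesAllowed("ROLE_ADMIN") // bob (ROLE_USER only) gets an AccessDeniedException here
    public void delete(String id) {
        // delete from the store
    }
}
```

Two caveats worth checking in a real deployment. First, `@RolesAllowed` is enforced by a proxy around the Spring bean, so it only applies when the bean itself is what BlazeDS invokes (as with `@RemotingDestination`); a plain remoting-config.xml destination whose `source` is a class name is instantiated by BlazeDS directly, bypasses the proxy, and is then protected only by the `/messagebroker/**` URL rule. Second, Spring Security 4 and later enable CSRF protection by default, and BlazeDS posts AMF without a CSRF token, so the Flex client has to relay the token (for example in a header) or the CSRF rule has to be scoped; do not simply disable it, since the session cookie that authenticates AMF calls is exactly what CSRF abuses.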