views:

88

answers:

1

I have a set of RESTful web services. These services are protected on a Glassfish server by OpenSSO. When I attempt to call the RESTful services directly from a browser, OpenSSO intercepts the request, then forwards the request to the REST service once the user's credentials are authenticated. OpenSSO utilizes a session cookie on subsequent requests (until the session is invalidated) . I'm sure this piece is working correctly.

We'd like to call these services from a Flex client. In order to enable PUT and DELETE operations, we set up BlazeDS to proxy the RESTful requests from the flex client to the REST service. When security to the RESTful services is disabled, this piece works great.

Now we're trying to secure the entire application. We've placed the Flex SWF into a war and deploy to Glassfish. We've placed security around this resource and when a user attempts to download the SWF (through an HTML link in the war), OpenSSO intercepts the request, then forwards to the application on successful authorization (just like it does for the RESTful web services).

The problem is - the RESTful calls made by the Flex application (via BlazeDS) are failing. OpenSSO seems to be intercepting these requests as well and again asking for the users credentials. It doesn't seem the authentication cookies are being passed to (or maybe by) the BlazeDS proxy.

How can I can access the cookies returned by the original SSO authorization request and have BlazeDS pass them along to the RESTful web service?

+1  A: 

Use firebug or any http proxy to check the following things -

  1. Are the blaze server and webserver on the same domain? If not, the browser will not send the cookies to blaze server.
  2. Are the two servers on the same server but different ports? Different ports are considered a violation of same origin policy by some browsers, and the cookie will not be sent to the server.
  3. What is the path set in the SSO cookie? If it is set to a specific path, the browser will not send the coookie to the blaze server.

If the browser is sending the SSO cookie, then you need to provide additional details about your SSO server before someone can help you.

sri