BlazeDS FlexContext FlexClient ID Security

I need to find out whether the identifier returned by the function call FlexContext.getFlexClient().getId(); is a secure identifier. As I understand it, each Flash/Flex client (Player) is assigned the Client ID upon first connection (I tested this from the same browser in different tabs and a different Client ID is given to each player).
I have also been told that this Client ID may or may not be directly related to the IP address and the MAC address of the PC that originally connected to the server.
The use case for this is the following...
The User enters login details into a login form.
Those login details are passed through a SecureAMF Channel (over https) to the BlazeDS server.
The details are verified against the database, and upon successful authentication the user is assigned a session token.
The session token is not delivered back to the flex client, but is instead held server side.
What we then do is, upon receiving any function call from the flex client, we get the unique client id from FlexContext.getFlexClient().getId(); and look this identifier up to see if there is a session token associated with it. If there is, then the server knows that the user is authenticated; after that the server does permission checks to see if the user has access rights to use that particular function call.
Now this whole process only works if the Client ID is absolutely secure, i.e. there is no way possible to spoof or steal the ID in any way and use it from another flex client.  Unfortunately, I have not had any success whatsoever searching the internet for any information related to the client id and how it's generated.
The other alternative, which is slightly unappealing, would be to pass the session token from the flex client to the BlazeDS server on every RemoteObject function call.  I believe it's also possible to store the session token in the FlexContext itself, but again there is no documentation on the security of these solutions.
If anyone has any knowledge at all about this I would be very grateful.
Is the Client ID delivered to the Flex Client (Flash Player or Air App) through a secure HTTPS or encrypted channel so that no one can possibly steal the id?

Well this certainly makes things difficult, is there no one out there at all that can tell me if the ClientID is secure?
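The second alternative from the question (hold the authenticated state in the FlexContext, i.e. the server-side FlexSession, instead of looking it up by the FlexClient id), written out as an added example; this is not code from the original post or from BlazeDS. It assumes a remoting destination wired to this class and a constructed stand-in `verifyAgainstDatabase` lookup; `FlexContext.getFlexSession()`, `FlexSession.getAttribute`/`setAttribute`/`invalidate` and `MessageException` are BlazeDS API.

```java
// Added example (not from the post): authentication state kept in the server-side
// FlexSession, which BlazeDS associates with the container HttpSession, rather than
// keyed on the FlexClient id. As Alex explains further down this page, the FlexClient
// id is created by the server, returned to the client, and then sent back by the client
// on every later request, so the server should treat it as a client label for logging
// and correlation, not as proof of who is calling.
package example.auth; // hypothetical package

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import flex.messaging.FlexContext;
import flex.messaging.FlexSession;
import flex.messaging.MessageException;

public class SessionAuthService {

    // Session attribute names (hypothetical; any unique strings would do).
    private static final String ATTR_USER  = "auth.user";
    private static final String ATTR_ROLES = "auth.roles";

    /** Called over the SecureAMF channel with the contents of the login form. */
    public boolean login(String username, String password) {
        Set<String> roles = verifyAgainstDatabase(username, password);
        if (roles == null) {
            return false;                         // nothing is stored on failure
        }
        FlexSession session = currentSession();
        session.setAttribute(ATTR_USER, username);
        session.setAttribute(ATTR_ROLES, Collections.unmodifiableSet(roles));
        return true;
    }

    /** Drops the server-side state so later calls on this session are rejected. */
    public void logout() {
        FlexSession session = FlexContext.getFlexSession();
        if (session != null) {
            session.invalidate();
        }
    }

    /** Example protected operation: needs an authenticated session holding the "admin" role. */
    public String clearCache() {
        requireRole("admin");
        // ... the real work would go here ...
        return "cache cleared by " + currentUser();
    }

    /** The FlexClient id, exposed only so it can be logged next to the session user. */
    public String currentClientId() {
        return FlexContext.getFlexClient().getId();
    }

    // ---- helpers ---------------------------------------------------------------

    private static FlexSession currentSession() {
        FlexSession session = FlexContext.getFlexSession();
        if (session == null) {
            throw new MessageException("No FlexSession for this request");
        }
        return session;
    }

    private static String currentUser() {
        Object user = currentSession().getAttribute(ATTR_USER);
        if (user == null) {
            throw new MessageException("Not authenticated");
        }
        return (String) user;
    }

    @SuppressWarnings("unchecked")
    private static void requireRole(String role) {
        currentUser();                            // authentication check comes first
        Object roles = currentSession().getAttribute(ATTR_ROLES);
        if (!(roles instanceof Set) || !((Set<String>) roles).contains(role)) {
            throw new MessageException("Missing role: " + role);
        }
    }

    /**
     * Constructed stand-in for the database check the question describes (hypothetical).
     * Returns the user's roles on success and null on failure; a real implementation
     * would compare a password hash rather than a literal.
     */
    private static Set<String> verifyAgainstDatabase(String username, String password) {
        if ("alice".equals(username) && "correct-horse-battery".equals(password)) {
            return new HashSet<String>(Collections.singleton("admin"));
        }
        return null;
    }
}
```

Because the check reads the FlexSession rather than a map keyed by FlexClient id, a request that merely presents a copied id but arrives on a different container session finds no user and is rejected by the MessageException.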

Similar Messages

  • BlazeDS amf-polling on secure channel

I tried using blazeDS amf-polling via https, and it doesn't work. amf (remote object) works through the secure channel, but amf-polling does not. Is there a way to make amf-polling work on https?

    Hi,
    Here's my scenario.
On click of a button, I'm making a remote call (secure-amf) which gives me a status code [the secure-amf works as expected].
Based on this status code, I'm polling to get a value. The polling happens on the secure channel.
    The polling however doesn't happen. I see the error "(ERROR_INTERNET_UNABLE_TO_CACHE_FILE)" in IEWatch.
    I can see that there are no logs from the polling class. Any help on this would be appreciated.
    Here's my code;
    consumer = new Consumer();
    producer = new Producer();
    url = ExternalInterface.call("window.location.href.toString");
    isSecure = URLUtil.isHttpsURL(url);
    var channelSet:ChannelSet = null;
    if (isSecure)
    {
        // build a polling SecureAMFChannel pointing at the amfsecurepoll endpoint
        channelSet = new ChannelSet();
        var httpsChannel:SecureAMFChannel = new SecureAMFChannel("secure-amf-poll", hostUrl + "/" + getContextRoot(applicationUrl) + "/messagebroker/amfsecurepoll");
        httpsChannel.pollingEnabled = true;
        httpsChannel.pollingInterval = 1000;
        channelSet.addChannel(httpsChannel);
    }
    // when the page is not https, channelSet stays null and the default channels apply
    consumer.channelSet = channelSet;
    producer.channelSet = channelSet;
    consumer.destination = "myDestination";
    producer.destination = "myDestination";
    consumer.addEventListener(MessageEvent.MESSAGE, messageHandler);
    consumer.addEventListener(MessageFaultEvent.FAULT, faultHandler);
    consumer.subscribe();
    in messaging-config.xml I've the following entries;
    <adapters>
        <adapter-definition id="ReportExecutionStatusAdapter" class="com.xyz.parameterservice.adapter.impl.FlexMessagingAdapter"/>
    </adapters>
    <destination id="myDestination">
        <adapter ref="ReportExecutionStatusAdapter"/>
        <properties>
            <server>
                <message-time-to-live>0</message-time-to-live>
            </server>
        </properties>
        <channels>
            <channel ref="secure-amf-poll"/>
            <channel ref="my-amf-poll"/>
        </channels>
    </destination>
    Any help is greatly appreciated.
    Thanks
    Abdul

  • BlazeDS: Having issues in secured WebSphere 6.0 environment

    I have a BlazeDS package that I verified works in Tomcat, WebSphere and over SSL.  When I deploy to our target, secured environment (WebSphere 6, Tivoli Access Manager, ...), it blows up with the following error:

    [9/11/08 17:55:17:004 GMT+00:00] 0000002f ServletWrappe E   SRVE0014E: Uncaught service() exception root cause MessageBrokerServlet: Response already committed.
    [9/11/08 17:55:17:036 GMT+00:00] 0000002f LocalTranCoor E   WLTC0017E: Resources rolled back due to setRollbackOnly() being called.
    [9/11/08 17:55:17:053 GMT+00:00] 0000002f WebApp        E   SRVE0026E: [Servlet Error]-[MessageBrokerServlet]: java.lang.IllegalStateException: Response already committed.
         at com.ibm.ws.webcontainer.webapp.WebAppDispatcherContext.sendError(WebAppDispatcherContext.java:574)
         at com.ibm.ws.webcontainer.srt.SRTServletResponse.sendError(SRTServletResponse.java:868)
         at com.ibm.ws.webcontainer.srt.SRTServletResponse.sendError(SRTServletResponse.java:851)
         at flex.messaging.MessageBrokerServlet.service(MessageBrokerServlet.java:393)

    Looking at line 393 in MessageBrokerServlet, it is trying to send an error back as follows: res.sendError(HttpServletResponse.SC_FORBIDDEN);.  This is part of an else block that is called only if endpoint is null.

    Very odd, as the exact same code package with the same endpoint and channel definition works in the other environments I mentioned.  The only difference is this environment is secured via SSL (which I tried locally without a problem) and Tivoli Access Manager.  Since the request is getting to the logs, it doesn't appear to be a Tivoli issue, as if anything was wrong with the request it would never get to the server.

    That leaves WebSphere?  Below are the pertinent definitions from my Java service.
    Any help is greatly appreciated.

    service-config.xml

    <channels>
        <channel-definition id="comment-amf"
            class="mx.messaging.channels.SecureAMFChannel">
            <endpoint
                url="https://<url-removed-from-post>/amvcmnt/comment-service/messagebroker/amfsecure"
                class="flex.messaging.endpoints.SecureAMFEndpoint" />
            <properties>
                <polling-enabled>false</polling-enabled>
                <!--HTTPS requests on some browsers do not work when pragma "no-cache" are set-->
                <add-no-cache-headers>false</add-no-cache-headers>
                <!-- Optional. Use this to limit the client channel's connect attempt
                     to the specified time interval.
                <connect-timeout-seconds>5</connect-timeout-seconds>
                -->
                <!--  removes headers from request if true -->
                <serialization>
                    <enable-small-messages>false</enable-small-messages>
                </serialization>
            </properties>
        </channel-definition>
    </channels>

    remote-config.xml

    <adapters>
        <adapter-definition id="java-object"
            class="flex.messaging.services.remoting.adapters.JavaAdapter"
            default="true" />
    </adapters>
    <default-channels>
        <channel ref="comment-amf" />
    </default-channels>
    <destination id="CommentService">
        <properties>
            <factory>spring</factory>
            <source>commentService</source>
        </properties>
    </destination>

    <destination id="SecuredCommentService">
        <properties>
            <factory>spring</factory>
            <source>securedCommentService</source>
        </properties>
    </destination>
    <destination id="EntitlementService">
        <properties>
            <factory>spring</factory>
            <source>entitlementService</source>
        </properties>
    </destination>

    Hi,
    I am facing exactly the same issue. My application works fine on local and dev. However, when I deploy it on QA, where TAM and clustering are in the picture, it throws a connection failed error. Can you please help me on how to solve this issue.
    Regards,
    Sachin Patil.
    [email protected]

  • [svn:bz-trunk] 20753: * Fixed non UTF8 compliant char in EndpointPushNotifier.java

    Revision: 20753
    Author:   [email protected]
    Date:     2011-03-10 02:40:52 -0800 (Thu, 10 Mar 2011)
    Log Message:
    Fixed non UTF8 compliant char in EndpointPushNotifier.java
    Added tomcat7 support to the maven build of blazeds opt (to support security/Tomcat7Valve.java)
    tested the build with maven3
    Modified Paths:
        blazeds/trunk/modules/core/src/flex/messaging/client/EndpointPushNotifier.java
        blazeds/trunk/modules/opt/pom.xml
        blazeds/trunk/modules/opt/poms/tomcat4/pom.xml
        blazeds/trunk/modules/opt/poms/tomcat6/pom.xml
        blazeds/trunk/modules/pom.xml
    Added Paths:
        blazeds/trunk/modules/opt/poms/tomcat7/
        blazeds/trunk/modules/opt/poms/tomcat7/pom.xml
    Property Changed:
        blazeds/trunk/modules/
        blazeds/trunk/modules/common/src/
        blazeds/trunk/modules/core/src/
        blazeds/trunk/modules/remoting/src/

  • Blazeds security

    So I have a problem that has been bothering me for a few weeks now. My backstory is a Flex front end that connects to a java backend located on the same server.  It is running on a tomcat server.  When you are inside the firewall everything runs fine in firefox but crashes in IE.  When outside the firewall you can reach the swf but get back a very long server 500 error.  This is my remote object:
    <mx:RemoteObject id="ldapConnect" destination="ldapService" showBusyCursor="true"
            endpoint="https://servername/blazeds/messagebroker/amf">
            <mx:method name="getAllUsersXML" result="getAllUsers(event)" />
            <mx:method name="clearCache"/>
        </mx:RemoteObject>
    this is part of my services-config.xml file
    <!-- Servlet Based endpoints -->
            <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <polling-enabled>false</polling-enabled>
                </properties>
            </channel-definition>
            <channel-definition id="my-polling-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amfpolling" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <polling-enabled>true</polling-enabled>
                    <polling-interval-seconds>8</polling-interval-seconds>
                </properties>
            </channel-definition>
            <channel-definition id="my-http" class="mx.messaging.channels.HTTPChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/http" class="flex.messaging.endpoints.HTTPEndpoint"/>
            </channel-definition>
            <!-- Secure Servlet-based endpoints -->
            <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
                <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <!--HTTPS requests on some browsers do not work when pragma "no-cache" are set-->
                    <add-no-cache-headers>false</add-no-cache-headers>
                </properties>
            </channel-definition>
            <channel-definition id="my-secure-http" class="mx.messaging.channels.SecureHTTPChannel">
                <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure" class="flex.messaging.endpoints.SecureHTTPEndpoint"/>
                <properties>
                    <!--HTTPS requests on some browsers do not work when pragma "no-cache" are set-->
                    <add-no-cache-headers>false</add-no-cache-headers>
                </properties>
            </channel-definition>

    Hi kloysen.  It looks like you are simply referring to the wrong endpoint.  You are using https, but the rest of the url is to the non-secure (i.e. http) endpoint.  You should probably add 'secure' to the url to match your secure config, or change https to http.  See if that helps.
    <mx:RemoteObject id="ldapConnect" destination="ldapService" showBusyCursor="true"
            endpoint="https://servername/blazeds/messagebroker/amfsecure">
            <mx:method name="getAllUsersXML" result="getAllUsers(event)" />
            <mx:method name="clearCache"/>
        </mx:RemoteObject>

  • BlazeDS/Security/Spring/NonBlazeDS/NonSpring/Confusion Oh My

    I'm new to Flex (coming over from the pure JEE world.) One of the first things that is needed for any application is security authentication/authorization. I've been extremely disappointed, though, in the lack of good examples with best practices on how to handle this, or if there is a book that covers it well let me know and I'll purchase it.
    I'm working with BlazeDS at the moment (but not opposed to scrapping it.)
    I have managed to finally get a security setup using blazeds-spring integration working, but their forum is a ghost town so it makes me think that there aren't many people using it. The docs are also extremely vague. Had it not been for some stuff that I was able to pull from these two tutorials by the same author http://www.adobe.com/devnet/flex/articles/flex_security.html#ach-setscr  http://www.gridshore.nl/2009/05/24/integrate-flex-security-in-mate-using-the-spring-blazeds-integration-project/ I would have been completely lost. Even though it's 'mostly' working, so much is unknown to me, and because the reference doc http://static.springsource.org/spring-flex/docs/1.0.x/reference/html/index.html is so short it doesn't cover a lot of what is going on.
    I'm not even 100% certain I want to use Spring though (It seems to actually black-box too much and in some ways overcomplicate things with a lot of configuration), yet I want my application be portable across containers. Where are the examples on the best way to set things up? The blazeds reference doc chapter seems to gloss over a lot, and only confuses me a bit more. I'd like to see some real examples.
    As an example of some things that I'd like to see:
    1) When not using Spring security, where is a concrete implementation of handling authentication and authorization (with/without blazeDS - I just want a good best practice example of how things are handled)?
    2) How are people dealing with session time outs? (user clicking around in application and then they happen to make a server call but their session is gone. Do you simply poll every few minutes to keep the session alive?)
    3) Are people putting a filter up before the blazeDS filter to check that the user's session is valid? If the session isn't valid and you've set up a filter, what happens on the flex side of things if the filter finds an invalid session? It can only redirect or forward, so how does it trigger the client flex app that it needs to invalidate its internal storage of an authenticated user and hence needs to redisplay the login page. I know how to set things up in a traditional java web app, but I'm a bit stumped here... I only have one main "FooBar.swf" file, so when the session filter realizes the user's session timed out where do I "go" - can I somehow just redirect to the same main page "FooBar.swf" and somehow Flex can be aware that "Hey ok some event happened so I need to invalidate my flex user and present the login page (login component)"
    Thanks for any suggestions/help on what to look at for best practices.

    Hi,
    Did you get any ideas on this one? As a newcomer to Flex/BlazeDS I'd like to hear those.
    I'll add my thoughts to the discussion you started.
    2) How are people dealing with session time outs? (user clicking around in application and then they happen to make a server call but their session is gone. Do you simply poll every few minutes to keep the session alive?)
    I check the session in a filter for each request. If there's no valid session, the filter sends a response message to the flex app, which shows it as an Alert message. I'm not (yet) using blaze, but I don't see why it wouldn't work.
    If you want, you can configure the session timeout in the web.xml of your web app, so no need to poll. It would be nice to get an asynchronous event from the server side when the session times out. This requires using the pub/sub method of blaze or java messaging on a servlet.
    The web.xml of the blazeDS samples has the following lines
    <!-- Http Flex Session attribute and binding listener support -->
        <listener>
            <listener-class>flex.messaging.HttpFlexSession</listener-class>
        </listener>
    To me this indicates that you can define a listener for the session somehow. It would be nice to know more about this.
    3) Are people putting a filter up before the blazeDS filter to check that the user's session is valid? If the session isn't valid and you've set up a filter, what happens on the flex side of things if the filter finds an invalid session? It can only redirect or forward, so how does it trigger the client flex app that it needs to invalidate its internal storage of an authenticated user and hence needs to redisplay the login page. I know how to set things up in a traditional java web app, but I'm a bit stumped here... I only have one main "FooBar.swf" file, so when the session filter realizes the user's session timed out where do I "go" - can I somehow just redirect to the same main page "FooBar.swf" and somehow Flex can be aware that "Hey ok some event happened so I need to invalidate my flex user and present the login page (login component)"
    Why not just have different swfs? When the session is not valid, redirect to login.html (a wrapper for the login component).
    If I have understood correctly, Flex uses the HTTP GET method to communicate with the browser. So it might be possible to send parameters to the app after the filter. Also, using JavaScript and ExternalInterface might be helpful here.

  • BlazeDS security with Jetty?

    Hello everyone, I have BlazeDS 3.2 set up on Jetty 7.0.1. I'm looking to secure my channel for producers. Has anyone done this with Jetty? Does it use the same methodology as Tomcat?
    I managed to get security applied for producers on a channel, but it would pull up a browser security authentication dialog box when the Flex app attempts to send a message with the producer. When I try to set up the Flex client to transmit the credentials, the send fails.
    Has anyone gotten the security working with Jetty so that their app itself can transmit the credentials?
    Thanks,
    josh

    Try changing the network name.
    Often when you enable encryption or change the encryption type without changing the network name, the Mac gets confused when automatically trying to connect. Apparently there are some remnants of the old setting lingering, causing confusion.

  • Blazeds + Spring security: fetch data based on current user

    Hi,
    I'm currently learning flex by trying to build an application with
    flex, blazeds and Spring. My application lets users log on using
    spring security (which I will probably combine with
    AcegiLogonCommand). I would like my assemblers to return different
    data based on which user is currently logged on (for instance to show
    that specific user's to-do list). To do this, I added a userId
    property to my spring security principals (by subclassing
    org.springframework.security.userdetails.User)
    and added user_id columns to user-specific data in the database. Now
    I would like to know how I can get the currently logged on user in my
    assembler so I can use its userId to fetch the user's data.
    Is the assembler the right place to decide which data to send to my
    flex application? If so, can anyone tell me how to determine which
    user is currently logged on in my assembler? If not, what would be the
    recommended way of dealing with user-specific data in my database in
    combination with blazeds?
    The only examples I have been able to find on the Internet so far only
    use different roles to determine what a user is or is not allowed to
    do, I have yet to find any examples where users store and retrieve
    user-specific data.
    Kind regards,
    Jeroen

    Hi,
    There is a field “Target Audience” in a list whenever “Target Audience” is enabled in “List Settings”; it accepts the name of a SharePoint group.
    For your requirement, you will need to get the name of the group which the current user belongs to. Then perform a query in a specific list to get all the items that
    contains the specific value in “Target Audience” field.
    Here is a code snippet about how to set Target Audience for an item, there are code lines about
    how to get the value of a “Target Audience” field:
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/a3ac41d8-42e9-4ec7-999f-036c4b06d3e2/programatically-set-target-audience-in-list-item
    A method about checking whether the current user is a member of the specified group:
    http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spweb.iscurrentusermemberofgroup.aspx
    Best regards,
    Patrick
    Patrick Liang
    TechNet Community Support

  • BlazeDS Secure-amf (https) still uses amf (http)

    Hello,
    BlazeDS works perfectly, but when I bring my services-config, proxy-config and remoting-config to Secure then I get the following error:
    500 Internal Server Error. BlazeDS is still trying to connect to: http://<servername>:<port>/blazeds/messagebroker/amf
    But I removed every amf-channel using amf! Why is BlazeDS still trying to connect on the amf channel?? (HTTP).
    My channel definitions are:
    -- services-config.xml --
    <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
        <endpoint url="https://<servername>:<portssl>/blazeds/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
        <properties>
            <add-no-cache-headers>false</add-no-cache-headers>
        </properties>
    </channel-definition>
    -- remoting-config.xml --
    <default-channels>
        <channel ref="my-secure-amf"></channel>
    </default-channels>

    I have already found the problem. When you want to use amf-secure instead of amf, beware that you disable all amf configurations. Otherwise blazeds will try to connect with http instead of https. This will give overhead.

  • [svn:bz-trunk] 5137: Fix failing security tests on BlazeDS/ trunk by using a remote object to invalidate the FlexSession at the end of each test method which should cause each test method to run with a new /clean session.

    Revision: 5137
    Author: [email protected]
    Date: 2009-03-02 10:28:59 -0800 (Mon, 02 Mar 2009)
    Log Message:
    Fix failing security tests on BlazeDS/trunk by using a remote object to invalidate the FlexSession at the end of each test method which should cause each test method to run with a new/clean session. It looks like some test methods were leaving some things in a bad state which was causing the next test that ran to fail. These may be legitimate bugs/issues so we should investigate further to see what sequence of events gets things into a bad state but for these tests we want all of the test methods to run in isolation.
    Modified Paths:
    blazeds/trunk/qa/apps/qa-manual/WEB-INF/flex/services-config.mods.xml
    blazeds/trunk/qa/apps/qa-regress/WEB-INF/flex/remoting-config.mods.xml
    blazeds/trunk/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/streaming-amf/JMSAuthSendSubscribeConstraintTest.mxml
    blazeds/trunk/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/streaming-amf/MessagingAuthProSendTest.mxml
    blazeds/trunk/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/streaming-http/JMSAuthSendSubscribeConstraintTest.mxml
    blazeds/trunk/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/streaming-http/MessagingAuthProSendTest.mxml
    Added Paths:
    blazeds/trunk/qa/apps/qa-regress/WEB-INF/src/qa/messaging/SessionManager.java

    In general theory, one now has the Edit button for their posts, until someone/anyone Replies to it. I've had Edit available for weeks, as opposed to the old forum's ~ 30 mins.
    That, however, is in theory. I've posted, and immediately seen something that needed editing, only to find NO Replies, yet the Edit button is no longer available, only seconds later. Still, in that same thread, I'd have the Edit button from older posts, to which there had also been no Replies even after several days/weeks. Found one that had to be over a month old, and Edit was still there.
    Do not know the why/how of this behavior. At first, I thought that maybe there WAS a Reply, that "ate" my Edit button, but had not Refreshed on my screen. Refresh still showed no Replies, just no Edit either. In those cases, I just Reply and mention the [Edit].
    Also, it seems that the buttons get very scrambled at times, and Refresh does not always clear that up. I end up clicking where I "think" the right button should be and hope for the best. Seems that when the buttons do bunch up they can appear at random around the page, often three atop one another, and maybe one way the heck out in left-field.
    While I'm on a role, it would be nice to be able to switch between Flattened and Threaded Views on the fly. Each has a use, and having to go to Options and then come back down to the thread is a very slow process. Jive is probably incapable of this, but I can dream.
    Hunt

  • [svn:bz-3.x] 5036: Bug: BLZ-347 - Secure amf polling channel not working correctly on IE in BlazeDS /3.x branch.

    Revision: 5036
    Author: [email protected]
    Date: 2009-02-23 06:24:31 -0800 (Mon, 23 Feb 2009)
    Log Message:
    Bug: BLZ-347 - Secure amf polling channel not working correctly on IE in BlazeDS/3.x branch.
    QA: Yes
    Doc: No
    Checkintests: Pass
    Details: This is BlazeDS part of the fix. For MSIE over HTTPS, we need to add additional Cache-Control headers.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/BLZ-347
    Modified Paths:
    blazeds/branches/3.x/modules/core/src/java/flex/messaging/endpoints/AbstractEndpoint.java


  • Problem in Blazeds with Jboss Clustering ( Mod_JK with SSL )

    Hi,
         We are running our flex application in jboss clustering environment with the help of Apache mod_jk(Apache Web server as front end with mod_ssl enabled). We are using the SecureAMFChannel as we deploy the application in SSL. We use the RemoteObject for communicating with Java.
    The Application is running fine when we have only one node of JBoss. But once we add one more node to the cluster the application throws the following exception .
    Duplicate HTTP-based FlexSession error: A request for FlexClient 'FDCA49A7-9317-4D8A-881F-9248B1136E7A' arrived over a new FlexSession 'C9C563B8266A03C2207C00796CD7DFF1', but FlexClient is already associated with  FlexSession '8A328320F5C530D55E94568996A1B552', therefore it cannot be associated with the new session.
    As I am maintaining the session in the server, I need to use the JBoss cluster for session replication. I heard that flex clustering is not needed as we have mod_jk and it will do all the stuff for us.
    I checked with simple application without any session data also then too I faced the same problem.
    After the very first login, I can see 2 sessions created simultaneously and destroyed. I checked whether the application calls twice before the session is created, but it is calling only once.
    Also, when the application connects with server2 and I take server2 down, my flex application throws the error that the server is not found; it is not detecting the other server. But it works once I refresh the browser.
    Application Environment Details
    JBoss 6
    Blaze Ds 4.5
    Apache Web server 2.2.21
    Mod_JK   1.2.32
    Mod_SSL 2.8.31
    Thanks,
    Suresh T
    I enabled the sticky session in Mod_jk.
    It is working when the connection is not secure (http) in both the apache web server and the jboss web server. But when the connection is https the above problem is happening.

    Hi,
     Thanks for your info.
      It worked for me as well.
    Thanks,
    Prasad
    On 6/26/08, Matthieu Labour <[email protected]> wrote:
    You might want to download the following tutorial
    http://sebastien-arbogast.com/2008/04/10/flex-spring-and-blazeds-the-full-stack/
    it works on jboss
    Best
    Matt

  • Obtaining FlexClient object in a filter

    Hi there,
    we have a special login routine which runs in a servlet filter above the blazeds Servlet. RPC calls are made via Remote Objects. We would like to switch to per client authentication but in the filter we do not have access to the client id of the Flex client that performed the request. Does anyone know how we can access the id of the client in a filter - that is before the amf message is processed by blazeds?
    Any hint or help is very much appreciated.
    Regards
    Leo

    Hi Leo. I think that FlexContext.getFlexClient().getId() in the BlazeDS Java API will give you the id of the FlexClient but that's assuming the FlexClient has already been created.
    The FlexClient gets created on the server. I believe the Flex client sends an initial ping request to the server with a "nil" FlexClient id and then the server creates a new FlexClient and returns the id back to the client.
    When the Flex client makes subsequent requests to the server, for example to call a remoting destination, it sends this FlexClient id.
    Now, I think that BlazeDS does authentication at the destination level so that initial ping request should go through unchallenged but if you have your own special login routine and you are not letting this initial ping request go through you might run into problems.
    I don't think there will be any way to get the FlexClient id if the FlexClient hasn't been created but if it has been created I think you should be able to use the code I mentioned above.
    Hope that helps.
    -Alex

  • Oracle Coherence*Web and BlazeDS: Multiple FlexSessions created for the same HttpSession

    Hi all,
    I have searched this forum and found a lot of good information from Alex Glosband and others about the infamous "Detected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly." message.
    It seems, however, none of the cases are identical to ours. This is ours:
    - Resin 3.1.9
    - Oracle Coherence 3.7.1 with Coherence*Web (session replication)
    With this setup we get the "Detected duplicate HTTP..." message on the first attempt to use BlazeDS and on every subsequent call. The same client and server code works fine in a local sessions setup. With Coherence 3.3 (currently our production environment) it seems to occur less frequently, but still frequently enough that it is a major issue for us. It fails even with a single node using in-process distributed caching in our test setup (as well as with multi-node out-of-process caching in our staging environment; for those familiar with Coherence, the Resin app server runs with tangosol.coherence.session.localstorage=true in the first case and false in the second).
    Both the listener and message broker are mapped as "Coherence aware" in web.xml[1] so that they should use clustered sessions.
    We have been digging a bit and we found out that if we commented out lines 427 and 434 of flex.messaging.endpoints.BaseHTTPEndpoint from version 4.0.0.14931 it seems to mask the bug.  We added some logging in the setupFlexClient method and it seems that we get more or less a new FlexSession for each and every call - but they have the same cookie and thus underlying HttpSession. I.e. the list returned from flexClient.getFlexSessions() keeps growing. Thus we are not so keen on going to production with that memory leak and the above mentioned ugly hack of commenting out the detection of duplicates.
    We use request scope for the remote object, but could in theory use any scope as we do not really have any state on the object itself, it is all HttpSession state and return values that are key (logon is performed prior to doing the first blaze call, in pure forms and ajax, and it is not a timing issue in that regard we are seeing).
    Hope someone can shed some light on what can be happening. Is there any "reference testing"[2] or something when the FlexSessions are created that makes them being created as new? Where are they created?  We do not know the inner workings of the BlazeDS source, we just watched the call trace of the unwanted invalidation and found that to be line 427 of flex.messaging.endpoints.BaseHTTPEndpoint.
    Can we disable FlexSessions?  Since the flex and plain html parts of the app share the sessions, we always use FlexContext.getHttpRequest().getSession() anyway, never storing any state directly in the FlexSession or on the remote object. Or maybe there is a config option to help us with this detection (or creation) of multiple FlexSessions?
    Cheers and TIA,
    -S-
    [1] - For instance, this is the message broker servlet def:
    <servlet>
        <servlet-name>MessageBrokerServlet</servlet-name>
        <display-name>MessageBrokerServlet</display-name>
        <servlet-class>com.tangosol.coherence.servlet.api22.ServletWrapper</servlet-class>
        <init-param>
            <param-name>coherence-servlet-class</param-name>
            <param-value>flex.messaging.MessageBrokerServlet</param-value>
        </init-param>
        <init-param>
            <param-name>services.configuration.file</param-name>
            <param-value>/WEB-INF/flex/services-config.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    [2] - As you understand this is speculation based on pure air, but it could be that in Coherence there was a serialization/deserialization happening somehow that would break such a test?

    Just a quick update, it seems things are running in a stable fashion (and without visible memory leaks, just keeping the latest FlexSession) with these changes in BaseHTTPEndpoint:
    /**
     * Overrides to guard against duplicate HTTP-based sessions for the same FlexClient which will occur if the remote host has disabled session
     * cookies.
     * @see AbstractEndpoint#setupFlexClient(String)
     */
    @Override
    public FlexClient setupFlexClient(String id) {
        log.debug("setupFlexClient start id " + id);
        FlexClient flexClient = super.setupFlexClient(id);
        // Scan for duplicate HTTP-sessions and if found, invalidate them and throw a MessageException.
        // A request attribute is used to deal with batched AMF messages that arrive in a single request by triggering multiple passes through this
        // method.
        boolean duplicateSessionDetected = (FlexContext.getHttpRequest().getAttribute(REQUEST_ATTR_DUPLICATE_SESSION_FLAG) != null);
        if (!duplicateSessionDetected) {
            List<FlexSession> sessions = flexClient.getFlexSessions();
            log.debug("Client has " + sessions.size() + " sessions.");
            int n = sessions.size();
            if (n > 1) {
                int count = 0;
                for (int i = 0; i < n; i++) {
                    if (sessions.get(i) instanceof HttpFlexSession)
                        count++;
                    if (count > 1) {
                        FlexContext.getHttpRequest().setAttribute(REQUEST_ATTR_DUPLICATE_SESSION_FLAG, Boolean.TRUE);
                        duplicateSessionDetected = true;
                        break;
                    }
                }
            }
        }
        // If more than one was found, remote host isn't using session cookies. Kill all duplicate sessions and return an error.
        // Simplest to just re-scan the list given that it will be very short, but use an iterator for concurrent modification.
        int i = 0;
        if (duplicateSessionDetected) {
            List<FlexSession> sessions = flexClient.getFlexSessions();
            log.debug("Detected sessions from client: " + sessions);
            for (FlexSession session : sessions) {
                if (session instanceof HttpFlexSession && i < sessions.size()) {
//                    log.debug("----> sessionId: " + session.getId());
//                    Enumeration e1 = session.getAttributeNames();
//                    while (e1.hasMoreElements()) {
//                        Object key = e1.nextElement();
//                        log.debug("--------->" + key + "--------->" + session.getAttribute((String) key));
//                    }
//                    session.invalidate();
                    flexClient.sessionDestroyed(session);
                }
                i++;
            }
            // Return an error to the client.
//            DuplicateSessionException e = new DuplicateSessionException();
//            e.setMessage(ERR_MSG_DUPLICATE_SESSIONS_DETECTED);
//            throw e;
        }
        return flexClient;
    }
    It is not exactly beautiful (to say the least), but if it does the trick I might just be pragmatic enough to go with it... NB: I am of course not proposing this as a patch to this file or anything, it is just an ugly hack for our specific case, but maybe the information can help the BlazeDS team find the root cause making it incompatible with Coherence*Web.
    Will give it a test run on our staging servers.

  • Security/session questions

    Hi,
    I have some security/session questions for you guys.
    My application uses flex, blazeds and spring. I use RemoteObjects to initiate calls from flex to java. The application consists of a login screen and 'other screens' available only to authenticated users after login. When the user logs in the server stores user credentials on the FlexContext (FlexContext.getFlexSession().setAttribute). So if the server timeout is reached and the user presses 'refresh' the user is thrown out and the login screen appears.
    Question 1: How can I check if the timeout is reached when the user makes a call to the server, without checking manually against the FlexContext. Are there any config parameters to set?
    Question 2: Is it necessary to check against the user credentials in the session for every flex-to-server call? (I guess someone can omit the login screen and do a manual call.)
    Question 3: If the answer to question 2 is yes, how can I check against the session credentials? The only way I can think of is calling a method which checks the session attribute manually, but then I have to remember to add this method call to each of the methods called from flex through Blazeds. Is it, for example, possible to call the user-logged-in method before the method given in the RemoteObject is called? (If not authenticated, do not run method).
    Hope someone got the time to help me out.

    I appreciate your answer, but as you yourself write, I think there must be a blazeDS way. But as nobody with extensive BlazeDS knowledge answers this post, I probably have to google this topic even more.
    Following are the main changes in my application (introducing Spring Security):
    Everything seems to be working as it should. But as already stated, I'm a newbie, so if anybody sees something suspicious, let me know.
    The main problem I had implementing Spring Security was something that should be easy, but somehow it was not: the loading of the context files. Before introducing Spring Security I only had one application-context file, and this was loaded by the DispatcherServlet. When introducing security I tried to add this to the same file. It did not work. Then I tried splitting up the files and loading both using the DispatcherServlet. It did not work. Then I tried loading both using ContextLoaderListener. It did not work. Finally I found the solution: Flex settings must be loaded by the DispatcherServlet, and Spring Security settings must be loaded by ContextLoaderListener. This works. I don't know if this is the only solution.
    On the server:
    web.xml:
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/config/web-application-config.xml
            /WEB-INF/config/web-application-security.xml
        </param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/config/flex-application-config.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    flex-application-context:
    <flex:message-broker>
        <flex:secured/>
    </flex:message-broker>
    web-application-context:
    I had to implement my own authentication mechanism. Had to compare the username/password against an object attribute. So this bean is not mandatory, but I think you have to write down username/password/role in flex-application-context if not provided.
    <bean id="customAuthenticationProvider" class="packagename.CustomAuthenticationProvider">
        <security:custom-authentication-provider/>
    </bean>
    web-application-security:
    <http entry-point-ref="preAuthenticatedEntryPoint" />
    <beans:bean id="preAuthenticatedEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    <!-- Securing the service layer -->
    <global-method-security>
        <protect-pointcut expression="execution(* package.ServiceImpl.*(..))" access="ROLE_USER"/>
    </global-method-security>
    On the client:
    import mx.messaging.ChannelSet;
    import mx.messaging.config.ServerConfig;
    import mx.rpc.AsyncResponder;
    import mx.rpc.AsyncToken;

    private function login():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.login(username, password);
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(loginResultHandler, loginFaultHandler));
    }
    private function logout():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.logout();
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(logoutResultHandler, logoutResultHandler));
    }
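    For Question 3 of this thread (running a logged-in check before every RemoteObject method without repeating it in each method), and for Leo's filter question earlier on the page, where Alex notes that the FlexClient only exists once BlazeDS has processed the AMF message, the following is an added example. It is not code from either thread, from BlazeDS or from Spring Security. It is a BlazeDS JavaAdapter subclass: BlazeDS calls its invoke() after FlexContext has been populated and before the destination method runs, so the FlexSession and the FlexClient id are both reachable here, unlike in a servlet filter that runs before the AMF body is parsed. The session attribute name "user", the destination "LoginService" and the operation "login" are assumed names for illustration only.

```java
// Added example, not from the thread or from BlazeDS: a JavaAdapter subclass
// that enforces "user must be logged in" once, for every RemotingMessage,
// instead of repeating the check inside each service method.
package example.blazeds;

import flex.messaging.FlexContext;
import flex.messaging.FlexSession;
import flex.messaging.client.FlexClient;
import flex.messaging.messages.Message;
import flex.messaging.messages.RemotingMessage;
import flex.messaging.security.SecurityException; // shadows java.lang.SecurityException on purpose
import flex.messaging.services.remoting.adapters.JavaAdapter;

public class AuthenticatedJavaAdapter extends JavaAdapter {

    // Assumed names for illustration: the login code stores the authenticated
    // principal under this FlexSession attribute, and the login call itself
    // lives on this destination/operation, so it must pass unauthenticated.
    static final String USER_ATTRIBUTE = "user";
    static final String LOGIN_DESTINATION = "LoginService";
    static final String LOGIN_OPERATION = "login";

    @Override
    public Object invoke(Message message) {
        RemotingMessage remoting = (RemotingMessage) message;
        if (!isLoginCall(remoting) && !isAuthenticated()) {
            // A MessageException thrown here goes back to the Flex client as a
            // fault with faultCode "Client.Authentication"; the destination
            // method is never invoked.
            FlexClient client = FlexContext.getFlexClient();
            String clientId = (client != null) ? client.getId() : "none";
            SecurityException denied = new SecurityException();
            denied.setCode(SecurityException.CLIENT_AUTHENTICATION_CODE);
            denied.setMessage("Login required before calling "
                    + remoting.getDestination() + "." + remoting.getOperation()
                    + " (FlexClient " + clientId + ")");
            throw denied;
        }
        return super.invoke(message);
    }

    static boolean isLoginCall(RemotingMessage remoting) {
        return LOGIN_DESTINATION.equals(remoting.getDestination())
                && LOGIN_OPERATION.equals(remoting.getOperation());
    }

    // Question 1 of the thread: a timed-out session is no longer valid, so the
    // isValid() check covers the timeout case without a separate config
    // parameter. Reading an attribute from an invalidated HttpFlexSession would
    // throw IllegalStateException, hence the order of the checks.
    static boolean isAuthenticated() {
        FlexSession session = FlexContext.getFlexSession();
        return session != null
                && session.isValid()
                && session.getAttribute(USER_ATTRIBUTE) != null;
    }
}
```

    To put it in front of every remoting destination, register it in remoting-config.xml as the default adapter, i.e. an adapter-definition with id="java-object", class="example.blazeds.AuthenticatedJavaAdapter" and default="true" (the class name is the example's own). The Spring Security setup shown in the reply above enforces the same rule one layer down, at the service method, via the protect-pointcut; the adapter variant rejects the call before any service code runs and needs no pointcut to keep in sync with new methods.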
