BlazeDS/Security/Spring/NonBlazeDS/NonSpring/Confusion Oh My

I'm new to Flex (coming over from the pure JEE world.) One of the first things that is needed for any application is security authentication/authorization. I've been extremely disappointed, though, in the lack of good examples with best practices on how to handle this, or if there is a book that covers it well let me know and I'll purchase it.
I'm working with BlazeDS at the moment (but not opposed to scrapping it.)
I have managed to finally get a security setup using blazeds-spring integration working, but their forum is a ghost town, so it makes me think that there aren't many people using it. The docs are also extremely vague. Had it not been for some stuff that I was able to pull from these two tutorials by the same author, http://www.adobe.com/devnet/flex/articles/flex_security.html#ach-setscr and http://www.gridshore.nl/2009/05/24/integrate-flex-security-in-mate-using-the-spring-blazeds-integration-project/, I would have been completely lost. Even though it's 'mostly' working, so much is unknown to me, and because the reference doc http://static.springsource.org/spring-flex/docs/1.0.x/reference/html/index.html is so short it doesn't cover a lot of what is going on.
I'm not even 100% certain I want to use Spring though (It seems to actually black-box too much and in some ways overcomplicate things with a lot of configuration), yet I want my application be portable across containers. Where are the examples on the best way to set things up? The blazeds reference doc chapter seems to gloss over a lot, and only confuses me a bit more. I'd like to see some real examples.
As an example of some things that I'd like to see:
1) When not using Spring security, where is a concrete implementation of handling authentication and authorization (with/without blazeDS - I just want a good best practice example of how things are handled)?
2) How are people dealing with session time outs? (user clicking around in application and then they happen to make a server call but their session is gone. Do you simply poll every few minutes to keep the session alive?)
3) Are people putting a filter up before the blazeDS filter to check that the user's session is valid? If the session isn't valid and you've set up a filter, what happens on the flex side of things if the filter finds an invalid session? It can only redirect or forward, so how does it trigger the client flex app that it needs to invalidate its internal storage of an authenticated user and hence needs to redisplay the login page? I know how to set things up in a traditional java web app, but I'm a bit stumped here... I only have one main "FooBar.swf" file, so when the session filter realizes the user's session timed out, where do I "go"? Can I somehow just redirect to the same main page "FooBar.swf" and somehow Flex can be aware that "Hey ok some event happened so I need to invalidate my flex user and present the login page (login component)"?
Thanks for any suggestions/help on what to look at for best practices.

Hi,
Did you get any ideas on this one? As a newcomer to Flex/BlazeDS I'd like to hear them.
I'll add my thoughts to the discussion you started.
2) How are people dealing with session time outs? (user clicking around in application and then they happen to make a server call but their session is gone. Do you simply poll every few minutes to keep the session alive?)
I check the session in a filter for each request. If there's no valid session, the filter sends a response message to the flex app, which shows it as an Alert message. I'm not (yet) using blaze, but I don't see why it wouldn't work.
If you want, you can configure the session timeout in the web.xml of your web app, so no need to poll. It would be nice to get asynchronous event from the server side when the session times out. This requires to use the pub/sub method of blaze or java messaging on a servlet.
The web.xml of the blazeDS samples has the following lines
<!-- Http Flex Session attribute and binding listener support -->
    <listener>
        <listener-class>flex.messaging.HttpFlexSession</listener-class>
    </listener>
To me this indicates that you can define a listener for the session somehow. It would be nice to know more about this.
3) Are people putting a filter up before the blazeDS filter to check that the user's session is valid? If the session isn't valid and you've set up a filter, what happens on the flex side of things if the filter finds an invalid session? It can only redirect or forward, so how does it trigger the client flex app that it needs to invalidate its internal storage of an authenticated user and hence needs to redisplay the login page? I know how to set things up in a traditional java web app, but I'm a bit stumped here... I only have one main "FooBar.swf" file, so when the session filter realizes the user's session timed out, where do I "go"? Can I somehow just redirect to the same main page "FooBar.swf" and somehow Flex can be aware that "Hey ok some event happened so I need to invalidate my flex user and present the login page (login component)"?
Why not just have different swfs? When the session is not valid, redirect to login.html (a wrapper for login component).
If I have understood correctly, Flex uses HTTP GET method to communicate with the browser. So it might be possible to send parameters to the app after the filter. Also, using java script and external interface might be helpful here.
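    The filter described in the reply above, written out as an added example (it is not code from either poster). It assumes the login code stores the user name under a session attribute named "authenticatedUser", that the filter is mapped to /messagebroker/* in web.xml ahead of BlazeDS's MessageBrokerServlet, and that login itself happens through a separate servlet at /auth/login outside that mapping; all three are assumptions. The last one matters: a ChannelSet.login() travels through the same /messagebroker/amf URL as every other call, so a filter cannot tell a login apart by URL alone. Rather than redirecting, which a RemoteObject call cannot follow to a login page, the filter answers with HTTP 401 so the call faults on the Flex side and the fault handler can drop the client's cached user and show the login component.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/*
 * Assumed web.xml wiring (hypothetical names):
 *   <filter>
 *     <filter-name>sessionGuard</filter-name>
 *     <filter-class>example.SessionGuardFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>sessionGuard</filter-name>
 *     <url-pattern>/messagebroker/*</url-pattern>
 *   </filter-mapping>
 *   <listener>
 *     <listener-class>example.SessionGuardFilter$ExpiryListener</listener-class>
 *   </listener>
 * The login servlet (assumed at /auth/login) is deliberately outside the mapping.
 */
public class SessionGuardFilter implements Filter {

    /** Session attribute under which the (assumed) login code stores the user name. */
    public static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (currentUser(request) != null) {
            chain.doFilter(req, res);   // live session: let BlazeDS dispatch the call
            return;
        }

        // No live session (timed out, invalidated, or never logged in). Do not redirect:
        // an AMF client would only receive the HTML of the login page as a garbled
        // response. A 401 makes the RemoteObject call fault, and the Flex fault handler
        // can clear its notion of the logged-in user and show the login component.
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/plain");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.getWriter().write("session expired");
    }

    /**
     * Returns the user name bound to a still-valid session, or null. getSession(false)
     * never creates a session, so an anonymous AMF request cannot manufacture one
     * just by hitting the endpoint.
     */
    static String currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object user = session.getAttribute(USER_ATTR);
        return user instanceof String ? (String) user : null;
    }

    /**
     * The container fires sessionDestroyed() for every session it ends, timeouts
     * included, so per-user server state can be released here. Nothing can be pushed
     * to the Flex client from this callback; it learns of the timeout on its next call.
     */
    public static class ExpiryListener implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent event) { }

        public void sessionDestroyed(HttpSessionEvent event) {
            Object user = event.getSession().getAttribute(USER_ATTR);
            if (user != null) {
                event.getSession().getServletContext().log("session ended for " + user);
            }
        }
    }
}
```

    On the client, the matching piece is a FaultEvent handler on the RemoteObject that treats the failed call as "logged out" and swaps in the login component; the session timeout itself is set once in web.xml (session-config/session-timeout), so no keep-alive polling is needed unless you want sessions to outlive idle users.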

Similar Messages

  • Researching to use Blazeds with spring. I can use blazeds with flex builder 3.

    I would like to know if I can use blazeds 4 with flex builder 3.
    I have all my applications on flex builder 3 with web services.
    Trying to convert to blazeds with spring.

    Yes, it is very much possible. I have done the integration, please check the steps in my post.
    http://sixtyfourarts.blogspot.com/2009/05/gae-integration-with-blazeds-in-eclipse.html

  • BlazeDS security with Jetty?

    Hello everyone, I have BlazeDS 3.2 set up on Jetty 7.0.1. I'm looking to secure my channel for producers. Has anyone done this with Jetty? Does it use the same methodology as Tomcat?
    I managed to get security applied for producers on a channel, but it would pull up a browser security authentication dialog box when the Flex app attempts to send a message with the producer. When I try to set up the Flex client to transmit the credentials, the send fails.
    Has anyone gotten the security working with Jetty so that their app itself can transmit the credentials?
    Thanks,
    josh

    Try changing the network name.
    Often when you enable encryption or change the encryption type without changing the network name the Mac gets confused when automatically trying to connect. Apparently there is some remnants of the old setting lingering causing confusion.

  • Blazeds security

    So I have a problem that has been bothering me for a few weeks now. My backstory is a Flex front end that connects to a java backend located on the same server.  It is running on a tomcat server.  When you are inside the firewall everything runs fine in firefox but crashes in IE.  When outside the firewall you can reach the swf but get back a very long server 500 error.  This is my remote object:
    <mx:RemoteObject id="ldapConnect" destination="ldapService" showBusyCursor="true"
            endpoint="https://servername/blazeds/messagebroker/amf">
            <mx:method name="getAllUsersXML" result="getAllUsers(event)" />
            <mx:method name="clearCache"/>
        </mx:RemoteObject>
    this is part of my services-config.xml file
    <!-- Servlet Based endpoints -->
            <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <polling-enabled>false</polling-enabled>
                </properties>
            </channel-definition>
            <channel-definition id="my-polling-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amfpolling" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <polling-enabled>true</polling-enabled>
                    <polling-interval-seconds>8</polling-interval-seconds>
                </properties>
            </channel-definition>
            <channel-definition id="my-http" class="mx.messaging.channels.HTTPChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/http" class="flex.messaging.endpoints.HTTPEndpoint"/>
            </channel-definition>
            <!-- Secure Servlet-based endpoints -->
            <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
                <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <!--HTTPS requests on some browsers do not work when pragma "no-cache" are set-->
                    <add-no-cache-headers>false</add-no-cache-headers>
                </properties>
            </channel-definition>
            <channel-definition id="my-secure-http" class="mx.messaging.channels.SecureHTTPChannel">
                <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure" class="flex.messaging.endpoints.SecureHTTPEndpoint"/>
                <properties>
                    <!--HTTPS requests on some browsers do not work when pragma "no-cache" are set-->
                    <add-no-cache-headers>false</add-no-cache-headers>
                </properties>
            </channel-definition>

    Hi kloysen.  It looks like you are simply referring to the wrong endpoint.  You are using https, but the rest of the url is to the non-secure (i.e. http) endpoint.  You should probably add 'secure' to the url to match your secure config, or change https to http.  See if that helps.
    <mx:RemoteObject id="ldapConnect" destination="ldapService" showBusyCursor="true"
            endpoint="https://servername/blazeds/messagebroker/amfsecure">
            <mx:method name="getAllUsersXML" result="getAllUsers(event)" />
            <mx:method name="clearCache"/>
        </mx:RemoteObject>

  • BlazeDS Secure-amf (https) still uses amf (http)

    Hello,

    BlazeDS works perfectly, but when I bring my services-config, proxy-config and remoting-config to Secure then I get the following error:

    500 Internal Server Error. BlazeDS is still trying to connect to: http://<servername>:<port>/blazeds/messagebroker/amf

    But I removed every amf-channel using amf! Why is BlazeDS still trying to connect on the amf channel?? (HTTP).

    My channel definitions are:

    -- services-config.xml --
    <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
        <endpoint url="https://<servername>:<portssl>/blazeds/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
        <properties>
            <add-no-cache-headers>false</add-no-cache-headers>
        </properties>
    </channel-definition>

    -- remoting-config.xml --
    <default-channels>
        <channel ref="my-secure-amf"></channel>
    </default-channels>

    I have already found the problem. When you want to use amf-secure instead of amf, be sure that you disable all amf configurations. Otherwise blazeds will try to connect with http instead of https. This will give overhead.

  • Need help with Flex, BlazeDS and Spring

    I have a configured Flex-Blaze-Spring application. I can call a remote method on a Spring bean and pipe its results (list of pojos) to a DataGrid, and the grid displays the data. The remote object is defined with a <mx:> tag, defining a handler function that pipes the result as ArrayCollection to the DataGrid's data provider. I now want to perform another call to the remote Spring bean, but this time define the remote object in ActionScript, and pipe the results to an ArrayCollection variable that I can then iterate through and pick off values from attributes of the objects in the ArrayCollection. I can't set access; my collection seems to be empty. Here is some code:
    import mx.collections.ArrayCollection;
    import mx.containers.Grid;
    import mx.containers.GridItem;
    import mx.containers.GridRow;
    import mx.controls.CheckBox;
    import mx.rpc.events.FaultEvent;
    import mx.rpc.events.ResultEvent;
    import mx.rpc.remoting.RemoteObject;

    // pickPanel, curWeek and handleFault are defined elsewhere in the MXML.
    public var gameRO:RemoteObject;
    public var weeksGameList:ArrayCollection;

    public function makePickGrid():void {
        pickPanel.removeAllChildren();
        gameRO = new RemoteObject();
        gameRO.destination = "gameService";
        gameRO.getWeeksGames.addEventListener(ResultEvent.RESULT, getWeeksGamesResultHandler);
        gameRO.addEventListener(FaultEvent.FAULT, handleFault);
        // The call is asynchronous: weeksGameList is still null when this method
        // returns, so the grid is built in the result handler once the server answers.
        gameRO.getWeeksGames(curWeek.selectedItem);
    }

    public function getWeeksGamesResultHandler(event:ResultEvent):void {
        weeksGameList = event.result as ArrayCollection;
        var pickGrid:Grid = new Grid();
        var gRow:GridRow = new GridRow();
        var gItem:GridItem = new GridItem();
        var cb:CheckBox;
        for each (var game:Object in weeksGameList) {
            cb = new CheckBox();
            cb.label = game.awayTeam;
            gItem.addChild(cb);
        }
        gRow.addChild(gItem);
        pickGrid.addChild(gRow);
        pickPanel.addChild(pickGrid);
    }
    What am I missing here? Thanks for any help!!
    mik

    Hello
    This is a bit of a wild guess, but looking at the code, is it possibly related to the scope of cb?
    Why not declare it inside the for loop, rather than outside it?

  • Using /usr/bin/security for password access confused by repeat account name

    One should be able to lookup a password from the CLI with
    `security find-generic-password -a test -g`
    This formulation seems to assume that you use 'test' as a unique account name. If you use a common login name across multiple generic password items, then this formulation returns the first match, not an array or plist of /all the matches/.
    That is:
    `security find-generic-password -a test`
    returns the first entry of 'test' as an account name, not an indexed plist, as I would expect.
    One must, it seems, add a comment field per entry to be able to select the appropriate generic password:
    `security find-generic-password -j server1 -g`
    I've read through the man page a few times, but haven't been able to find a way to iterate / specify / select based on an account name that's shared across entries.
    Anyone else tried this out?

    Hi
    I believe you can set an open firmware password to prevent someone booting from the OS X disc:
    http://docs.info.apple.com/article.html?artnum=106482
    At the end of the day though, if someone has physical access to your computer and in particular your hard drive, they could probably access your information anyway by simply removing the hard drive and mounting it in another computer.

  • Blazeds + Spring security: fetch data based on current user

    Hi,
    I'm currently learning flex by trying to build an application with flex, blazeds and Spring. My application lets users log on using spring security (which I will probably combine with AcegiLogonCommand). I would like my assemblers to return different data based on which user is currently logged on (for instance to show that specific user's to-do list). To do this, I added a userId property to my spring security principals (by subclassing org.springframework.security.userdetails.User) and added user_id columns to user-specific data in the database. Now I would like to know how I can get the currently logged on user in my assembler so I can use its userId to fetch the user's data.
    Is the assembler the right place to decide which data to send to my flex application? If so, can anyone tell me how to determine which user is currently logged on in my assembler? If not, what would be the recommended way of dealing with user-specific data in my database in combination with blazeds?
    The only examples I have been able to find on the Internet so far only use different roles to determine what a user is or is not allowed to do; I have yet to find any examples where users store and retrieve user-specific data.
    Kind regards,
    Jeroen

    Hi,
    There is a field “Target Audience” in a list whenever “Target Audience” is enabled in “List Settings”; it accepts the name of a SharePoint group.
    For your requirement, you will need to get the name of the group which the current user belongs to. Then perform a query in a specific list to get all the items that contain the specific value in the “Target Audience” field.
    Here is a code snippet about how to set Target Audience for an item, there are code lines about
    how to get the value of a “Target Audience” field:
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/a3ac41d8-42e9-4ec7-999f-036c4b06d3e2/programatically-set-target-audience-in-list-item
    A method about checking whether the current user is a member of the specified group:
    http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spweb.iscurrentusermemberofgroup.aspx
    Best regards,
    Patrick
    Patrick Liang
    TechNet Community Support

  • Security/session questions

    Hi,
    I have some security/session questions for you guys.
    My application uses flex, blazeds and spring. I use RemoteObjects to initiate calls from flex to java. The application consists of a login screen and 'other screens' available only to authenticated users after login. When the user logs in the server stores user credentials on the FlexContext (FlexContext.getFlexSession().setAttribute). So if the server timeout is reached and the user presses 'refresh' the user is thrown out and the login screen appears.
    Question 1: How can I check if the timeout is reached when the user makes a call to the server, without checking manually against the FlexContext. Are there any config parameters to set?
    Question 2: Is it necessary to check against the user credentials in the session for every flex-to-server call? (I guess someone can omit the login screen and do a manual call.)
    Question 3: If the answer to question 2 is yes, how can I check against the session credentials? The only way I can think of is calling a method which checks the session attribute manually, but then I have to remember to add this method call to each of the methods called from flex through Blazeds. Is it, for example, possible to call the user-logged-in method before the method given in the RemoteObject is called? (If not authenticated, do not run method).
    Hope someone got the time to help me out.

    I appreciate your answer, but as you yourself write, I think there must be a blazeDS way. But as nobody with extensive BlazeDS knowledge answers this post, I probably have to google this topic even more.
    Following are the main changes in my application: (Introducing spring security)
    Everything seems to be working as it should. But as already stated, I'm a newbie. So if anybody sees something suspicious, let me know.
    The main problem I had implementing Spring Security was something that should be easy, but somehow it was not: the loading of the context files. Before introducing the spring security I only had one application-context file, and this was loaded by the DispatcherServlet. When introducing security I tried to add this to the same file. It did not work. Then I tried splitting up the files, and loading both using DispatcherServlet. It did not work. Then I tried loading both using ContextLoaderListener. It did not work. Finally I found the solution. Flex settings must be loaded by the DispatcherServlet, and spring security settings must be loaded by ContextLoaderListener. This works. I don't know if this is the only solution.
    On the server:
    web-xml:
    <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/config/web-application-config.xml
                /WEB-INF/config/web-application-security.xml
            </param-value>
        </context-param>
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <servlet>
            <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>/WEB-INF/config/flex-application-config.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
    flex-application-context:
    <flex:message-broker>
            <flex:secured/>
        </flex:message-broker>
    web-application-context:
    I had to implement my own authentication mechanism. Had to compare the username/password against an object attribute. So this bean is not mandatory, but I think you have to write down username/password/role in flex-application-context if not provided.
    <bean id="customAuthenticationProvider" class="packagename.CustomAuthenticationProvider">
            <security:custom-authentication-provider/>  
    </bean>
    web-application-security:
    <http entry-point-ref="preAuthenticatedEntryPoint" />
        <beans:bean id="preAuthenticatedEntryPoint"
            class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
        <!-- Securing the service layer: the AspectJ pointcut needs a space after the return-type wildcard -->
        <global-method-security>
            <protect-pointcut expression="execution(* package.ServiceImpl.*(..))" access="ROLE_USER"/>
        </global-method-security>
    On the client:
    import mx.messaging.ChannelSet;
    import mx.messaging.config.ServerConfig;
    import mx.rpc.AsyncResponder;
    import mx.rpc.AsyncToken;

    private function login():void {
        // Authenticate over the channel set of the remoting destination; BlazeDS
        // hands the credentials to the configured login command on the server.
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.login(username, password);
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(loginResultHandler, loginFaultHandler));
    }

    private function logout():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.logout();
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(logoutResultHandler, logoutFaultHandler));
    }
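    Question 3 above asks for a BlazeDS-native way to run the credential check before every remoted method, and Jeroen's earlier post asks how a server-side method can learn which user is calling it. The added example below (not code from any poster on this page, and an alternative to the Spring Security route the poster took rather than a description of it) answers both with BlazeDS's own hook: a flex.messaging.security.LoginCommand that ChannelSet.login() drives, plus a destination-level security-constraint so BlazeDS performs the authorization check itself before dispatching each call. The class name TableLoginCommand, the destination id todoService, the in-memory account table and the sample rows are all constructed for the example.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletConfig;
import flex.messaging.FlexContext;
import flex.messaging.security.LoginCommand;

/*
 * Assumed BlazeDS wiring (class and destination names are hypothetical):
 *   services-config.xml:  <security><login-command class="example.TableLoginCommand" server="all"/></security>
 *   remoting-config.xml:  <destination id="todoService">
 *                           <properties><source>example.TodoService</source></properties>
 *                           <security><security-constraint>
 *                             <auth-method>Custom</auth-method>
 *                             <roles><role>ROLE_USER</role></roles>
 *                           </security-constraint></security>
 *                         </destination>
 * With that constraint BlazeDS calls doAuthorization() before every invocation on the
 * destination and rejects the call itself when it returns false.
 */
public class TableLoginCommand implements LoginCommand {

    /** Constructed sample accounts (user -> password) and grants (user -> roles). */
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        PASSWORDS.put("alice", "alice-pw");
        ROLES.put("alice", new HashSet<String>(Arrays.asList("ROLE_USER")));
        PASSWORDS.put("guest", "guest-pw");
        ROLES.put("guest", new HashSet<String>());   // can log in, but holds no ROLE_USER
    }

    public void start(ServletConfig config) { }
    public void stop() { }

    /**
     * Runs for ChannelSet.login(username, password); BlazeDS passes the password as the
     * credentials object. Returning null tells BlazeDS the login failed, so the client
     * gets a fault and no Principal is bound to its FlexSession.
     */
    public Principal doAuthentication(String username, Object credentials) {
        String expected = PASSWORDS.get(username);
        if (expected == null || credentials == null
                || !constantTimeEquals(expected, credentials.toString())) {
            return null;
        }
        return new NamedPrincipal(username);
    }

    /** Runs before each call on a destination that carries a security-constraint. */
    public boolean doAuthorization(Principal principal, List roles) {
        Set<String> granted = principal == null ? null : ROLES.get(principal.getName());
        if (granted == null) {
            return false;
        }
        for (Object required : roles) {
            if (granted.contains(required)) {
                return true;   // any one of the listed roles is enough
            }
        }
        return false;
    }

    public boolean logout(Principal principal) {
        return true;   // nothing to release in this in-memory example
    }

    /** Compares the whole string rather than stopping at the first differing byte. */
    static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes();
        byte[] y = b.getBytes();
        int diff = x.length ^ y.length;
        for (int i = 0; i < x.length && i < y.length; i++) {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }

    /** Minimal Principal carrying only the user name. */
    public static class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
}

/**
 * The remoting destination. Inside a call, FlexContext.getUserPrincipal() is the Principal
 * returned by doAuthentication() above, so the service scopes rows to the caller instead
 * of trusting a user id sent from the client.
 */
class TodoService {
    /** Constructed sample rows: owner -> items. */
    private static final Map<String, List<String>> TODOS = new HashMap<String, List<String>>();
    static {
        TODOS.put("alice", Arrays.asList("review remoting-config.xml", "rotate the keystore"));
    }

    public List<String> myTodos() {
        Principal caller = FlexContext.getUserPrincipal();
        if (caller == null) {
            throw new IllegalStateException("not authenticated");
        }
        List<String> rows = TODOS.get(caller.getName());
        return rows == null ? new ArrayList<String>() : rows;
    }
}
```

    With this wiring a client that skips the login screen and calls todoService directly gets a fault from BlazeDS before myTodos() runs, which is the per-call check Question 2 and 3 are after; the user "guest" shows the other failure mode, a successful login that still cannot reach the destination because it lacks ROLE_USER.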

  • How to handle multiple SSO in ADF Security Framework

    Hello All,
    I have a question about ADF security with multiple SSO provider.
    What I am trying to achieve:
    Assume there are SSO provider A, B and C. Each provider will grant a different role to the ADF application (A grant Admin, B grant Business Manager, C grant Configuration Manager). Sign out from the ADF application will log all the SSO out at the same time.
    What I know:
    Each SSO will need to have information about the role it provides. I will also need to write code like the following: (modified from an old answer from Frank Nimphius before)
        // username, password and idmRole are fields set elsewhere in this bean.
        public String grantRoleForCurrentSso() {
            try {
                // Need to get the specific IDM store based on the SSO the user is using.
                IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
                try {
                    UserManager userManager = idstore.getUserManager();
                    RoleManager roleManager = idstore.getRoleManager();
                    // Again, idmRole based on which SSO the user is using.
                    Role role = idstore.searchRole(Role.SCOPE_APPLICATION, idmRole);
                    // create user
                    // TODO check for empty username and password
                    // the user may already be logged in from another SSO.
                    User user = userManager.getUser(SecurityContext.getUserName());
                    if (user == null) {
                        user = userManager.createUser(this.username, this.password.toCharArray());
                    }
                    roleManager.grantRole(role, user.getPrincipal());
                } catch (IMException e) {
                    // TODO
                }
            } catch (JpsException e) {
                // TODO
            }
            return null;
        }
    Also a logout code like this:
        void doLogout() {
            if (A) logoutFromA(user);
            if (B) logoutFromB(user);
            if (C) logoutFromC(user);
        }
    My Question:
    Would the code above handle what I described? Also, how do I set the SecurityContext for ADF security, or does grantRole automatically do that for me?

    Hello Sudipto,
    Yeah, I had watched that tutorial, it is pretty helpful on getting 1 SSO working with the ADF security.
    I am confused when there is multiple provider - do I setup the web gate so that "http://myapp:7777/LoginViaA" point to SSO Provider A, "http://myapp:7777/LoginViaB" point to SSO Provider B and so forth? **Note: the login/username can be different on different SSO provider.
    In that case, I will still need to set the value in SecurityContext to say "This current user login as [email protected] via SSO A and [email protected] via SSO B", or is there some other way to handle this?
    Thanks,
    Louis

  • HT5631 security questions - how to change them "for good"

    The process to change the security questions is extremely confusing. Your instructions on apple support are not complete. You suggest to click on a button to turn off a two-step verification but that button does not exist.

    Hi scorpiant,
    If you are having issues changing or resetting your Apple ID security questions, you may find the following articles helpful:
    Apple Support: Frequently asked questions about Apple ID
    http://support.apple.com/kb/ht5622
    Apple Support: Rescue email address and how to reset Apple ID security questions
    http://support.apple.com/kb/ht5312
    Regards,
    - Brenden

  • Does anyone understand Security settings for Portfolios??

    Thanks, Philip, you answered part of my question. I'm still searching for a way to keep people from printing or editing my artwork I place in the portfolio I'm building in Acrobat. Anyone's help would be greatly appreciated. I can't seem to find any specific information, at least none I can understand, on this simple problem.
    Using Adobe Acrobat Pro 9.1.3 on a Mac. Creating a portfolio of my artwork to either burn to cd or email. I want the recipient to ONLY be able to VIEW the artwork, not print or edit. I do not understand the Security settings, and I have read the section on Choosing a security method. Still confused. After going to File> Modify PDF Portfolio> Secure Portfolio..... what do I choose in all the Security settings? I'm sure some of the people viewing the portfolio will have a full version of Acrobat, and not just the reader. Please help or advise where I can find more online help for this simple problem. Thanks.
    Bgin_Agin_OK

    As for editing artwork, you can do as I suggested: a layer with Opacity set to 1%, then Flatten. That will prevent (or should) the editing of artwork.
    As for locking, preventing printing and editing, you can set that in Tools > Security settings (then password protect).
    Note: Security is fairly easy for anyone to overcome. There are bunches of programs out on the net to do just that.
    Most honest, ethical persons will abide. But there is, I am afraid, in today's world little of that left. So there is a better than 50/50 chance your stuff will be swiped. I would not dream of doing such, except if it was one I created, I set a password on, and forgot the password.
    When I was growing up, when I was about 7, I picked up a pencil in a 5&10 cent store, and when my mother found it when we got out the door she marched me back in, told me to give the pencil back, and apologize. Then when I got home my bottom was smoked. I still remember my backside smarting all these years. I would no more steal anything than I would try to kill someone. Just not in my nature.
    In today's world if a kid did similar, the parent is more likely to shrug it off, or ask the kid how they got away with it, show and ask them how.
    A sad commentary on the world.

  • No traffic from Outside1 (Security level 100) attached Networks to DMZ and Viceversa

    I have an ASA5510; I configured an Outside, 1 DMZ and 2 interfaces with security level 100 (Outside1 and Inside). I can ping and have fluid traffic between the DMZ and Inside interfaces, but I don't have any kind of traffic between the DMZ and Outside1. I wrote the same configuration for both security level 100 interfaces. Also I have connected a Cisco 892 router to Outside1. When I attached a computer instead of the 892, traffic between Outside1 and DMZ was fluid. I need to have fluid traffic between the networks connected to the 892.
    Can someone help me? Here are the 2 configs:
    ASA5510:
    : Saved
    ASA Version 8.2(1)
    hostname ASAFCHFW
    domain-name a.b.c
    enable password 6Jfo5anznhoG00fM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
     nameif Outside
     security-level 0
     ip address x.y.z.162 255.255.255.248
    interface Ethernet0/1
     nameif Outside1
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/2
     nameif DMZ
     security-level 10
     ip address 172.16.31.1 255.255.255.0
    interface Ethernet0/3
     nameif Inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
     domain-name farmaciachavez.com.bo
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
    access-list Inside extended permit ip any any
    access-list Inside extended permit icmp any any
    access-list 100 extended permit tcp any host x.y.z.163 eq smtp
    access-list 100 extended permit udp any host x.y.z.163 eq domain
    access-list 100 extended permit tcp any host x.y.z.163 eq https
    access-list 100 extended permit tcp any host x.y.z.163 eq www
    access-list 100 extended permit tcp any host x.y.z.163 eq 3000
    access-list 100 extended permit tcp any host x.y.z.163 eq 1000
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu Outside 1500
    mtu Outside1 1500
    mtu DMZ 1500
    mtu Inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit host 192.168.0.22 Outside
    icmp permit 192.168.0.0 255.255.255.0 Outside1
    icmp permit 192.168.2.0 255.255.255.0 Outside1
    icmp permit 172.16.31.0 255.255.255.0 Outside1
    icmp permit 192.168.2.0 255.255.255.0 DMZ
    icmp permit 192.168.2.0 255.255.255.0 Inside
    icmp permit 192.168.0.0 255.255.255.0 Inside
    icmp permit 172.16.31.0 255.255.255.0 Inside
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    global (Outside) 101 interface
    nat (Outside1) 101 0.0.0.0 0.0.0.0
    nat (DMZ) 101 0.0.0.0 0.0.0.0
    nat (Inside) 101 0.0.0.0 0.0.0.0
    static (DMZ,Outside) x.y.z.163 172.16.31.0 netmask 255.255.255.255
    static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
    static (Outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
    static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (Inside,Outside1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    static (Outside1,Inside) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
    static (DMZ,Outside1) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
    static (Outside1,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
    static (Outside1,Inside) 172.1.2.0 172.1.2.0 netmask 255.255.255.0
    static (Outside1,Inside) 172.1.3.0 172.1.3.0 netmask 255.255.255.0
    static (Outside1,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
    static (Outside1,DMZ) 172.1.1.0 172.1.1.0 netmask 255.255.255.0
    access-group dmz_in in interface DMZ
    route Outside 0.0.0.0 0.0.0.0 x.y.z.161 20
    route Outside1 172.1.1.0 255.255.255.0 192.168.2.2 1
    route Outside1 172.1.2.0 255.255.255.0 192.168.2.2 1
    route Outside1 172.1.3.0 255.255.255.0 192.168.2.2 1
    route Outside1 192.1.0.0 255.255.192.0 192.168.2.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.0.0 255.255.255.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.0.0 255.255.255.0 Inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7441424d1fcf87c3eb837b569e84aa9e
    : end
    Cisco 892:
    Current configuration : 3296 bytes
    ! Last configuration change at 01:15:13 UTC Tue Apr 29 2014 by eguerra
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname RouterHQFCH
    boot-start-marker
    boot-end-marker
    enable secret 4 
    no aaa new-model
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-1580540949
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1580540949
     revocation-check none
     rsakeypair TP-self-signed-1580540949
    crypto pki certificate chain TP-self-signed-1580540949
     certificate self-signed 01
            quit
    license udi pid C892FSP-K9 sn FTX180484TB
    username servicios privilege 15 password 7 
    username eguerra privilege 15 password 7 
    interface GigabitEthernet0
     no ip address
    interface GigabitEthernet1
     switchport access vlan 2
     no ip address
    interface GigabitEthernet2
     no ip address
    interface GigabitEthernet3
     no ip address
    interface GigabitEthernet4
     no ip address
    interface GigabitEthernet5
     no ip address
    interface GigabitEthernet6
     no ip address
    interface GigabitEthernet7
     no ip address
    interface GigabitEthernet8
     ip address 172.1.1.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet9
     ip address 172.1.2.1 255.255.255.0
     duplex auto
     speed auto
    interface Vlan1
     ip address 192.168.2.2 255.255.255.0
    interface Vlan2
     ip address 192.168.100.200 255.255.255.0
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip route 172.16.31.0 255.255.255.0 192.168.2.1
    ip route 192.168.0.0 255.255.255.0 192.168.2.1
    control-plane
    line con 0
     password 7 
     login
     no modem enable
    line aux 0
    line vty 0 4
     password 7 
     login local
     transport input all
    scheduler allocate 20000 1000
    end
    Thanks in advance

    Maybe I did not understand what you are trying to accomplish. What I mentioned was to make your ACL configuration better, meaning more secure. Changing the security level just helps you understand that you are not coming from a site that does not require ACLs, thus from lower to higher security interfaces you need to place ACLs; then there is a whole other world regarding NAT/PAT that involves same-security interfaces, which sometimes confuses customers, so I also wanted to avoid that for you.
    To enforce security between interfaces you need to know what protocols and ports are being used by the servers that reside behind the higher security interface, so you only open what is needed and block the rest to that higher security interface.
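    As an added example (not from the thread and not Cisco tooling), a small Python audit over the access-list and access-group lines of the ASA configuration posted above: it lists ACLs that are defined but never bound to an interface with access-group, and permit entries that open everything with "any any". The input is a constructed excerpt of those lines, with the placeholder address x.y.z.163 kept as posted.

```python
import re
from collections import defaultdict

# Constructed sample: ACL and access-group lines copied from the ASA
# configuration posted above (placeholder address x.y.z.163 as posted).
ASA_CONFIG = """
access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host x.y.z.163 eq smtp
access-list 100 extended permit udp any host x.y.z.163 eq domain
access-group dmz_in in interface DMZ
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
BIND_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def parse_acls(text):
    """Return (ACL entries by name, access-group bindings by ACL name)."""
    acls = defaultdict(list)      # name -> [(action, protocol, rest-of-line)]
    bindings = defaultdict(list)  # name -> [(direction, interface)]
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest.strip()))
            continue
        m = BIND_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            bindings[name].append((direction, iface))
    return acls, bindings

def unbound_acls(acls, bindings):
    """ACLs defined but never applied with access-group enforce nothing."""
    return sorted(name for name in acls if name not in bindings)

def broad_permits(acls):
    """Permit entries that read 'any any' with no port qualifier open everything."""
    return [(name, proto) for name, entries in acls.items()
            for action, proto, rest in entries
            if action == "permit" and rest == "any any"]

if __name__ == "__main__":
    acls, bindings = parse_acls(ASA_CONFIG)
    for name in unbound_acls(acls, bindings):
        print(f"ACL {name}: defined but not applied to any interface")
    for name, proto in broad_permits(acls):
        print(f"ACL {name}: permit {proto} any any")
```

On the posted configuration only dmz_in is applied; ACL 100 and the Inside ACL are defined but not bound, so they currently filter nothing.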

  • Invalidate session in BlazeDS

    Hi!
    I need to integrate BlazeDS security with an external security mechanism, so I have implemented custom authentication as described in http://livedocs.adobe.com/blazeds/1/blazeds_devguide/help.html?content=services_security_1.html. Now I need to invalidate user authentication on the server under certain circumstances. When this happens, I invalidate the Session contained in the Request parameter of the invoke method of TomcatValve. This seems to work, but I get a nasty "Duplicated Http Session" in the Flex client telling me that cookies were removed on the server. Is there any clear way to invalidate the current user login from BlazeDS?
    I've also tried invalidating the FlexSession, but then the Flex client hangs.
    Thank you very much.
    Daniel.

    Ummm - isn't that exactly what a session timeout specifies?
    i.e. how long should it stick around before it "expires" and should be invalidated?
    You don't need to call session.invalidate() - it will do that all by itself.

  • Glassfish v3, BlazeDS, and authentication.

    Hi,
    I'm looking for documentation about how to configure BlazeDS security with Glassfish v3.  I've found this:
    http://anachronymous.com/2009/01/flex-blazeds-and-glassfish-part-1.html
    ...but it's for Glassfish v2.  Most of it should be the same, but some of the TomcatValve stuff has changed for Glassfish v3:
    http://blogs.sun.com/jluehe/entry/glassfish_v3_adds_support_for
    Should I be able to ignore the valve configuration and simply use TomcatLoginCommand since Glassfish v3 is supposed to support Tomcat style valves?  I tried adding the following to services-config.xml:
    <security>
        <login-command class="flex.messaging.security.TomcatLoginCommand" server="all"/>
    </security>
    ...but upon deployment I get the following error:
    javax.servlet.UnavailableException: Cannot create class of type 'flex.messaging.security.TomcatLoginCommand'.
    Can anyone point me in the right direction?
    Ryan

    I'll assume you've got Glassfish using the default 'file' realm for authentication.  If not you'll have to adapt my instructions to the realm you're using.
    1) Load the glassfish admin console.
    2) Navigate to 'Configuration -- Security -- Realms -- file'.
    3) Select 'Manage Users' near the top left.
    4) Select 'New'
    5) Add the user 'tech'.  In the 'Group List' put 'tech'.  Use any password you like.
    6) Select 'OK' to save your user.
    7) Navigate to 'Configuration -- Security'.
    8) Enable 'Default Principal To Role Mapping'.  I can't remember why I have this enabled, so feel free to research it a bit.
    9) Select 'Save' to save the changes.
    Here is a complete copy of a simple web.xml that I've used:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
        <display-name>ITMA Web App</display-name>
        <!-- Http Flex Session attribute and binding listener support -->
        <listener>
            <listener-class>flex.messaging.HttpFlexSession</listener-class>
        </listener>
        <!-- MessageBroker Servlet -->
        <servlet>
            <display-name>MessageBrokerServlet</display-name>
            <servlet-name>MessageBrokerServlet</servlet-name>
            <servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
            <init-param>
                <param-name>services.configuration.file</param-name>
                <param-value>/WEB-INF/flex/services-config.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>MessageBrokerServlet</servlet-name>
            <url-pattern>/messagebroker/*</url-pattern>
        </servlet-mapping>
        <welcome-file-list>
            <welcome-file>itma-flex-ui-blazeds.swf</welcome-file>
        </welcome-file-list>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>file</realm-name>
        </login-config>
        <security-role>
            <role-name>tech</role-name>
        </security-role>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Flex UI</web-resource-name>
                <url-pattern>/messagebroker/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>tech</role-name>
            </auth-constraint>
        </security-constraint>
    </web-app>
    Note the MessageBrokerServlet configuration, specifically the <servlet-name>.  You probably have something similar.  The <servlet-mapping> means all requests to urls like 'http://my.domain.com/contextroot/messagebroker/amf' will be processed by the MessageBrokerServlet.   The <security-constraint> configuration restricts all requests to '/messagebroker/*'.  Basically all requests to the MessageBrokerServlet will require authentication.
    All of the roles in your application need to get listed in the <security-role> section.  Each role needs to be mapped to a 'Principal' on the Glassfish server.  I'm not positive, but I think the 'Default Principal To Role Mapping' will automatically map users defined as being of the role 'tech' to the 'tech' user (principal) or possibly the 'tech' group.  I'm a little unclear on how it works with the group list.
    The final parts are the <login-config> and <auth-constraint> sections.  The login config defines the realm to use (file in this example).  The auth-constraint section says that access to the listed resources should be restricted to users in the 'tech' role.
    The whole process is something like this:
    1) Only users in the role 'tech' can access urls that match /messagebroker/*.
    2) The role of tech is defined and mapped to a principal (or group of principals) within the file realm on the server.
    3) The 'Default Principal To Role Mapping' option in Glassfish automatically maps the tech role to the tech principal (user) or group (I'm not actually sure which one).  I think you'd normally need to configure this somewhere and map the roles in your Flex application to groups in your security realm.
    Try creating a configuration like the above.  Ignore the BlazeDS portion of the configuration to start with and see if you can get it working with just web.xml.  After you get that working and know you can actually authenticate to the container (Glassfish), then you can go back to trying to get the BlazeDS side of things configured / mapped.
    I hope that helps,
    Ryan
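    An added example, not part of Ryan's answer or of BlazeDS: a Python check over a web.xml like the one above. It confirms that the MessageBrokerServlet URL pattern sits behind an auth-constraint, that every role named in an auth-constraint is declared under security-role, and it flags constraints that list explicit http-method elements, because under the Servlet spec a constraint that names methods leaves every other HTTP method unconstrained. The sample web.xml is a constructed, trimmed copy of the one in the answer.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the web.xml from the answer, trimmed to the relevant parts.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/messagebroker/*</url-pattern>
  </servlet-mapping>
  <login-config><auth-method>BASIC</auth-method><realm-name>file</realm-name></login-config>
  <security-role><role-name>tech</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/messagebroker/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tech</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def audit_web_xml(xml_text, servlet="MessageBrokerServlet"):
    """Return a list of findings; an empty list means the broker endpoint is protected."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}
    if root.find("j:login-config/j:auth-method", NS) is None:
        findings.append("no login-config: the container cannot challenge for credentials")
    # URL patterns that the container routes to the broker servlet
    broker = {m.findtext("j:url-pattern", namespaces=NS).strip()
              for m in root.findall("j:servlet-mapping", NS)
              if m.findtext("j:servlet-name", namespaces=NS).strip() == servlet}
    protected = {}  # url-pattern -> set of listed methods, or None for all methods
    for sc in root.findall("j:security-constraint", NS):
        for r in sc.findall("j:auth-constraint/j:role-name", NS):
            if r.text.strip() not in declared | {"*"}:
                findings.append(f"role '{r.text.strip()}' not declared in security-role")
        if sc.find("j:auth-constraint", NS) is None:
            continue  # no auth-constraint means the listed resources stay public
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = {m.text.strip() for m in wrc.findall("j:http-method", NS)}
            for p in wrc.findall("j:url-pattern", NS):
                key = p.text.strip()
                prev = protected.get(key, set())
                protected[key] = None if (not methods or prev is None) else prev | methods
    for pattern in sorted(broker):
        if pattern not in protected:
            findings.append(f"{pattern} reaches {servlet} without any auth-constraint")
        elif protected[pattern] is not None:
            findings.append(f"{pattern} constrained only for {sorted(protected[pattern])}; "
                            "other HTTP methods are uncovered")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(WEB_XML) or ["ok: broker endpoint protected"]:
        print(finding)
```

Dropping the two http-method lines from the sample makes the constraint cover every method and the audit returns no findings.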
