Security/session questions

Hi,
I have some security/session questions for you guys.
My application uses flex, blazeds and spring. I use RemoteObjects to initiate calls from flex to java. The application consists of a login screen and 'other screens' available only to authenticated users after login. When the user logs in the server stores user credentials on the FlexContext (FlexContext.getFlexSession().setAttribute). So if the server timeout is reached and the user presses 'refresh' the user is thrown out and the login screen appears.
Question 1: How can I check if the timeout is reached when the user makes a call to the server, without checking manually against the FlexContext. Are there any config parameters to set?
Question 2: Is it necessary to check against the user credentials in the session for every flex-to-server call? (I guess someone can omit the login screen and do a manual call)
Question 3: If the answer to question 2 is yes, how can I check against the session credentials? The only way I can think of is calling a method which checks the session attribute manually, but then I have to remember to add this method call to each of the methods called from flex through Blazeds. Is it, for example, possible to call the user-logged-in method before the method given in the RemoteObject is called? (If not authenticated, do not run method).
Hope someone got the time to help me out.

I appreciate your answer, but as you yourself write, I think there must be a blazeDS way. But as nobody with extensive BlazeDS knowledge answers this post, I probably have to google this topic even more.
Following are the main changes in my application: (Introducing spring security)
Everything seems to be working as it should. But as already stated, I'm a newbie. So if anybody sees something suspicious, let me know.
The main problem I had implementing Spring Security was something that should be easy, but somehow it was not: the loading of the context files. Before introducing the spring security I only had one application-context file, and this was loaded by the DispatcherServlet. When introducing security I tried to add this to the same file. It did not work. Then I tried splitting up the files, and loading both using DispatcherServlet. It did not work. Then I tried loading both using ContextLoaderListener. It did not work. Finally I found the solution. Flex settings must be loaded by the DispatcherServlet, and spring security settings must be loaded by ContextLoaderListener. This works. I don't know if this is the only solution.
On the server:
web-xml:
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/config/web-application-config.xml
            /WEB-INF/config/web-application-security.xml
        </param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/config/flex-application-config.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
flex-application-context:
    <flex:message-broker>
        <flex:secured/>
    </flex:message-broker>
web-application-context:
I had to implement my own authentication mechanism. Had to compare the username/password against an object attribute. So this bean is not mandatory, but I think you have to write down username/password/role in flex-application-context if not provided.
    <bean id="customAuthenticationProvider" class="packagename.CustomAuthenticationProvider">
        <security:custom-authentication-provider/>
    </bean>
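The custom provider referenced by that bean is not shown in the post. The following is an added example, not the original poster's code, of what such a provider looks like against the Spring Security 2.0.x API (the same generation as the org.springframework.security.ui.preauth class and the custom-authentication-provider element used in this configuration). The CredentialStore interface is a hypothetical stand-in for the "object attribute" the poster compares against; the comparison is done against a salted hash with a constant-time equality check, which goes beyond the plain string compare the post describes.

```java
// Added example (not the poster's code): Spring Security 2.0-style AuthenticationProvider
// that validates the username/password submitted by ChannelSet.login() from the Flex client.
// Assumptions: Spring Security 2.0.x package names; CredentialStore is a hypothetical bean
// holding the one configured user, its salt, and SHA-256(salt || password).
package packagename;

import java.security.MessageDigest;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.providers.AuthenticationProvider;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

public class CustomAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical source of the stored credentials (for example a configured bean). */
    public interface CredentialStore {
        String username();
        byte[] salt();
        byte[] passwordHash(); // SHA-256 over salt followed by the UTF-8 password bytes
    }

    private final CredentialStore store;

    public CustomAuthenticationProvider(CredentialStore store) {
        this.store = store;
    }

    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String username = String.valueOf(auth.getPrincipal());
        String password = String.valueOf(auth.getCredentials());

        boolean userOk = constantTimeEquals(utf8(username), utf8(store.username()));
        boolean passOk = constantTimeEquals(hash(store.salt(), password), store.passwordHash());
        if (!(userOk && passOk)) {
            // One message for both failure cases so the fault sent back to Flex does not
            // reveal whether the username or the password was the wrong part.
            throw new BadCredentialsException("Bad credentials");
        }

        // An authenticated token carrying ROLE_USER is what the
        // <protect-pointcut ... access="ROLE_USER"/> rule later checks on each service call.
        GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE_USER") };
        return new UsernamePasswordAuthenticationToken(username, null, roles);
    }

    public boolean supports(Class authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(utf8(password));
        } catch (Exception e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    static byte[] utf8(String s) {
        try {
            return s.getBytes("UTF-8");
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    // Compares every byte regardless of where the first mismatch is, so response time
    // does not depend on how much of the secret was guessed correctly.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

Because the provider takes its store through the constructor, the bean definition above would need a constructor-arg pointing at the store bean (or the class can be given a setter instead). With flex:secured in place, the Flex client's ChannelSet.login() is handed to this provider, and a RemoteObject call into ServiceImpl that arrives without an authenticated session is rejected by the protect-pointcut rule before the service method runs, which is the centralised check the original post's Question 3 asked for.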
web-application-security:
    <http entry-point-ref="preAuthenticatedEntryPoint" />
    <beans:bean id="preAuthenticatedEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    <!-- Securing the service layer: every method of ServiceImpl requires ROLE_USER
         (the AspectJ pointcut needs a space between the return-type wildcard and the package) -->
    <global-method-security>
        <protect-pointcut expression="execution(* package.ServiceImpl.*(..))" access="ROLE_USER"/>
    </global-method-security>
On the client:
    // Authenticate against the BlazeDS channel; the credentials are passed to the
    // server-side login command (and, with flex:secured, on to Spring Security).
    private function login():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.login(username, password);
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(loginResultHandler, loginFaultHandler));
    }

    // End the server session so no further RemoteObject calls succeed on this channel.
    private function logout():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.logout();
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(logoutResultHandler, logoutFaultHandler));
    }

Similar Messages

  • Since I have upgraded from Firefox 3 to 4 and then 5 I no longer get the padlock or keylock icon indicating a secure session when logging on to sites such as my bank account, what is the problem?

    The padlock or key Icon that indicates a secure session no longer appears when I sign into a site such as my bank or any site requiring security for financial or other transaction. Since this security is no longer available in the Firefox browser, I use Internet Explorer for SECURE Browser functions.

    We had the exact same issue happen to us. No issue on Windows XP but Windows 7 mapped two home drives (F and Z). F was mapped during the login script and Z was being mapped by some unknown reason.
    We use Netapp for our storage and home drives and use a feature called CIFS Home Drive Mapping. This essentially maps a user to a folder not available through normal CIFS methods causing AD to error when setting the home drive. To get around this we use
    dsquery and dsmod to modify this attribute in the user account. This is the command we used...
    dsquery user -name %UserNameX% | dsmod user -hmdrv F -hmdir \\filer\$username$
    Notice there is no ":" after the F
    We determined the root cause was the value for the homeDrive attribute for the user account was set to "F" instead of "F:"
    When we updated our users to reference "F:" instead of "F" in their user, this problem was resolved.
    Use LDP or some other method to verify that the homeDrive attribute is set to "F:" (or any other letter) or you will have this issue.

  • Not able to get rid of security-related questions in runtime

    Hi,
    I am simply using NetBeans 6.0.1 and the emulator QwertyDevice and the emulator platform WTK 2.5.2 for CLDC.
    I have chosen Alias as trusted in the signing option in the project configuration page. however still I am getting security confirmation questions in runtime to access the local files for instance.
    Would anyone please advise me how to get rid of that?
    Also I have deployed the application on SonyEricsson k800i and would like to get rid of the security confirmations on that device as well. What is the guideline?
    Thank you

    Right clicking on it is not even an option, just hovering over it seems to induce a "nuclear" reset of the whole desktop and graphic card on the iMac.
    Have meanwhile found a possible solution by erasing the dock preference file in the user/library/preferences folder to reset the dock to its default state. Will try this out through a Skype conversation with that Buddy.
    Was seen here :
    https://discussions.apple.com/message/16447109#16447109
    Thank you for stepping in. Good to know that people are still willing to help in this community.
    Greetz to the UK from France

  • Security upgrade question - Getting 6.1.6 downloaded to iphone.

    Security upgrade question - I have a 4S phone v6.01 with an upgrade to IOS 7.04 already downloaded and ready for install.  I would like to install the 6.1.6 security upgrade instead. How do I delete the ios7 in the queue or have the 6.1.1 pushed as an option to the phone?

    You can't install iOS 6.1.6 on that device and must update it to 7.0.6.
    (101120)

  • How to secure session cookie

    I am using iPlanet 6.0SP6 on NT 4.0.
    I would like to make the session cookie JSESSIONID be transferred only on a secure connection.
    Then, I make the change to web-apps.xml as below
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
         "http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
    <vs>
      <session-cookie is-secure="true"></session-cookie>
    </vs>
    After that, I restart the iplanet web server and load the page with I.E. again. I see that the cookie is still passed with non-secure mode.
    Is there any wrong with my web-apps.xml?

    Janice,
    Thanks for your help.
    When I use the web-apps.xml below, I can make the cookie secure.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
         "http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
    <vs>
      <web-app uri="/" dir="d:/java/docroot" enable="true">
        <session-manager class="com.iplanet.server.http.session.IWSSessionManager">
          <init-param>
            <param-name>maxSessions</param-name>
            <param-value>16000</param-value>
          </init-param>
          <init-param>
            <param-name>timeOut</param-name>
            <param-value>7200</param-value>
          </init-param>
          <init-param>
            <param-name>reapInterval</param-name>
            <param-value>30</param-value>
          </init-param>
          <init-param>
            <param-name>maxValueSize</param-name>
            <param-value>8192</param-value>
          </init-param>
        </session-manager>
        <session-cookie is-secure="true"/>
      </web-app>
    </vs>
    However, when I configure more of the web application with the web.xml, I see that the cookie is no longer secure.
    The web.xml is
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app PUBLIC
      "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
      "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
      <display-name>Trade Info Exchange</display-name>
      <description>
        Trade Info Exchange
      </description>
      <!-- Define servlets that are included in the example application -->
      <servlet>
        <servlet-name>Login</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.LoginServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>Login</servlet-name>
        <url-pattern>/Login</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>Fmenu</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.FmenuServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>Fmenu</servlet-name>
        <url-pattern>/Fmenu</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>Fcontent</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.FcontentServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>Fcontent</servlet-name>
        <url-pattern>/Fcontent</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>Express</servlet-name>
        <servlet-class>com.chase.apps.express.servlet.EXPRESS2</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>Express</servlet-name>
        <url-pattern>/EXPRESS2</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>AppControl</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.AppControlServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>AppControl</servlet-name>
        <url-pattern>/AppControl</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>errorPage</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.errorPage</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>errorPage</servlet-name>
        <url-pattern>/errorPage</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>LoginFail</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.LoginFailServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>LoginFail</servlet-name>
        <url-pattern>/LoginFail</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>Logout</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.LogoutServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>Logout</servlet-name>
        <url-pattern>/Logout</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>ChangePwdWarning</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdWarningServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>ChangePwdWarning</servlet-name>
        <url-pattern>/ChangePwdWarning</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>ChangePwd</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>ChangePwd</servlet-name>
        <url-pattern>/ChangePwd</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>ReLoginDialog</servlet-name>
        <servlet-class>com.chase.infra.appcontrol.servlet.ReLoginDialog</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>ReLoginDialog</servlet-name>
        <url-pattern>/ReLoginDialog</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>TradeTrackProcessSearch</servlet-name>
        <servlet-class>chase.app.tt.servlet.ProcessSearchServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>TradeTrackProcessSearch</servlet-name>
        <url-pattern>/TradeTrackProcessSearch</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>TradeTrackSearchScreen</servlet-name>
        <servlet-class>chase.app.tt.servlet.SearchScreenServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>TradeTrackSearchScreen</servlet-name>
        <url-pattern>/TradeTrackSearchScreen</url-pattern>
      </servlet-mapping>
      <servlet>
        <servlet-name>TradeTrackMain</servlet-name>
        <servlet-class>chase.app.tt.servlet.MainServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>TradeTrackMain</servlet-name>
        <url-pattern>/LCIMPORT</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>TradeTrackMain</servlet-name>
        <url-pattern>/LCEXPORT</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>TradeTrackMain</servlet-name>
        <url-pattern>/COLLIMP</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>TradeTrackMain</servlet-name>
        <url-pattern>/COLLEXP</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>TradeTrackMain</servlet-name>
        <url-pattern>/B2BMenu</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>TradeTrackMain</servlet-name>
        <url-pattern>/B2BMain</url-pattern>
      </servlet-mapping>
      <welcome-file-list>
        <welcome-file>ctielogin.html</welcome-file>
      </welcome-file-list>
    </web-app>
    Please advise how I can make the cookie secure when using the web.xml and web-apps.xml
    thanks
    samuel poon

  • Safari storing previous secure session data in plain text.

    I was just forwarded a link stating that Safari stores previous secure session data unencrypted in a hidden folder. The article said this applies to OS X 10.8.5 and OS X 10.7.5 running Safari 6.0.5. Has this vulnerability been fixed in Mavericks/Safari 7.0?
    http://securityaffairs.co/wordpress/20482/hacking/safari-unsecure-data-storage.html

    It's not the transit that I'm asking about, but a secure local session with private info in a hidden folder. If another user gains access to this hidden folder, then private info can be disclosed (i.e., passwords, address).

  • I forget my security answer questions. --app store

    I forget my security answer questions. --app store
    I cannot buy anything without answering these questions.
    Please help me to repair this problem.

    Q - Can I change the answers to the security questions for my Apple ID?
    A - Yes. You can change the answers to the security questions provided when you originally signed up for your Apple ID. Go to My Apple ID and click Manage your account.
    http://support.apple.com/kb/he37
    Manage your Apple ID -
    https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/

  • Enable secure session cookie on Sun ONE Web Server 6.1

    How can I enable secure session cookie (JSESSIONID) on Sun ONE Web Server 6.1?.
    For 6.0 is <session-cookie is-secure="true"/> inside the <web-app> tags in web-apps.xml but I'm not able to find this setting for 6.1.

    There is a fix in 6.1sp5 that enables the session cookie to be marked as secure.
    See the release notes and search for 6262885 under Issues Resolved in 6.1sp5:
    http://docs.sun.com/app/docs/doc/819-2479/6n4p1bdea?a=view

  • Forget security answer question

    I forget the security answer question

    If you have a rescue email address (which is not the same thing as an alternate email address) set up on your account then go to https://appleid.apple.com/ and click 'Manage your Apple ID' on the right-hand side of that page and log into your account. Then click on 'Password and Security' on the left-hand side of that page and on the right-hand side you should see an option to send security question reset info to your rescue email address.
    If you don't have a rescue email address (you won't be able to add one until you can answer 2 of your questions) then you will need to contact iTunes Support / Apple to get the questions reset.
    Contacting Apple about account security : http://support.apple.com/kb/HT5699
    When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down this page to add a rescue email address for potential future use : http://support.apple.com/kb/HT5312

  • HT201413 Forgot my iTunes security secret questions for purchasing music

    I forgot my iTunes security secret questions for purchasing music. How do I get to redo them again, please?

    The same thing is happening to me as well. Please, I don't know what to do.

  • HT5699 I forgot my security support question and answer, what should i do?

    I forgot my security support question and answer, what should I do?

    See Kappy's great User Tips.
    See my User Tip for some help: Some Solutions for Resetting Forgotten Security Questions: Apple Support Communities https://discussions.apple.com/docs/DOC-4551
    Rescue email address and how to reset Apple ID security questions
    http://support.apple.com/kb/HT5312
    Send Apple an email request for help at: Apple - Support - iTunes Store - Contact Us http://www.apple.com/emea/support/itunes/contact.html
    Call Apple Support in your country: Customer Service: Contacting Apple for support and service http://support.apple.com/kb/HE57
     Cheers, Tom

  • HT5312 I forgot my security question. I need to send my security again.

    I forgot my security question. I need to send my security again.

    Try calling your country number from http://support.apple.com/kb/HE57 and ask to speak with Account Security.

  • I am not receiving the security reset question from Apple

    I am not receiving the security reset question from Apple, and I need to buy some apps. Please help.

    Read here > Apple ID: All about Apple ID security questions
    If necessary
    1) See here > Apple ID: Contacting Apple for help with Apple ID account security
       Ask to speak with the Account Security Team...
    2) Or email here > Apple Support iTunes Store Contact
    Note:
    You can only set up a Rescue Email BEFORE you forget the questions/answers.

  • I forget my security info question, I forget my security info question

    I forget my security info question, I forget my security info question

    The Three Best Alternatives for Security Questions and Rescue Mail
    1. Use Apple's Express Lane.
       Go to https://expresslane.apple.com ; click 'See all products and services' at the
       bottom of the page. In the next page click 'More Products and Services', then
       'Apple ID'. In the next page select 'Other Apple ID Topics' then 'Forgotten Apple
       ID security questions' and click 'Continue'. Please be patient waiting for the return
       phone call. It will come in time depending on how heavily the servers are being hit.
    2. Call Apple Support in your country: Customer Service: Contact Apple support.
    3. Rescue email address and how to reset Apple ID security questions.
    A substitute for using the security questions is to use 2-step verification:
    Two-step verification FAQ: Get answers to frequently asked questions about two-step verification for Apple ID.

  • HT1689 How Do You Change Security Confirmation Questions/Answers?

    I am trying to purchase from my new iPod Touch.  It keeps asking for answers to security confirmation questions.  I have forgotten the answers.  How do I change my security confirmation answers/questions?

    Try:
    https://discussions.apple.com/message/18401752#18401752
    https://discussions.apple.com/thread/3955432?tstart=0
