Part 6: Administering BlazeDS applications

Chapter 12: Security (p. 156)

BlazeDS security lets you control access to server-side destinations. A Flex client application may only connect to the server over a secure destination after its credentials have been validated (authentication), and may only perform authorized operations. By default, BlazeDS uses the security framework of the underlying J2EE application server to support authentication and authorization. However, you can define custom logic to perform authentication and authorization that does not rely on the application server.

Topics

Securing BlazeDS ................ 156
Configuring security ............ 158
Basic authentication ............ 162
Custom authentication ........... 162
Passing credentials to a proxy service ... 166

Securing BlazeDS

Authentication is the process by which users validate their identity to a system. Authorization is the process of determining what types of activities a user is permitted to perform on a system. After users are authenticated, they can be authorized to access specific resources.

In BlazeDS, a destination defines the server-side code through which a client connects to the server. You restrict access to a destination by applying a security constraint to the destination.

Security constraints

A security constraint ensures that a user is authenticated before accessing the destination. A security constraint can also require that the user is authorized against roles defined in a user store, to determine whether the user is a member of a specific role.

You can configure a security constraint to use either basic or custom authentication. The type of authentication you specify determines the type of response the server sends back to the client when the client attempts to access a secured destination with no credentials or invalid credentials. For basic authentication, the server sends an HTTP 401 error to indicate that authentication is required, which causes a browser challenge in the form of a login dialog box. For custom authentication, the server sends a fault to the client to indicate that authentication is required. By default, security constraints use custom authentication.

Login commands

BlazeDS uses a login command to check credentials and log the user into the application server. The way a J2EE application server implements security is specific to each server type. Therefore, BlazeDS includes login command implementations for Apache Tomcat, JBoss, Oracle Application Server, BEA WebLogic, IBM WebSphere, and Adobe JRun. You can use a login command without roles to support authentication only. If you also want to use authorization, link the specified role references to roles that are defined in the user store of your application server.
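The following configuration fragment is an added illustration of the pieces described above (login command, security constraint, and a destination that references the constraint); it is not taken from the chapter. The security constraint id "trusted", the role name "admins", and the destination id "productService" are assumed names; the Tomcat login command class is the one BlazeDS ships for Apache Tomcat.

```xml
<!-- services-config.xml: register the server-specific login command and
     define a reusable security constraint. The auth-method is Custom, so
     an unauthenticated client receives a fault rather than an HTTP 401. -->
<services-config>
    <security>
        <!-- Login command for Apache Tomcat; swap for the JBoss, WebLogic,
             WebSphere, Oracle or JRun implementation on those servers. -->
        <login-command class="flex.messaging.security.TomcatLoginCommand"
                       server="Tomcat"/>

        <!-- Constraint: authenticated AND member of the "admins" role
             (assumed role name, must exist in the application server's
             user store). Omit <roles> for authentication-only checks. -->
        <security-constraint id="trusted">
            <auth-method>Custom</auth-method>
            <roles>
                <role>admins</role>
            </roles>
        </security-constraint>
    </security>
</services-config>
```

A destination then opts into the constraint by reference; a destination with no <security> block stays open to any client that can reach the endpoint, so every destination that exposes privileged operations should carry one.

```xml
<!-- remoting-config.xml: apply the constraint to a destination
     ("productService" is an assumed destination id). -->
<service id="remoting-service" class="flex.messaging.services.RemotingService">
    <destination id="productService">
        <properties>
            <source>com.example.ProductService</source> <!-- assumed class -->
        </properties>
        <security>
            <security-constraint ref="trusted"/>
        </security>
    </destination>
</service>
```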