2008-10-14

Single Sign On (SSO) with Flex in J2EE container

I've seen this question asked a couple of times about a month ago and I tried to answer it, but thought it best to create an example. The question is: how do you prevent a Flex application from showing the login page after the user hits F5 in the browser (or refresh, for that matter), right after he/she has just logged in?

So the main question here is how you know someone has logged in successfully and does not need to be presented with a login view. This is also how to handle the Single Sign On (SSO) case, where you know the user has authenticated successfully under the host.com/app1 context but is now at your Flex application under the host.com/app2 context and you don't want him to have to re-authenticate. Of course we are talking here about a Java back-end, so either using BlazeDS or LiveCycle Data Services.

So in my example I used BlazeDS and, assuming you configured the security properly, a typical Flex application will display a login view to the user before they can do anything. But if the user has already been authenticated in this web context or in another context on the same server, how do we prevent this default behavior? Here is how I do it, in simple words.

When the LoginView initializes, call the server to load the user's information (you will most likely need it at some point anyway). If you get a success response, you have the data and it means the user is already authenticated, so broadcast the LoginSuccessEvent event and you are done! The application will now display its main content. If you get an error response, the most likely cause is that the user is not authenticated and you should remain at the LoginView. It could also mean there is a server-side error (like a config issue) which your technical department will have to look into.

If you do have to present the user with the LoginView, then once they click the Login button, call the setCredentials() method of your RemoteObject and then make the same call to load the user's information.
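The two steps above in one LoginView, written as an added example for this post (it is not the LoginView.mxml shipped in the author's archive). The remoting destination name `userService`, its `loadUserInfo` method, the shape of the result and the `loginSuccess` event name are assumptions; the destination is assumed to carry a security-constraint in remoting-config.xml so that an unauthenticated call faults. The `Client.Authentication` fault code is the one BlazeDS/LCDS uses for calls that reach a secured destination without a logged-in session; treat it as something to verify against your server version rather than as a given.

```mxml
<?xml version="1.0" encoding="utf-8"?>
<!-- LoginView.mxml (added example, not the archive's own file).
     On creation it tries to load the user's info; success means the container
     already has an authenticated session, so no login form is needed. -->
<mx:VBox xmlns:mx="http://www.adobe.com/2006/mxml"
         creationComplete="loadUserInfo()">

    <!-- Dispatched (bubbling) when the server confirms an authenticated user. -->
    <mx:Metadata>
        [Event(name="loginSuccess", type="flash.events.Event")]
    </mx:Metadata>

    <mx:Script>
        <![CDATA[
            import mx.rpc.events.FaultEvent;
            import mx.rpc.events.ResultEvent;
            import mx.rpc.remoting.RemoteObject;

            public static const LOGIN_SUCCESS:String = "loginSuccess";

            // Fault code returned when a secured destination is called without a
            // logged-in session (assumption: confirm for your BlazeDS/LCDS version).
            private static const NOT_AUTHENTICATED:String = "Client.Authentication";

            // Destination name and method are assumptions; they must match a
            // remoting destination that has a security-constraint configured.
            private var userService:RemoteObject;

            private function initService():void {
                if (userService != null) return;
                userService = new RemoteObject("userService");
                userService.addEventListener(ResultEvent.RESULT, onUserInfo);
                userService.addEventListener(FaultEvent.FAULT, onFault);
            }

            // Step 1: ask the server for the current user's info. If the
            // container session is already authenticated (this context or
            // another context on the same server), this simply succeeds.
            private function loadUserInfo():void {
                initService();
                userService.getOperation("loadUserInfo").send();
            }

            // Step 2: only reached when the user had to type credentials.
            // setCredentials() attaches them to the next remoting call, so the
            // very same loadUserInfo call doubles as the login attempt.
            private function onLoginClick():void {
                initService();
                userService.setCredentials(username.text, password.text);
                loadUserInfo();
            }

            private function onUserInfo(event:ResultEvent):void {
                // event.result is whatever the destination returns (assumed to be
                // the user's profile); keep it and tell the application to move on.
                currentUser = event.result;
                dispatchEvent(new Event(LOGIN_SUCCESS, true));
            }

            private function onFault(event:FaultEvent):void {
                if (event.fault.faultCode == NOT_AUTHENTICATED) {
                    // Expected on first load without a session, and on a wrong
                    // password: stay on the login view.
                    status.text = "Please log in.";
                } else {
                    // Anything else is a server-side problem (bad config, missing
                    // destination, ...), not a missing login. Surface it instead of
                    // silently showing the login form again.
                    status.text = "Server error: " + event.fault.faultString;
                }
            }

            [Bindable] public var currentUser:Object;
        ]]>
    </mx:Script>

    <mx:Form>
        <mx:FormItem label="Username">
            <mx:TextInput id="username"/>
        </mx:FormItem>
        <mx:FormItem label="Password">
            <mx:TextInput id="password" displayAsPassword="true"/>
        </mx:FormItem>
        <mx:Button label="Login" click="onLoginClick()"/>
    </mx:Form>
    <mx:Label id="status"/>
</mx:VBox>
```

The parent application listens for `loginSuccess` and swaps the LoginView for its main content; the view itself never stores credentials or session data on the client, the container session is the only state. Whether the first `loadUserInfo()` also succeeds when the user authenticated under a different web context depends on the container sharing that authenticated session between contexts; the client code is the same either way.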

But there is no better way to see this than to look at an example. So I recommend you download my example using the link below and take a look at the LoginView.mxml file where most of the work is done. The example deploys easily into Tomcat, so I recommend reading the readme.txt file contained within the archive for some installation details. The complete source is included as well.

You can download my example from here. Enjoy!

13 comments:

Ross Phillips said...

Have you thought about using a Shared Object to store the "login"? Unless I'm missing something with the Flash Security model, both apps should be able to access the same Shared Object since it's on the same domain. Also I would recommend storing a session id or similar hash key to identify the user and not an actual login and password.

This should allow you to have a SSO.

Dimitrios "Jimmy" Gianninas said...

Why should I write code to read/write info to a Shared Object to use for SSO when all the security stuff is already implemented for me using BlazeDS/LCDS? And I don't store anything anywhere btw, just look at the example.

Ross Phillips said...

Sheesh - BlazeDS/LCDS is not the only backend for Flex apps. Shared Objects are an alternative way to solve this problem if you don't have BlazeDS/LCDS.

Also to note in your suggested solution: the apps' destination(s) would need to have the same security setup.

I'm not saying your solution is invalid/bad just highlighting another solution to "Single Sign On (SSO) with Flex".

Dimitrios "Jimmy" Gianninas said...

Well my example was for a Java web container, so it's probably what most people will do. But if you don't use Java, then yes, using a Shared Object is probably a solution. No sheeshing required.

Anonymous said...

Hey Dimitrios,

thanks for your example. I ran your sample and it does not seem to keep the session info across webapp contexts within the same server.
i.e:
/sso-login/main.swf and
/sso-login/admin/index.html
do share it..and login into 1 is enough.
However if you change webcontext
/sso-login/main.swf and
/sso-login2/admin/index.html

you are prompted to re-login.

Any idea on how to obtain that... although I think the solution lies more in an app container solution than in Flex...


Unknown said...

I am not able to login using: jimmy, test as user credentials.

What credentials should I use and where do I set up them up in order to test out the application?

Thank you.
