
Thread: Red5 and Acegi security: example added




Red5 and Acegi security: example added
Russian Federation
2008-03-30 00:11:58
Hi,

I have added one more example of how to integrate Red5 with Acegi for
authentication and authorization purposes, see my last comment in wiki:

http://jira.red5.org/confluence/display/docs/Red5+and+Acegi+Security


Victor

_______________________________________________
Red5 mailing list
Red5osflash.org

http://osflash.org/mailman/listinfo/red5_osflash.org

Re: Red5 and Acegi security: example added
Australia
2008-03-30 01:52:43
That's great, after the login can it return a token? This could be
useful for token based security by getting the page loading the player
to authenticate itself, return a token to the flash player and then it
returns the token back to the webapp to gain access. What do you think?

On 30/03/2008, at 4:11 PM, Victor wrote:

> Hi,
>
> I have added one more example of how to integrate Red5 with Acegi for
> authentication and authorization purposes, see my last comment in
> wiki:
>
> http://jira.red5.org/confluence/display/docs/Red5+and+Acegi+Security
>
>
> Victor

Re: Red5 and Acegi security: example added
Russian Federation
2008-03-30 01:59:37
Yes, you can return UsernamePasswordAuthenticationToken (serialize to
String or byte[] somehow; maybe you will need to override the basic
class) from servlet (or JSP), pass it to Flash Player (via SWF params,
for example), send this token to Red5 and call
SecurityContext.setAuthentication(token) in your
Application.appConnect().

But I am not sure that this is secure because the token contains
'isAuthenticated' flag set to 'true' after successful logon. So someone
can pass a fake token where isAuthenticated=true (without real
authentication procedure!).

A better way would be to remember the token itself at server-side. For
example, we have a Spring bean called TokenManager which remembers the
whole SecurityContext (containing the token) after authentication.
TokenManager generates some unique string and maps this string to the
SecurityContext. Then you can pass this string to Flash Player and send
it to Red5. Red5 gets SecurityContext from TokenManager, calls
SecurityContextHolder.setSecurityContext(context) - and voila - user is
now authenticated in Red5.

Victor


Daniel Rossi wrote:
> That's great, after the login can it return a token? This could be
> useful for token based security by getting the page loading the player
> to authenticate itself, return a token to the flash player and then it
> returns the token back to the webapp to gain access. What do you think?
>
> On 30/03/2008, at 4:11 PM, Victor wrote:
>
>> Hi,
>>
>> I have added one more example of how to integrate Red5 with Acegi for
>> authentication and authorization purposes, see my last comment in
>> wiki:
>>
>> http://jira.red5.org/confluence/display/docs/Red5+and+Acegi+Security
>>
>>
>> Victor


Re: Red5 and Acegi security: example added
Australia
2008-03-30 03:13:03
On 30/03/2008, at 5:59 PM, Victor wrote:
>
>
> A better way would be to remember the token itself at server-side. For
> example, we have a Spring bean called TokenManager which remembers the
> whole SecurityContext (containing the token) after authentication.
> TokenManager generates some unique string and maps this string to the
> SecurityContext. Then you can pass this string to Flash Player and send
> it to Red5. Red5 gets SecurityContext from TokenManager, calls
> SecurityContextHolder.setSecurityContext(context) - and voila - user is
> now authenticated in Red5.

That's exactly what I was talking about. I think you are onto something
here, it could be created as an authentication plugin. The unique
session string returned to the script loading the flash player and
sent back to the connect method is temporary and expires when doing
the second auth part. Or something like that, maybe the auth is cached
on each request and sends a random key back each time. The system
could be resource taxing though :


Re: Red5 and Acegi security: example added
Australia
2008-03-30 03:13:58
I got stuck with session handling in a service class attempting
exactly this. I could send you what I had so far?

On 30/03/2008, at 5:59 PM, Victor wrote:

> Yes, you can return UsernamePasswordAuthenticationToken (serialize to
> String or byte[] somehow; maybe you will need to override the basic
> class) from servlet (or JSP), pass it to Flash Player (via SWF params,
> for example), send this token to Red5 and call
> SecurityContext.setAuthentication(token) in your
> Application.appConnect().
>
> But I am not sure that this is secure because the token contains
> 'isAuthenticated' flag set to 'true' after successful logon. So someone
> can pass a fake token where isAuthenticated=true (without real
> authentication procedure!).
>
> A better way would be to remember the token itself at server-side. For
> example, we have a Spring bean called TokenManager which remembers the
> whole SecurityContext (containing the token) after authentication.
> TokenManager generates some unique string and maps this string to the
> SecurityContext. Then you can pass this string to Flash Player and send
> it to Red5. Red5 gets SecurityContext from TokenManager, calls
> SecurityContextHolder.setSecurityContext(context) - and voila - user is
> now authenticated in Red5.
>
> Victor
>
>
> Daniel Rossi wrote:
>> That's great, after the login can it return a token? This could be
>> useful for token based security by getting the page loading the player
>> to authenticate itself, return a token to the flash player and then it
>> returns the token back to the webapp to gain access. What do you think?
>>
>> On 30/03/2008, at 4:11 PM, Victor wrote:
>>
>>> Hi,
>>>
>>> I have added one more example of how to integrate Red5 with Acegi for
>>> authentication and authorization purposes, see my last comment in
>>> wiki:
>>>
>>> http://jira.red5.org/confluence/display/docs/Red5+and+Acegi+Security
>>>
>>>
>>> Victor