The idea is to have authentication done inside the script page so it's
done anonymously, rather than sending login information to Red5 via
the Flash client, unless it was a manual login box of course.
On 30/03/2008, at 7:24 PM, Victor wrote:
> Yes, we did something similar - but, inversely, we did authentication in
> Red5, then we passed a random token to Flash Player and, from there, to
> a servlet (servlet was used to download files).
>
> What kind of problems do you have?
>
> Victor
>
>
> Daniel Rossi wrote:
>> I got stuck with session handling in a service class attempting
>> exactly this. I could send you what I had so far?
>>
>> On 30/03/2008, at 5:59 PM, Victor wrote:
>>
>>> Yes, you can return UsernamePasswordAuthenticationToken (serialize to
>>> String or byte[] somehow; maybe you will need to override the basic
>>> class) from servlet (or JSP), pass it to Flash Player (via SWF params,
>>> for example), send this token to Red5 and call
>>> SecurityContext.setAuthentication(token) in your
>>> Application.appConnect().
>>>
>>> But I am not sure that this is secure because the token contains
>>> 'isAuthenticated' flag set to 'true' after successful logon. So someone
>>> can pass a fake token where isAuthenticated=true (without real
>>> authentication procedure!).
>>>
>>> A better way would be to remember the token itself at server-side. For
>>> example, we have a Spring bean called TokenManager which remembers the
>>> whole SecurityContext (containing the token) after authentication.
>>> TokenManager generates some unique string and maps this string to the
>>> SecurityContext. Then you can pass this string to Flash Player and send
>>> it to Red5. Red5 gets SecurityContext from TokenManager, calls
>>> SecurityContextHolder.setSecurityContext(context) - and voila - user is
>>> now authenticated in Red5.
>>>
>>> Victor
>>>
>>>
>>> Daniel Rossi wrote:
>>>> That's great, after the login can it return a token? This could be
>>>> useful for token based security by getting the page loading the player
>>>> to authenticate itself, return a token to the flash player and then it
>>>> returns the token back to the webapp to gain access. What do you
>>>> think?
>>>>
>>>> On 30/03/2008, at 4:11 PM, Victor wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have added one more example of how to integrate Red5 with Acegi for
>>>>> authentication and authorization purposes, see my last comment in
>>>>> wiki:
>>>>>
>>>>> http://jira.red5.org/confluence/display/docs/Red5+and+Acegi+Security
>>>>>
>>>>>
>>>>> Victor
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Red5 mailing list
>>>>> Red5 osflash.org
>>>>> http://osflash.org/mailman/listinfo/red5_osflash.org
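The server-side token mapping described in the thread, as an added example that is not part of the original messages and not Victor's TokenManager code. The class body, the single-use redemption and the expiry time are assumptions; the type parameter C stands in for the stored SecurityContext so the sketch compiles without Acegi on the classpath.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch: the client only ever holds an opaque random handle,
// so there is no serialized isAuthenticated flag for it to forge.
public class TokenManager<C> {
    private static final class Entry<C> {
        final C context;
        final long expiresAtMillis;
        Entry(C context, long expiresAtMillis) {
            this.context = context;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry<C>> contexts = new ConcurrentHashMap<>();
    private final long ttlMillis; // assumption: handles expire if never redeemed

    public TokenManager(long ttlMillis) { this.ttlMillis = ttlMillis; }

    // Web side (servlet/JSP), called only after a real login has succeeded.
    public String issue(C context) {
        long now = System.currentTimeMillis();
        contexts.values().removeIf(e -> now > e.expiresAtMillis); // drop stale handles
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG, not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        contexts.put(token, new Entry<>(context, now + ttlMillis));
        return token;
    }

    // Red5 side (on connect): returns null for unknown, expired or reused handles.
    public C redeem(String token) {
        if (token == null) return null;
        Entry<C> e = contexts.remove(token); // remove() makes the handle single-use
        if (e == null || System.currentTimeMillis() > e.expiresAtMillis) return null;
        return e.context;
    }

    public static void main(String[] args) {
        TokenManager<String> tm = new TokenManager<>(60_000);
        String token = tm.issue("context-for-alice"); // constructed stand-in value
        System.out.println("forged handle -> " + tm.redeem("isAuthenticated=true"));
        System.out.println("first redeem  -> " + tm.redeem(token));
        System.out.println("replay        -> " + tm.redeem(token));
    }
}
```

A connect handler would reject the connection when redeem returns null and install the returned context only otherwise.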