Wednesday, September 30, 2009

Using WebOrb Role-Based Security with the Flex Mate Framework

While implementing a flex-based login solution that used WebOrb & .NET role-based security, I ran into problems attempting to utilize Mate’s RemoteObjectInvoker.
The History
In order to implement .NET’s role based security, we need to Authenticate and Authorize our users. Per WebOrb’s Documentation:
“Authentication is the process of verifying user credentials and establishing user identity. Authentication’s goal is to verify that the user is who they say they are. A result of a successful authentication in .NET is typically an instance of the System.Security.Principal.IPrincipal interface. A .NET principal carries the identity of the authenticated user. Additionally, it can check if a user belongs to a particular role. When a principal is associated with a thread, .NET automatically performs code-access security checks for the methods invoked by the thread and thus enforces role-based security.”
Flex provides an API for sending the authentication credentials in a RemoteObject. SetCredentials tells Flex to send the credentials with the next service call to authenticate and create an identity. Once an identity is established, its used for all other service calls that use the same ChannelSet until the logout() function is used.
public function setCredentials( userid:String, password:String ) : void
public function logout() : void
In order to handle authentication, WebOrb registers a custom handler for all setCredentials() calls. Excellent information can be found in the WebOrb documentation on how to set the AuthenticationHandler.
The Problem
Implementing the Mate Framework, I use RemoteObjectInvoker to make calls to my .NET services exposed by WebOrb. Mate provides properties (username and password) on the ServiceInvoker class which the RemoteObjectInvoker extends. So, I attempted the following:
<services:Services id="services"/>
<RemoteObjectInvoker instance="{services.loginService}" 
    method="getUserData"
    username="{event.username}"
    password="{event.password}"/>
Note: Services contains a list of my RemoteObjects per Mate’s Suggested Best Practices.
In the event the user was successfully authenticated, this worked great. If the user is not authenticated, a fault is returned. The problem is that when new credentials are entered, they are not sent to the server. Instead, the original credentials are sent.
Another problem I ran into is logging out the user. I couldn’t find a means to logout a user anywhere in the RemoteObjectInvoker.
The Solution - InlineInvoker
<?xml version="1.0" encoding="utf-8"?>
<EventMap xmlns:mx="http://www.adobe.com/2006/mxml" 
  xmlns="http://mate.asfusion.com/" 
  xmlns:services="services.*">
 <mx:Script>
  <![CDATA[
   import events.LoginEvent;
 
   public function setCredentials(username:String, password:String):void
   {
    services.userService.setCredentials(username, password);
   }
   public function logout():void
   {
    services.userService.logout();
   }
  ]]>
 </mx:Script>
 
 <services:Services id="services"/>
 
 <EventHandlers type="{LoginEvent.LOGIN}" debug="true">
 
  <InlineInvoker method="setCredentials" arguments="{[event.hcoid, event.password]}"/>
  <RemoteObjectInvoker instance="{services.userService}" method="getUserData" arguments="{[event.username]}">
   <resultHandlers>
   ...
   </resultHandlers>
  </RemoteObjectInvoker>
 </EventHandlers>
 
 <EventHandlers type="{LoginEvent.LOGOUT}" debug="true">
  <InlineInvoker method="logout"/>
 </EventHandlers>
</EventMap>
The solution is pretty simple and should probably be implemented into a Mate Extension (I’m thinking something like a CredentialInvoker or maybe an extension to the RemoteObjectInvoker). There might very well be a better way to do this or it could already be built in. Regardless, the solution wasn’t’ instantly clear for me, so hopefully this will help someone else.

No comments:

Post a Comment