jQuery in Action, 3rd edition
The moose likes Flex and the fly likes Authentication with Flex and Java Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Frameworks » Flex
Bookmark "Authentication with Flex and Java" Watch "Authentication with Flex and Java" New topic

Authentication with Flex and Java

Peter Gough

Joined: Sep 16, 2009
Posts: 9
I've got a Flex app which provides a front-end for doing basic CRUD db operations. The app is served up from a Tomcat/Blaze server using 2-way authentication and uses Java objects to do the server-side db work. Serving the app works fine. The problem arises when the data components in the app try to call back to the server to pull data from the db. The HttpService template needs to be https://... but the call cannot complete because Flex does not provide a certificate to the server as the browser does.

Using http://... works fine but then the db data is sent in the clear (which is very bad).

What is the standard way to solve this problem? Is there a way to get Flex to use the same cert that the browser provided?

Thanks for any assistance!

[ RHEL5, Apache Tomcat 5.5.23, JDK 1.5, IE/Firefox browsers]
Satish Kore
Ranch Hand

Joined: Feb 10, 2004
Posts: 43
Not sure if I understand the issue entirely but to make Flex application work on https/SSL you just need to use secure amf or secure http channel for your RemoteObject and HttpService and you will be able to fetch data from your server over SSL.


Satish Kore
"Flex 3 with Java" @ packtpub.com and amazon.com
Peter Gough

Joined: Sep 16, 2009
Posts: 9
Yes, I can get this to work using HTTPS, but only if I use 1-way authentication (the client is not required to authenticate itself to
the server). This is what I believe you are referring to.

Using Tomcat, there's a property called 'clientAuth' in conf/server.xml. When set to "true", it forces the client to supply a certificate.
The certificate is then used to authenticate clients connecting to the web server (by Trust Chain, DistinguishedName or whatever).
That information is also passed into the HttpServletContext which I can access and utilize. When I navigate to my main web page,
this works fine because I've installed a certificate into my browser and the browser presents this certificate to the server when
it is requested.

Unfortunately, when my Flex app starts up, it tries to pull data from the server. The server asks it for a certificate but Flex does not
know where to get the certificate to supply to the server. Running WebStart has the same issue but there's a tool that I can use to
install my certificates into a local keystore that is known and used by WebStart.

I need to know if Flex has a way to provide certificates to a web server.


I agree. Here's the link: http://aspose.com/file-tools
subject: Authentication with Flex and Java
It's not a secret anymore!