• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Authentication with Flex and Java

 
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I've got a Flex app which provides a front-end for doing basic CRUD db operations. The app is served up from a Tomcat/Blaze server using 2-way authentication and uses Java objects to do the server-side db work. Serving the app works fine. The problem arises when the data components in the app try to call back to the server to pull data from the db. The HttpService template needs to be https://... but the call cannot complete because Flex does not provide a certificate to the server as the browser does.

Using http://... works fine but then the db data is sent in the clear (which is very bad).

What is the standard way to solve this problem? Is there a way to get Flex to use the same cert that the browser provided?

Thanks for any assistance!

[ RHEL5, Apache Tomcat 5.5.23, JDK 1.5, IE/Firefox browsers]
 
Author
Posts: 43
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Not sure if I understand the issue entirely but to make Flex application work on https/SSL you just need to use secure amf or secure http channel for your RemoteObject and HttpService and you will be able to fetch data from your server over SSL.

Thanks,
 
Peter Gough
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Yes, I can get this to work using HTTPS, but only if I use 1-way authentication (the client is not required to authenticate itself to
the server). This is what I believe you are referring to.

Using Tomcat, there's a property called 'clientAuth' in conf/server.xml. When set to "true", it forces the client to supply a certificate.
The certificate is then used to authenticate clients connecting to the web server (by Trust Chain, DistinguishedName or whatever).
That information is also passed into the HttpServletContext which I can access and utilize. When I navigate to my main web page,
this works fine because I've installed a certificate into my browser and the browser presents this certificate to the server when
it is requested.

Unfortunately, when my Flex app starts up, it tries to pull data from the server. The server asks it for a certificate but Flex does not
know where to get the certificate to supply to the server. Running WebStart has the same issue but there's a tool that I can use to
install my certificates into a local keystore that is known and used by WebStart.

I need to know if Flex has a way to provide certificates to a web server.

Thanks!

 
Always! Wait. Never. Shut up. Look at this tiny ad.
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic