Handling a leftover Principal Identity with WebOrb for .NET

In order to authorize calls to a service, WebOrb for .NET stores a principal object created by the authentication handler. The IPrincipal interface has the IsInRole(roleName) method, which is responsible for checking whether the user represented by the principal’s identity belongs to a role. System administrators can secure individual methods, classes or namespaces using the WebORB configuration file or the management console. Upon authenticating a user, WebOrb stores the Principal Identity in a session variable, and subsequent calls use it for role-based authorization.

The Problem
The following scenario demonstrates the problem I was having:

  • First, a user successfully authenticates and logs into the application
  • The user then closes the application browser tab without logging out.
  • The browser had multiple tabs open
  • A user reopens the application in a new tab and attempts to log in
  • The user supplies invalid credentials
  • A WebORBAuthenticationException is thrown, preventing WebOrb from creating a new Principal Identity

Everything should be fine since a new Principal Identity wasn’t created, right? Wrong.

The previous principal is still stored in the session and is used for authorizing other service calls. Since the user had previously authenticated, that user’s roles will be used for authorization.

The Solution
At the beginning of my CheckCredential method in my AuthenticationHandler, I simply call:

HttpContext.Current.Session.Clear();

Everything works as expected. Since I don’t have any other session information, the Clear() method fulfills my need. If you have other session information, you may need to loop through the session looking for variables of type System.Security.Principal.GenericIdentity and Weborb.Security.Credentials. Remove both of those variables.

Note: I did have some issues using System.Web.HttpContext.Current in my service library. It was unrecognized. I simply had to add a reference to System.Web and all was ok.
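A sketch of the selective cleanup described above, for sessions that hold other data (an added example, not code from the original post or from WebORB). The helper name RemoveStalePrincipal is hypothetical; it generalizes the post's GenericIdentity check to any IIdentity or IPrincipal, and it matches Weborb.Security.Credentials by type name so that it compiles with only a reference to System.Web.

```csharp
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.SessionState;

public static class SessionPrincipalCleaner
{
    // Type name taken from the post; compared as a string so this helper
    // needs no reference to the WebORB assembly.
    private const string WebOrbCredentialsType = "Weborb.Security.Credentials";

    // Removes any identity, principal or WebORB credentials object left in
    // the session by an earlier login. Returns the number of entries removed.
    // Intended to run at the start of the credential check, before the new
    // credentials are validated, so a failed login cannot fall back to the
    // previous user's roles.
    public static int RemoveStalePrincipal(HttpSessionState session)
    {
        if (session == null)
        {
            return 0;
        }

        // Collect keys first: removing while enumerating Keys would throw.
        var staleKeys = new List<string>();
        foreach (string key in session.Keys)
        {
            if (key == null) continue;

            object value = session[key];
            if (value == null) continue;

            bool isIdentity = value is IIdentity || value is IPrincipal;
            bool isWebOrbCredentials =
                value.GetType().FullName == WebOrbCredentialsType;

            if (isIdentity || isWebOrbCredentials)
            {
                staleKeys.Add(key);
            }
        }

        foreach (string key in staleKeys)
        {
            session.Remove(key);
        }
        return staleKeys.Count;
    }
}
```

Called as `SessionPrincipalCleaner.RemoveStalePrincipal(HttpContext.Current.Session);` in place of `Session.Clear()`, it leaves unrelated session entries untouched.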

Using WebOrb Role-Based Security with the Flex Mate Framework

While implementing a flex-based login solution that used WebOrb & .NET role-based security, I ran into problems attempting to utilize Mate’s RemoteObjectInvoker.

The History

In order to implement .NET’s role based security, we need to Authenticate and Authorize our users. Per WebOrb’s Documentation:

“Authentication is the process of verifying user credentials and establishing user identity. Authentication’s goal is to verify that the user is who they say they are. A result of a successful authentication in .NET is typically an instance of the System.Security.Principal.IPrincipal interface. A .NET principal carries the identity of the authenticated user. Additionally, it can check if a user belongs to a particular role. When a principal is associated with a thread, .NET automatically performs code-access security checks for the methods invoked by the thread and thus enforces role-based security.”

Flex provides an API for sending the authentication credentials in a RemoteObject. SetCredentials tells Flex to send the credentials with the next service call to authenticate and create an identity. Once an identity is established, it’s used for all other service calls that use the same ChannelSet until the logout() function is used.

public function setCredentials( userid:String, password:String ) : void
public function logout() : void

In order to handle authentication, WebOrb registers a custom handler for all setCredentials() calls. Excellent information can be found in the WebOrb documentation on how to set the AuthenticationHandler.

The Problem

Implementing the Mate Framework, I use RemoteObjectInvoker to make calls to my .NET services exposed by WebOrb. Mate provides properties (username and password) on the ServiceInvoker class which the RemoteObjectInvoker extends. So, I attempted the following:

<services:Services id="services"/>
<RemoteObjectInvoker instance="{services.loginService}" 
    method="getUserData"
    username="{event.username}"
    password="{event.password}"/>

Note: Services contains a list of my RemoteObjects per Mate’s Suggested Best Practices.

In the event the user was successfully authenticated, this worked great. If the user is not authenticated, a fault is returned. The problem is that when new credentials are entered, they are not sent to the server. Instead, the original credentials are sent.

Another problem I ran into is logging out the user. I couldn’t find a means to logout a user anywhere in the RemoteObjectInvoker.

The Solution - InlineInvoker

<?xml version="1.0" encoding="utf-8"?>
<EventMap xmlns:mx="http://www.adobe.com/2006/mxml" 
		xmlns="http://mate.asfusion.com/" 
		xmlns:services="services.*">
	<mx:Script>
		<![CDATA[
			import events.LoginEvent;
 
			public function setCredentials(username:String, password:String):void
			{
				services.userService.setCredentials(username, password);
			}
			public function logout():void
			{
				services.userService.logout();
			}
		]]>
	</mx:Script>
 
	<services:Services id="services"/>
 
	<EventHandlers type="{LoginEvent.LOGIN}" debug="true">
 
		<InlineInvoker method="setCredentials" arguments="{[event.hcoid, event.password]}"/>
		<RemoteObjectInvoker instance="{services.userService}" method="getUserData" arguments="{[event.username]}">
			<resultHandlers>
			...
			</resultHandlers>
		</RemoteObjectInvoker>
	</EventHandlers>
 
	<EventHandlers type="{LoginEvent.LOGOUT}" debug="true">
		<InlineInvoker method="logout"/>
	</EventHandlers>
</EventMap>

The solution is pretty simple and should probably be implemented into a Mate Extension (I’m thinking something like a CredentialInvoker or maybe an extension to the RemoteObjectInvoker). There might very well be a better way to do this or it could already be built in. Regardless, the solution wasn’t instantly clear for me, so hopefully this will help someone else.

Flex for .NET Developers on Flex.org…Sweet!

On the newly redesigned Flex.org site, there is now a link for “Flex for .NET Developers”. After clicking the link, you’ll quickly see some information on WebOrb & Fluorine and a couple of links to some quick little tutorials I had written a while ago for getting up and going with Flex + .NET. I’m happy to see Adobe making an effort with those of us that combine Flex and .NET technologies.

I think it’s important to remember that these technologies can and do play nice and I’m excited to see this sub-group of the community continue to grow! Thanks!

Haiti Pics Finally Posted

I finally got around to posting the pictures from our trip to Haiti. It was an awesome experience but heart-breaking at the same time. We worked on building new classrooms for a school (the school has 500 students, and is a man’s house that he made into a church/school….amazing!)

Anyway, a truly life changing trip that really helps to put into perspective how Blessed we all are!

Haiti Pics on Picasa

Going to Haiti: Feb 16th - Feb 25th

I just wanted to let everyone know that next week, Thursday night, my wife and I will be leaving for Haiti and be gone Feb 16-25. We’re really excited and this weekend we’ll be packing and finalizing all the supplies we’ll be taking. If anyone is interested in knowing a little more, here is the website of the group we’ll be going with:

http://www.partnerswithhaiti.org

We’ll be working on a roof for an orphanage and working on other buildings in the village of AFCA. We’ll be staying at a church outside of Port-Au-Prince called Nazon. There is a video, sort of long (maybe 10-15 minutes) about the project going on and specifically the area we’ll be working. In the video, they talk about the Bethany project. It’s a school in the AFCA village. This is the school that we sponsor Michael and Kentia (two children Stacy met on her first trip to Haiti a couple years ago) to attend. On this trip, I’ll get to meet them both!

http://www.partnerswithhaiti.org/afca_video.htm

Any thoughts and prayers for us and the people of Haiti would be more than appreciated.

- Sam

Fluorine (.NET Remoting) updated to Alpha release v16; Adds support for Flex’s RemoteObject

Fluorine has been updated to Alpha release v16. Big news in this release is that it adds support for Flex’s RemoteObject! A special thanks to TheSilentGroup for a great release! Possibly my favorite part of the new release and using RemoteObject is that ServiceCapture now parses my AMF3 correctly! Yippee!

In order to update my projects (as created from this post), I’ve followed the following steps and everything seems to work great.

1) Create a services-config.xml in the root of your Flex application. It should look like this:

[xml]



class="flex.messaging.services.RemotingService"
messageTypes="flex.messaging.messages.RemotingMessage">



*







[/xml]

2) In your Flex Project Properties -> Flex Compiler -> Additional Compiler Arguments add the following
[xml]
-services "services-config.xml"
[/xml]

3) Create your RemoteObject services as follows:

[xml]
<mx:RemoteObject
    destination="fluorine"
    endpoint="{gateway}"
    source="com.yourdomain.service.yourServiceName"
    showBusyCursor="true"/>
[/xml]

4) Copy the new “com.TheSilentGroup.Fluorine.dll” file from the new Fluorine release into your .NET Application’s bin directory.

Good luck and enjoy….and again, thanks SilentGroup for the fantastic product, Fluorine!

The Theater is Finished and Here are the pics!

Truth be told, the theater has been done for a couple months now, but I’ve finally gotten around to organizing my pictures (Google Picasa comes Highly recommended) and getting them uploaded (again Google Picasa Web Albums). I thought about trying to use Flickr, especially with all the Flex Mash-ups people have been doing with it, but Picasa was just too easy to pass up. Maybe they’ll release some APIs (or maybe they already have) that will help Picasa gain momentum since I love it for organizing my photos.

I’ve posted two different albums, one is an album with descriptions of the finished theater and the other is lots of Before & After pics (and some in progress) of the theater that can take you on a trip of our past two years.

So without further ado: My Picasa Web Albums

Does Flex need to assume AMF3 Date’s are UTC?

Background Information:
I’ve inherited an application that stores many Dates and Times. The software is used by people all over the world who manually enter Dates & Times from worksheets into the software. The information is stored in a SQL Database and all dates and times are stored without any Timezone information and represent all different timezones. Dates from different timezones aren’t compared or mixed, so when a report is generated from the database, it’s assumed the report and its dates and times are relevant to the client.

Many different applications hook into this system and I don’t have the luxury of changing anything other than my Flex application to make it match the rest of the system.

My Goal:
My Flex application should allow a user to enter a Date and Time, which I store into a Date Type. For example:
“11/16/2006 03:00:00 PM” would be entered by a user in Eastern Standard Time (GMT-5).
“11/16/2006 03:00:00 PM” would be entered by a user in Pacific Standard Time (GMT-8).
“11/16/2006 03:00:00 PM” would be entered by a user in Moscow (GMT+3).

Each of those Dates would be saved in my database as: “11/16/2006 03:00:00 ”

My Problem:
AMF3 no longer supports a Timezone Offset. See “AMF3 Specification” at OSFlash.org. I currently can take a Date & Time from my Database -> Backend (.NET in this case) -> Gateway (Fluorine in this case) -> AMF3 and in reverse from AMF3 -> Gateway -> Backend -> Database without the Date or Time being modified in any way and without any Timezone information.

The problem is, Flex assumes the AMF3 information is in UTC (GMT). So as soon as AMF3 is deserialized into Flex, the Flex Date is modified to the client’s local timezone offset.

What I want is all three of the dates above to show up in Flex, regardless of the client timezone, as “11/16/2006 03:00:00 PM” and I don’t want to have to manually display the UTC Date all over my Flex application in order to do this. This would include if the Date is a member in a ValueObject.

My Solution (Work in Progress):
Every time a Date is brought into Flex, I call a function:
[as]
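// Builds a local Date whose wall-clock fields equal the UTC fields of myDate,
// undoing the timezone shift Flex applies when it deserializes an AMF3 date.
public static function getUTCDate(myDate:Date):Date
{
    return new Date(myDate.fullYearUTC, myDate.monthUTC, myDate.dateUTC, myDate.hoursUTC, myDate.minutesUTC, myDate.secondsUTC, myDate.millisecondsUTC);
}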
[/as]
which is called as
[as]
flexDate = DateUtil.getUTCDate(flexDate);
[/as]

Every time a Date is sent from Flex, I call a function:
[as]
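// Builds a Date whose UTC fields equal the local wall-clock fields of myDate,
// so the value serialized to AMF3 matches what the user entered.
public static function sendUTCDate(myDate:Date):Date
{
    var sDate:Date = new Date(Date.UTC(myDate.fullYear, myDate.month, myDate.date, myDate.hours, myDate.minutes, myDate.seconds, myDate.milliseconds));
    return sDate;
}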
[/as]
which is called as
[as]
flexDate = DateUtil.sendUTCDate(flexDate);
[/as]

My Wish
Something that would make this automatic for me. Either a way to tell the AMF3 Date Deserialization to be saved as a Local Date, or some way to not make me manually call these functions every time a Date is deserialized or serialized.

Many Thanks to Anyone with Any Ideas!

Storing Dates as Strings in Flex while using Date Components and Date Sorting

Due to an existing implementation of the application I’m working on and problems transferring Dates from Fluorine (.NET Remoting Gateway) to Flex, I decided to store and pass all my Dates as Strings. At first, this seemed like a reasonable and easy to implement change. As time has gone on, more and more problems seem to arise. I’m sure the best thing to do would be to find a way to use Date-typed Dates, but I’ve figured out and thought I’d share some workarounds/hacks in case anyone else is trying to/forced to use Strings as Dates.

1) Binding my dates to a DataGrid column:
In order to have my dates display in the form mm/dd/yyyy, I do the following:
Call a labelFunction named “dateLabel” which then calls a static function from my Util package “formatDateDisplay”
[xml]

[/xml]
[as]
private function dateLabel(item:Object, column:DataGridColumn):String
{
return Utils.formatDateDisplay(item[column.dataField]);
}
[/as]
[as]
// This is found in my Utils Package
public static function formatDateDisplay(date:String):String
{
    // This removes any time data that is appended onto my Date String
    return date.substr(0, date.search(' '));
}
[/as]

2) My DataGrid Columns should be able to be sorted by Date rather than by String Comparison
Call a sortCompareFunction named “dateMyDatePropertyCompare” which then calls a static function from my Utils package “dateFromStringSortCompare”
[xml]

[/xml]
[as]
private function dateMyDatePropertyCompare(obj1:Object, obj2:Object):int
{
return Utils.dateFromStringSortCompare(obj1.myDateProperty, obj2.myDateProperty);
}
[/as]
[as]
public static function dateFromStringSortCompare(obj1:String, obj2:String):int
{
    // Empty or null strings become null Dates
    var date1:Date = (obj1 == "" || obj1 == null) ? null : new Date(obj1);
    var date2:Date = (obj2 == "" || obj2 == null) ? null : new Date(obj2);

    if (date1 < date2)
        return -1;
    else if (date1 > date2)
        return 1;
    else
        return 0;
}
[/as]

3) Binding my String-Date to a DateField
You cannot bind a String to a DateField selectedDate property, so it must be cast into a Date Type. The only way I’ve found to make this Bind is to do the following:
[xml]
selectedDate="{(model.myDateProperty == null || model.myDateProperty == '') ? null : new Date(model.myDateProperty)}"
[/xml]
and to save the DateField value to a String:
[as]
obj.myDateProperty= myDateField.selectedDate.toDateString();
[/as]

My hope is that one of the following happens from this post:

- Someone can save some time and use something I’ve written here
- I’ll learn a much cleaner way to do this and I’ll follow this up with an “I can’t believe I was doing that, now I’m doing this…” post

Comments are welcome and hoped for as always….

Fixed - Service Capture + IE 7 + Flex Help

Months ago, Aral Balkan blogged about Service Capture not working with Flex Help and also gave a possible solution. (link) His solution was to uncheck “Modify IE Settings on Application Start/Stop”. Unfortunately for me, I didn’t want to uncheck that setting. I like that when I start Service Capture, it automatically sets up the proxy on open browser windows. Luckily, IE6 proxies traffic for “localhost” but doesn’t for 127.0.0.1. Flex Help is initially set up to run from 127.0.0.1, hence, missing Service Capture. Therefore, going into Flex Builder -> Preferences -> Help -> Help Server and making the Host Name: “localhost” and the Server Port: “57266” allowed me to leave “Modify IE Settings on Application Start/Stop” checked and still use Flex Help. I was happy…

Fast forward to yesterday, when I decided to upgrade to IE 7. Oh No! My Flex Help is gone again…wassup with that?! Well it turns out, IE 7 no longer proxies “localhost” nor “127.0.0.1”. So what’s a fella to do? Hack! For some reason, “localhost.” (notice the period) is proxied. Changing the Host Name in Flex Help Server to “localhost.”, a quick restart of Flex Builder, and all is well in my world once again!

Hope this helps someone!