I will not do a big introduction on WebORB security because I mainly want to show the security with some examples. It would however not be bad to read the following two things at http://www.themidnightcoders.com/doc30/ :

  • Flex Integration --> Flex Remoting --> Security
  • Server Infrastructure --> Security

Beside that read the comments in the Security section in the weborb.config file.

In my example I'll work with the closed system.

From WebORB:

WebORB default authorization handler implements a powerful system for granting or denying access to the user classes, XML Web Services, CFCs or any other supported service type. The system supports 2 modes of operation: Open and Closed mode. The 'Open System' mode exposes all application classes and services to the rich client applications. Access can be restricted to individual methods, classes or packages/namespaces by creating specific access constraints. This mode is useful for development when infrastructure security has lower priority. The 'Closed System' mode is the opposite of the open mode. When running in the 'Closed System' mode, WebORB restricts access to all service types available in the application - all classes, xml services, EJBs and CFCs. Access to the individual methods, classes, packages/namespace can be granted by applying security access constraints.

The closed system is more secure and easier to manage, so I'll work with that.

On the servers side I have one Class that needs security:

PLAIN TEXT
C#:
  1. using System;
  2. using System.Collections.Generic;
  3. using System.Linq;
  4. using System.Text;
  5.  
  6. namespace Authentication
  7. {
  8.     public class TestService
  9.     {
  10.         /**
  11.          * No access constraints should be defined for this method. In a closed system,
  12.          * this means that no one should have access to this method.
  13.          */
  14.         public void Ping() { }
  15.  
  16.         /**
  17.          * Access should be granted to all IP adresses.
  18.          */
  19.         public void AllIpPing() { }
  20.  
  21.         /**
  22.          * Access should be granted only to Admin roles.
  23.          */
  24.         public void AdminPing() { }
  25.  
  26.         /**
  27.          * Access should be granted only to User roles.
  28.          */
  29.         public void UserPing() { }
  30.  
  31.         /**
  32.          * Access should be granted to users having both
  33.          * Admin and User role.
  34.          */
  35.         public void AdminAndUserPing() { }
  36.  
  37.         /**
  38.          * Access should be granted to users having
  39.          * Admin or User role.
  40.          */
  41.         public void AdminOrUserPing() { }
  42.     }
  43. }

Default WebORB Authentication/Authorization

First we'll check the default Authentication/Authorization from WebORB. In the weborb.config check the section on Security:

PLAIN TEXT
XML:
  1. <security>
  2.       <deploymentMode>closed</deploymentMode>
  3.       <authenticationHandler>Weborb.Security.WebORBAuthenticationHandler</authenticationHandler>
  4.       <!--authenticationHandler>Johlero.Security.Handler.AuthenticationHandler</authenticationHandler-->
  5.       <authorizationHandler>Weborb.Security.WebORBAuthorizationHandler</authorizationHandler>
  6.       <!--authorizationHandler>Johlero.Security.Handler.AuthorizationHandler</authorizationHandlers-->
  7.       <rolesProvider>Weborb.Security.WebORBRolesProvider</rolesProvider>
  8.       <!--rolesProvider>Johlero.Security.Provider.RolesProvider</rolesProvider-->
  9. </security>

Ok, closed system is set. Now we need to define the users. This is done at the end of the Security section in the weborb.config and should be set like this:

PLAIN TEXT
XML:
  1. <acl>
  2.       <user>
  3.         <name>admin</name>
  4.         <password>adminpass</password>
  5.         <role>admin</role>
  6.       </user>
  7.       <user>
  8.         <name>user</name>
  9.         <password>userpass</password>
  10.         <role>user</role>
  11.       </user>
  12.       <user>
  13.         <name>adminuser</name>
  14.         <password>adminuserpass</password>
  15.         <role>user</role>
  16.         <role>admin</role>
  17.       </user>
  18. </acl>

We have defined three users each with their password and the roles they are given. The adminuser is given two roles, user and admin. This will become clear later on in the Flex Part.

Now we need to set the constraints. At this point, no function in the TestService Class is accessible because of the Closed system.

First we'll create some access constraints. You'll see that some constraints are allready defined. We'll use also one of those predefined constraints:

PLAIN TEXT
XML:
  1. <access-constraint action="grant">
  2.           <name>Constraint.Grant.UserRole</name>
  3.           <role>user</role>
  4.         </access-constraint>
  5.         <access-constraint action="grant">
  6.           <name>Constraint.Grant.AdminRole</name>
  7.           <role>admin</role>
  8.         </access-constraint>
  9.         <access-constraint action="grant">
  10.           <name>Constraint.Grant.AdminAndUserRole</name>
  11.           <role>admin</role>
  12.           <role>user</role>
  13. </access-constraint>

First constraint grants access to the User role. The name is just a name that will be used further on in the secure-resource tags.
Second constraint grants access to the Admin role.
Third constraint grants access to users having both Admin AND User role. Be aware, this access-contraint does not say: give access to users having the Admin OR User role.
Besides giving access to a certain role it's also possible to give access to IP adresses, IP ranges and hostnames. (See comments in weborb.config).

We will also use a IP access contraint:

PLAIN TEXT
XML:
  1. <access-constraint action="grant">
  2.           <name>everyone</name>
  3.           <IP>*.*.*.*</IP>
  4. </access-constraint>

Ok, so these access-constraints are like predefined security configurations that can now be used to secure resources. In the secure-resources tag in weborb.config add these lines:

PLAIN TEXT
XML:
  1. <secure-resource>
  2.           <resource>Authentication.TestService.UserPing</resource>
  3.           <constraint-name>Constraint.Grant.User</constraint-name>
  4.         </secure-resource>
  5.         <secure-resource>
  6.           <resource>Authentication.TestService.AdminPing</resource>
  7.           <constraint-name>Constraint.Grant.Admin</constraint-name>
  8.         </secure-resource>
  9.         <secure-resource>
  10.           <resource>Authentication.TestService.AdminAndUserPing</resource>
  11.           <constraint-name>Constraint.Grant.AdminAndUser</constraint-name>
  12.         </secure-resource>
  13.         <secure-resource>
  14.           <resource>Authentication.TestService.AdminOrUserPing</resource>
  15.           <constraint-name>Constraint.Grant.Admin</constraint-name>
  16.         </secure-resource>
  17.         <secure-resource>
  18.           <resource>Authentication.TestService.AdminOrUserPing</resource>
  19.           <constraint-name>Constraint.Grant.User</constraint-name>
  20.         </secure-resource>
  21.         <secure-resource>
  22.           <resource>Authentication.TestService.Ping</resource>
  23.           <constraint-name>everyone</constraint-name>
  24. </secure-resource>

First secure-resource secures the Authentication.TestService.UserPing function with the Constraint.Grant.User constraint. This means that access to the UserPing function is granted to users that have the user role. So when along the Flex side user credentials are set (see ACL), access will be granted. Because of the closed system, ONLY user roles will have access.

Second secure-resource is analog to previous secure-resource, but now for Admin.

Third secure-resource secures the AdminAndUserPing with the AdminAndUser constraint. Here only access will be given to users having both user and admin role!

To give access to a Function for user having user OR admin role, you need to define two secure resources (fourth and fifth secure-resource).

The last secure-resource secures the Ping function with the everyone constraint. So everyone will have access to this resource.

In next post will show you how you can configure certain things with the Weborb Console (weborbconsole.html).