Enforcing security consists of authentication and authorization.
Authentication is the part of verifying the user's identity: the
application verifies that the user is the person he claims to be.
Authorization is determining whether or not a user has the permission to
perform an action in the application.
Authorization relies on finding security information associated with the identity
of the user. Based on that security information, the application can then grant
or deny permissions.
For custom authentication, Fluorine uses a login command to check a user's
credentials and log a principal into the application server. A login command
must implement the ILoginCommand interface.
You can also use the
com.TheSilentGroup.Fluorine.Messaging.Security.GenericLoginCommand base class.
When the backend authenticates a user, the developer's task is to create an IPrincipal
object. This object will be stored in the ASP.NET Cache (sliding expiration
enabled), and for subsequent remoting calls this Principal will be used
automatically by Fluorine.
If the Cache entry expires between remoting calls, Fluorine will query internally for
the Principal object. To accomplish this, cookies must be enabled on the client
side, as Fluorine encrypts the credentials and stores them in a cookie.
Note: if support for clients with cookies disabled is required, then the
client must not clear the credentials (setCredentials(null, null)), so that
the credentials are still sent with each call and the Principal can be re-created.
The service class implementing the authentication mechanism must implement the com.TheSilentGroup.Fluorine.ILoginService
interface.
For details on .NET Framework role-based security support please read Principal and Identity Objects in the MSDN library.
In the Flash code you use the setCredentials method, which sets the credentials on the connection object:
call AbstractService.setCredentials (AbstractService is the base class of the RemoteObject class).
When Fluorine receives a setCredentials header from Flash, it calls
ILoginCommand.DoAuthentication, which must authenticate the user and
obtain the user's role membership details.
Fluorine then wires up the resulting object into the HttpContext.User and Thread.CurrentPrincipal
properties.
To log out the current user, call FormsAuthentication.SignOut() in a service class method.
On the client, call AbstractService.logout (AbstractService is the base class of the RemoteObject class).
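An added example of a custom login command covering the DoAuthentication and logout steps described above; it is not code from the Fluorine project. It assumes the ILoginCommand member signatures shown (DoAuthentication returning an IPrincipal, DoAuthorization receiving the roles a destination requires, Logout), that the password arrives in the credentials dictionary under the key "password", and a constructed in-memory user store in place of a real database. Credentials are checked against a salted, iterated hash with a fixed-time comparison, and the resulting GenericPrincipal carries the user's roles so that Fluorine can place it in HttpContext.User and Thread.CurrentPrincipal.

```csharp
using System.Collections;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using com.TheSilentGroup.Fluorine.Messaging.Security; // assumed namespace of ILoginCommand
// Added example, not Fluorine's own code; the ILoginCommand member signatures are assumed.
public class SampleLoginCommand : ILoginCommand
{
    // Constructed sample store: username -> { salt, PBKDF2 hash, roles }; a real command would use a database.
    private static readonly Hashtable Users = new Hashtable();
    static SampleLoginCommand()
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        Users["alice"] = new object[] { salt, Hash("s3cret", salt), new string[] { "employees", "managers" } };
    }
    // Salted, iterated hash so a leaked store does not expose plaintext passwords.
    private static byte[] Hash(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, 10000).GetBytes(32);
    }
    // Compare every byte so timing does not reveal where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public void Start(HttpApplication application) { }
    public void Stop() { }
    // Runs when Fluorine receives the setCredentials header; "password" as the dictionary key is assumed.
    public IPrincipal DoAuthentication(string username, IDictionary credentials)
    {
        object[] record = Users[username] as object[];
        string password = credentials == null ? null : credentials["password"] as string;
        if (record == null || password == null) return null; // null = not authenticated
        if (!FixedTimeEquals((byte[])record[1], Hash(password, (byte[])record[0]))) return null;
        return new GenericPrincipal(new GenericIdentity(username), (string[])record[2]);
    }
    // Allow the call only when the principal holds one of the roles the destination requires.
    public bool DoAuthorization(IPrincipal principal, IList roles)
    {
        if (principal == null) return false;
        foreach (string role in roles) if (principal.IsInRole(role)) return true;
        return false;
    }
    // Invoked on logout; the cached Principal and cookie are discarded by Fluorine.
    public bool Logout(IPrincipal principal) { return true; }
}
```

Returning null from DoAuthentication is what signals a failed login here; the unknown-user and wrong-password paths take the same amount of work so the response time does not distinguish them.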