sso protection


sso protection

by m e-4

Is there any good way to protect resources with a single sign-on scheme?

I'm thinking of using josso and passing the session id into the swf but
josso is for http and this isn't a natural method since red5 can't
obtain the user principal object.

Any suggestions?

Hugh
_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

Re: sso protection

by Walter Tak

Create a session-id for the user with some scripting. (1)
Put the session-id in a database
Pass the session-id to your SWF
Pass the session-id from the SWF to Red5
Have Red5 check the session-id against the database (either directly using a mysql-connector or via an AMF call to an AMF gateway, e.g. AMFPHP/SabreAMF or something else) and validate it against the database
 
Et voilà; you now know on your Red5 server that the user validated successfully at mark (1).
 
Edit: After reading about Josso it seems that Josso does most of the steps described in this mail :)
I'm not sure though if Josso integrates with Red5.
 
If you don't mind calling mysql (or any other db) directly from Red5 then you'd only need to write a simple jsp page, have it served by Tomcat or Jetty and have Red5 check the db for the session. This is probably the easiest to set up for java-developers and the fastest / most efficient as well.
 
I myself don't like a streaming server like Red5 to poke in my database so I'd let Red5 call a (middle-tier) script and the script is allowed to poke in the db and insert/update/whatever records. This also allows scaling of the infrastructure; with 1 central scripting webserver (e.g. jsp/php/python/dot.net) you can serve multiple Red5 streaming servers etc.
 
Regards,
Walter
 
 
----- Original Message -----
Sent: Thursday, 24 July 2008 02:06
Subject: [Red5] sso protection

Is there any good way to protect resources with a single sign-on scheme?

I'm thinking of using josso and passing the session id into the swf but
josso is for http and this isn't a natural method since red5 can't
obtain the user principal object.

Any suggestions?

Hugh
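
The flow Walter describes, with a middle-tier script owning the database, sketched in Python as an added example that is not part of the original thread. The function and table names, the SQLite stand-in for the database, the 120-second lifetime and the single-use rule are assumptions of this example; only a hash of the session-id is stored, so reading the table does not yield usable ids.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 120  # assumed lifetime: enough to load the SWF and connect


def open_store(path=":memory:"):
    """Open the session table (SQLite stands in for the real database)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS media_session ("
        "token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, "
        "expires_at REAL NOT NULL, used INTEGER NOT NULL DEFAULT 0)")
    return db


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_session(db, username, now=None):
    """Web tier, after login: create the session-id and store it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    with db:
        db.execute(
            "INSERT INTO media_session (token_hash, username, expires_at) "
            "VALUES (?, ?, ?)", (_digest(token), username, now + TTL_SECONDS))
    return token  # this value is what gets passed to the SWF


def validate_session(db, token, now=None):
    """Middle tier, called for Red5 on connect: username or None."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or not token:
        return None
    with db:
        # Mark the id as used in the same statement that checks it, so a
        # session-id copied out of the client cannot be replayed.
        cur = db.execute(
            "UPDATE media_session SET used = 1 "
            "WHERE token_hash = ? AND used = 0 AND expires_at > ?",
            (_digest(token), now))
        if cur.rowcount != 1:
            return None
        row = db.execute(
            "SELECT username FROM media_session WHERE token_hash = ?",
            (_digest(token),)).fetchone()
    return row[0]
```

Red5 would reject the connection whenever `validate_session` returns `None`.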