Bypass tomcat basic authentication using adobe flex

I have configured apache tomcat web.xml for basic authentication for a specific address by pasting the code below in web.xml:

<security-constraint>
    <web-resource-collection>
      <web-resource-name> 
        Protected Site 
      </web-resource-name>
      <!-- This would protect the entire site -->
      <url-pattern> /Documents/* </url-pattern>
      <!-- If you list http methods, 
            only those methods are protected -->
      <http-method> DELETE </http-method>
      <http-method> GET </http-method>
      <http-method> POST </http-method>
      <http-method> PUT </http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Roles that have access -->
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC authentication -->
  <login-config>
    <auth-method> BASIC </auth-method>
    <realm-name>Authentication </realm-name>
  </login-config>

  <!-- Define security roles -->
  <security-role>
    <description> Test role </description>
    <role-name>role1</role-name>
  </security-role>

I got the browser basic authentication dialog for getting the username and password, and after a correct username and password I get authenticated and am able to see the document, otherwise not.

Now everything works fine but "I want to bypass this authentication using Adobe flex programming, i.e. by giving username and password in flex code, I want that this dialog should not appear and the user gets authenticated by code."
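The constraint in the question lists four HTTP methods, and as its own comment says, only listed methods are protected; BASIC also sends base64(username:password) on every request. The following is an added example, not part of the original post, showing the same constraint with the method list removed and TLS required. It assumes Tomcat has an HTTPS connector configured for the redirect.

```xml
<!-- Added example: hardened variant of the security-constraint from the question. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Site</web-resource-name>
    <url-pattern>/Documents/*</url-pattern>
    <!-- No <http-method> elements here: with none listed, the constraint
         applies to every HTTP method, not only DELETE/GET/POST/PUT. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Roles that have access -->
    <role-name>role1</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials are only base64-encoded, so require HTTPS.
         Tomcat redirects plain-HTTP requests to the connector's redirectPort
         (assumes an HTTPS connector exists). -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- BASIC authentication, unchanged from the question -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Authentication</realm-name>
</login-config>

<!-- Define security roles, unchanged from the question -->
<security-role>
  <description>Test role</description>
  <role-name>role1</role-name>
</security-role>
```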

You should add the authentication header to your service:HTTPService object.

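import mx.rpc.http.HTTPService;
import mx.utils.Base64Encoder;

private function addAuthenticationHeader(service:HTTPService):void
{
        // Basic credentials are base64("username:password")
        var encoder:Base64Encoder = new Base64Encoder();
        encoder.insertNewLines = false; // keep the encoded value on a single line
        encoder.encode("django:reinhardt");
        // Attach the Authorization header to the request, then send it
        service.headers = {Authorization:"Basic " + encoder.toString()};
        service.send();
}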

Edit: What do you want to achieve?

  1. You want to get the result of the protected url in Flex
  2. You want to somehow authenticate the user and then navigate (change the browser url) to the secured page?

In my opinion 1 is not possible because Basic-Authentication (BA) does not rely on cookies or session id. If the browser does not re-ask you for the password on every protected page, this is just because it stores the BA header in an internal session that is not shared across all the page components, especially with flash (for evident security reasons...).

If it is the second option then you should use a URL that contains everything, such as https://django:reinhardt@localhost/myApp/Documents/mySecret.mp3, and that will be mapped by the browser.

HIH

You can't do it in your Flex web application.

Only an AIR application or mobile app could do it, because the following headers are not allowed for the former in URLRequestHeader:

  • Accept-Charset, Accept-Encoding, Accept-Ranges, Age, Allow, Allowed, Authorization, Charge-To, Connect, Connection, Content-Length, Content-Location, Content-Range, Cookie, Date, Delete, ETag, Expect, Get, Head, Host, If-Modified-Since, Keep-Alive, Last-Modified, Location, Max-Forwards, Options, Origin, Post, Proxy-Authenticate, Proxy-Authorization, Proxy-Connection, Public, Put, Range, Referer, Request-Range, Retry-After, Server, TE, Trace, Trailer, Transfer-Encoding, Upgrade, URI, User-Agent, Vary, Via, Warning, WWW-Authenticate, x-flash-version
