Tuesday, 13 July 2010

How to session authenticate a Flash application with a Domino server...

Over the last 12 months of FlexGateQ! and SoapGateQ! development it became clear that the session authentication used so far is not satisfactory from a security point of view, because it relied on a simple URL login that passed the username and password in clear text as query parameters.

The URL had basically following format:

http://www.flexdomino.net/names.nsf?login&username=myusername&password=mypassword&redirectto=...

The problem with this method is that the full request line, credentials included, is written in clear text to the Domino access log (and to the browser history and any proxy logs along the way), so an administrator, or anyone who gets hold of the logs, could easily collect the credentials of every user who authenticated a Flash session with Domino.
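To make that exposure concrete, here is an added example (not part of the original post, and not FlexGateQ!, SoapGateQ! or Domino code) that scans access-log lines in the Common Log Format a Domino text access log can use, flags every request whose query string carries credential parameters, and redacts them. The log lines are constructed for the example; the parameter names `username` and `password` are the ones the Domino `?login` URL in the post uses, the other aliases are assumptions. Note that the POST login on line 3 leaves only the path in the log, because request bodies are not logged.

```python
"""Find credentials leaked through the query string of web-server access logs.

Added example: scans constructed Common Log Format lines of the kind a Domino
text access log produces, flags GET logins that carry username/password as
query parameters, and redacts them. A POST login logs only the path.
"""
import re
from urllib.parse import unquote_plus

# Query-parameter names whose values must never appear in a URL. Domino's
# ?login handler reads "username" and "password"; the rest are assumed aliases.
CREDENTIAL_PARAMS = ("username", "password", "passwd", "pwd", "user", "pass")

# A credential parameter is one of the names above sitting right after the
# "?" or "&" that starts a query pair (or at the start of the string), then
# "=" and a value running up to the next "&", "#", whitespace or quote.
_CRED_RE = re.compile(
    r"(?i)(?<![^?&])(" + "|".join(map(re.escape, CREDENTIAL_PARAMS)) + r')=([^&#\s"]*)'
)

# Common Log Format: host ident user [time] "method target protocol" status size
_CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line):
    """Split one access-log line into its fields, or return None if it is not CLF."""
    m = _CLF_RE.match(line)
    return m.groupdict() if m else None


def leaked_credentials(target):
    """Map credential parameter names (lower-cased) to their decoded values in a request target."""
    return {name.lower(): unquote_plus(value) for name, value in _CRED_RE.findall(target)}


def redact(text):
    """Replace the value of every credential parameter in text with REDACTED."""
    return _CRED_RE.sub(lambda m: m.group(1) + "=REDACTED", text)


def scan_log(lines):
    """Return one finding per log line whose request target carries credentials."""
    findings = []
    for number, line in enumerate(lines, start=1):
        record = parse_clf(line)
        if record is None:
            continue
        leaked = leaked_credentials(record["target"])
        if leaked:
            findings.append({
                "line": number,
                "host": record["host"],
                "method": record["method"],
                "leaked": leaked,
            })
    return findings


def redact_log(lines):
    """Return the log with credential values replaced and everything else intact."""
    return [redact(line) for line in lines]


# Constructed sample log (not a real server's output). Line 1 is the URL login
# from the post; line 3 is the POST login, whose body Domino does not log.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jul/2010:10:01:12 +0200] "GET /names.nsf?login&username=jdoe&password=S3cret%21&redirectto=/names.nsf/$about HTTP/1.1" 302 0
203.0.113.7 - jdoe [13/Jul/2010:10:01:13 +0200] "GET /names.nsf/$about HTTP/1.1" 200 4311
198.51.100.22 - - [13/Jul/2010:10:02:40 +0200] "POST /names.nsf?login HTTP/1.1" 302 0
198.51.100.22 - asmith [13/Jul/2010:10:02:41 +0200] "GET /names.nsf/$about HTTP/1.1" 200 4311
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in scan_log(lines):
        print(f"line {f['line']}: {f['method']} from {f['host']} leaked {sorted(f['leaked'])}")
    print("\n".join(redact_log(lines)))
```

Run it against a real log to see how many of your users' passwords are already sitting in it; the redaction pass is what you would apply before handing logs to anyone outside the administration team, but it does not undo the exposure, which is why the POST login below matters.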

We finally found a much more secure method: an HTTP POST request that carries the credentials URL-encoded in the request body, which is exactly what the standard Notes login form does when its submit button is clicked, just in an automated fashion. Note that URL-encoding is not encryption: the POST body keeps the credentials out of the URL and therefore out of the logs, but only TLS (an https:// server URL) protects them on the wire.

Here is the ActionScript code that does the trick:

import flash.events.ErrorEvent;
import flash.events.Event;
import flash.events.IOErrorEvent;
import flash.events.SecurityErrorEvent;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestMethod;
import flash.net.URLVariables;

// keep a reference to the loader outside the function so it cannot be
// garbage collected while the request is still in flight
var loginURLLoader:URLLoader;

function DominoLogin(
     rURL:String,          // root URL e.g. http://www.flexdomino.net (use https:// in production)
     username:String,
     password:String
):void {

var loginURLRequester:URLRequest;
var loginVars:URLVariables;

// creating URL variables is similar to dynamically creating
// fields in a form that is about to be submitted
loginVars = new URLVariables();
loginVars.redirectto = rURL + "/names.nsf/$about";
loginVars.username   = username;
loginVars.password   = password;

// the login attempt is made against the public names and address book
// or names.nsf (simply because this database always exists)
loginURLRequester = new URLRequest(rURL + "/names.nsf?login");

// the URL request must be of type POST and the content type a urlencoded form;
// the credentials travel in the request body, not in the URL, so they do not
// end up in the Domino access log
loginURLRequester.contentType = "application/x-www-form-urlencoded";
loginURLRequester.method = URLRequestMethod.POST;

// assign the variables (sort of "create the fields on the form")
loginURLRequester.data = loginVars;

// create the URL loader and add complete and error listeners;
// URLLoader reports failures as IOErrorEvent and SecurityErrorEvent
// (FaultEvent belongs to the Flex RPC classes and is never dispatched here)
loginURLLoader = new URLLoader();

loginURLLoader.addEventListener(Event.COMPLETE, login_ok, false, 0, true);
loginURLLoader.addEventListener(IOErrorEvent.IO_ERROR, login_fault, false, 0, true);
loginURLLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, login_fault, false, 0, true);

// and finally we actually send the request
loginURLLoader.load(loginURLRequester);
}

// at this point communication is complete
// however, the credentials might not have been
// correct, in which case Domino does not redirect
// but answers with the login form (still a
// successful HTTP exchange, so COMPLETE fires).
// we still need to cater for this by checking
// that the returned data is actually the page
// set for the redirection (the $about doc of
// names.nsf); the redirect itself is followed
// transparently, so data holds the final page

function login_ok(event:Event):void
{
var tstr:String = String(URLLoader(event.target).data);

if (tstr.indexOf(".nsf/$about") == -1)
{
// redirect was not successful. could be a not handled login error
// (wrong credentials, locked account, ...)
// run your error handling

return;
}

// login OK: the browser now holds the Domino session cookie and sends it
// with every further request the Flash application makes.
// do whatever should follow a successful login
}


// if this listener function is called a communication
// error occurred: network failure or HTTP error (IO_ERROR)
// or a cross-domain policy denial (SECURITY_ERROR)
function login_fault(event:ErrorEvent):void
{
// run your error handling; event.type tells the two apart
// and event.text carries the player's description
}

Keep in mind that your Domino server very likely has a session timeout configured, so once the session is authenticated you will eventually need a keep-alive routine that periodically accesses the server, and that re-runs the login when a request comes back as the login form instead of the page that was asked for.
