Flex Security: SessionFacades, AOP, and CFLogin
Posted by Joe Rinehart at 9:24 AM
Categories: Flex and ColdFusion
A while ago, Ray blogged a series on securing Flex using remote credentials and CFLogin.
I don't think I've ever used CFLogin in a production application, but I'm about to: combined with a session facade and ColdSpring, it turns into a really slick (if somewhat involved) way to secure Flex applications. Chris Scott got me thinking about this at the Frameworks Conference last week; I've just implemented it in an app I'm working on, and I can already see it saving me a lot of time down the road. Putting it together:
CFLogin
It's nobody's favorite. I'm not using <cfloginuser> or the roles bits: just the "cflogin" scope, which ColdFusion populates (inside a <cflogin> block) with the username and password that Flex sends once remote credentials have been set on a RemoteObject instance. We'll see where it fits in a moment...
SessionFacade
Requests made to CFCs from Flex maintain a server-side session. Session means something different in a Flex app, though: instead of saving data between page requests, it holds data, for a given amount of time, between calls to your application's services.
Why bother, when remote credentials can be passed with every request from Flex? Because this app's login process isn't the speediest, and I don't want to run it on every request to the server: I need to cache logged-in users, and session is a good place to do that.
My session facade, at the moment, just provides one method:
When a user logs in, the authentication service does something like this:
Back on the Flex end of things, when a login attempt is successful, the user's username and password are set as the remote credentials (setRemoteCredentials()) on all of my service objects:
Now, back on the server side, inside of the session facade, I can add code to reestablish the "session" if it's timed out:
<!--- Log the user back in --->
</cfif>
Bingo. Combining RemoteCredentials with a SessionFacade both caches the current user (no re-authentication on each request) and transparently re-establishes the current user if they've left the application sitting open for hours and their session has timed out. Two things to keep in mind: the username and password now live in the Flex client for the life of the application and travel with every request, so this only makes sense over HTTPS; and because the user object is cached, a change to a user's rights (or a disabled account) doesn't take effect until the session expires or the cached user is cleared.
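Here is what that facade can look like end to end, as an added example rather than the post's own listing (only the fragment above survives on this page). The authenticationService it is given, its authenticate(username, password) method and the "" it returns on failure are assumptions for the example; the session scope, the <cflogin> block and the cflogin.name / cflogin.password it exposes are ColdFusion's.

```cfml
<!--- SessionFacade.cfc: added example, not the original post's code.
      Holds the authenticated user in the session scope and, when the session has
      expired, rebuilds it from the remote credentials Flex sends with every call.
      Assumed: authenticationService.authenticate(username, password) returns a
      user object on success and "" on failure. --->
<cfcomponent output="false">

  <cffunction name="init" access="public" returntype="any" output="false">
    <cfargument name="authenticationService" type="any" required="true" />
    <cfset variables.authenticationService = arguments.authenticationService />
    <cfreturn this />
  </cffunction>

  <cffunction name="setCurrentUser" access="public" returntype="void" output="false"
              hint="Called by the authentication service after a successful login">
    <cfargument name="user" type="any" required="true" />
    <cfset session.currentUser = arguments.user />
  </cffunction>

  <cffunction name="hasCurrentUser" access="public" returntype="boolean" output="false">
    <cfreturn structKeyExists(session, "currentUser") />
  </cffunction>

  <cffunction name="getCurrentUser" access="public" returntype="any" output="false"
              hint="Returns the cached user, re-authenticating from cflogin if the session timed out; returns '' for an anonymous request">
    <cfset var user = "" />

    <cfif not hasCurrentUser()>
      <!--- The cflogin scope only exists inside a <cflogin> block, and only when the
            client sent credentials (Flex does, once setRemoteCredentials() was called). --->
      <cflogin>
        <cfif isDefined("cflogin") and len(cflogin.name)>
          <!--- Log the user back in. This hits the slow login path, but only once
                per expired session rather than once per request. --->
          <cfset user = variables.authenticationService.authenticate(cflogin.name, cflogin.password) />
          <cfif isObject(user)>
            <cfset setCurrentUser(user) />
          </cfif>
        </cfif>
      </cflogin>
    </cfif>

    <cfif hasCurrentUser()>
      <cfreturn session.currentUser />
    </cfif>
    <!--- Anonymous (or failed re-login): let the caller, typically AOP advice, decide. --->
    <cfreturn "" />
  </cffunction>

  <cffunction name="logout" access="public" returntype="void" output="false"
              hint="Drops the cached user. The Flex client must also clear its remote credentials, or the very next call will silently log it back in.">
    <cfset structDelete(session, "currentUser") />
  </cffunction>

</cfcomponent>
```

One consequence of this design worth watching: a client whose cached credentials have gone stale (password changed, account disabled) has no session to fall back on, so it hits the slow authenticate() path on every call until it logs in again or clears its credentials.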
AOP
I've got a handy object on the server side (SessionFacade) that always returns the current user, re-authenticating if necessary.
I also have a collection of services that need to be secured at various points, and I'd like to apply security code, checking things like whether the user is authenticated or is a "system administrator", wherever I choose.
AOP lets me do that. In short, I write "advice" CFCs with names like UserMustBeAuthenticatedBefore or UserMustBeSysAdminBefore. Then, in the ColdSpring XML, I instruct the application to run a given piece of advice before particular methods. For instance, I can have UserMustBeSysAdminBefore run before the DoSomethingReallyDestructive() method on a given service, without touching the service itself.
For a full tutorial on ColdSpring AOP, see Chris Scott's ColdSpring AOP Tutorial.
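A before-advice CFC of the kind just described, as an added example (not code from the post or from the ColdSpring project). The before(method, args, target) signature, the BeforeAdvice base class and the advisor/proxy class names in the wiring are ColdSpring 1.x's AOP API as I recall it from Chris Scott's tutorial, so check them against it; sessionFacade.getCurrentUser(), user.isSysAdmin(), the model.* class paths and the AdminService bean are assumptions for the example.

```cfml
<!--- UserMustBeSysAdminBefore.cfc: added example, not the post's own code.
      ColdSpring "before" advice: the generated proxy calls before() ahead of every
      advised method, so throwing here stops the call before the service runs. --->
<cfcomponent extends="coldspring.aop.BeforeAdvice" output="false">

  <cffunction name="init" access="public" returntype="any" output="false">
    <cfargument name="sessionFacade" type="any" required="true" />
    <cfset variables.sessionFacade = arguments.sessionFacade />
    <cfreturn this />
  </cffunction>

  <cffunction name="before" access="public" returntype="void" output="false">
    <cfargument name="method" type="any" required="true" />
    <cfargument name="args" type="any" required="true" />
    <cfargument name="target" type="any" required="true" />
    <!--- getCurrentUser() re-authenticates from cflogin if the session expired,
          so a timed-out but legitimate user passes without ever seeing an error. --->
    <cfset var user = variables.sessionFacade.getCurrentUser() />

    <cfif not isObject(user)>
      <cfthrow type="security.NotAuthenticated" message="You must be logged in to do that." />
    </cfif>
    <!--- Assumed: the user object exposes isSysAdmin(). --->
    <cfif not user.isSysAdmin()>
      <cfthrow type="security.NotAuthorized" message="Administrator access required." />
    </cfif>
  </cffunction>

</cfcomponent>

<!--- Matching ColdSpring wiring (coldspring.xml). Nothing in AdminService changes;
      callers (including the Flex remoting gateway) are handed the proxy bean
      "adminService" instead of the raw CFC.

<beans>
  <bean id="sessionFacade" class="model.SessionFacade">
    <constructor-arg name="authenticationService"><ref bean="authenticationService" /></constructor-arg>
  </bean>

  <bean id="sysAdminAdvice" class="model.security.UserMustBeSysAdminBefore">
    <constructor-arg name="sessionFacade"><ref bean="sessionFacade" /></constructor-arg>
  </bean>

  <bean id="sysAdminAdvisor" class="coldspring.aop.support.NamedMethodPointcutAdvisor">
    <property name="advice"><ref bean="sysAdminAdvice" /></property>
    <property name="mappedNames"><value>doSomethingReallyDestructive</value></property>
  </bean>

  <bean id="adminServiceTarget" class="model.AdminService" />

  <bean id="adminService" class="coldspring.aop.framework.ProxyFactoryBean">
    <property name="target"><ref bean="adminServiceTarget" /></property>
    <property name="interceptorNames"><list><value>sysAdminAdvisor</value></list></property>
  </bean>
</beans>
--->
```

The exceptions come back to Flex as fault events, so the client can distinguish "log in" from "you can't do that" by type. A UserMustBeAuthenticatedBefore advice is the same CFC minus the isSysAdmin() check, and a comma-separated mappedNames value (or a wildcard, if the pointcut supports it) covers several methods on one service.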
Conclusion
I found a use for CFLogin :). Its "cflogin" scope hands me the remote credentials on the server side; combined with a SessionFacade, that allows transparent caching of user objects in session. Then I can write AOP advice (which uses the facade to get the current user) that checks credentials without modifying my service tier.
Big thanks go to Chris, Dave, Sean, and Kurt for all their work on ColdSpring!
Kurt Wiersma wrote on 02/08/07 11:41 AM
Funny, I was just going through a bunch of posts and setting up an AOP remote security advice proof of concept. The main confusing part for me was actually how to leverage cflogin since it is documented so poorly, at least when using it with Flex.