Enforcing security consists of two parts: authentication and authorization.
Authentication verifies the user's identity: the application checks that the
user is who they claim to be. Authorization determines whether an authenticated
user has permission to perform a given action in the application. It relies on
security information (for example role membership) associated with the user's
identity; based on that information the application grants or denies the
request.
For custom authentication, Fluorine uses a login command to check a user's
credentials and log a principal into the application server. A login command
must implement the ILoginCommand interface or inherit from the
FluorineFx.Security.GenericLoginCommand base class.
When the backend authenticates a user, the developer's task is to create an
IPrincipal object. Fluorine stores this principal in the ASP.NET Cache with
sliding expiration enabled and applies it automatically to subsequent remoting
calls. If the cache entry expires between calls, Fluorine re-establishes the
principal internally from the credentials it encrypted and stored in a cookie,
so cookies must be enabled on the client side. Because that cookie is sufficient
to re-authenticate the user, it is as sensitive as the credentials themselves:
serve the gateway over HTTPS so the cookie cannot be captured on the wire and
replayed, and keep the cache expiration short.
For details on .NET Framework role-based security support please read Principal and Identity Objects in the MSDN library.
In the Flash code, call AbstractService.setCredentials (AbstractService is the
base class of RemoteObject) to set the credentials on the connection object;
they are then sent with the remoting calls.
When credentials are received, the gateway calls ILoginCommand.DoAuthentication,
which must authenticate the user and obtain their role membership details.
Fluorine assigns the resulting principal to HttpContext.User and
Thread.CurrentPrincipal, so service code can use the standard .NET role checks
(IPrincipal.IsInRole, PrincipalPermission) against it.
To log out the current user, call ILoginCommand.Logout from a service class
method; on the client, call AbstractService.logout (the base class of
RemoteObject).
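The following is an added example of a custom login command and a service method that relies on the wired-up principal; it is not code from the Fluorine documentation or project. It assumes ILoginCommand exposes Start, Stop, DoAuthentication(string, IDictionary), DoAuthorization(IPrincipal, IList) and Logout(IPrincipal), that the client's password arrives in the credentials dictionary under the key "password", and that returning null from DoAuthentication is reported to the client as a failed login; check these against the FluorineFx assembly you build against. The user store is constructed in memory for the example. The password handling (salted PBKDF2, constant-time comparison, running the KDF even for unknown users so timing does not reveal which usernames exist) is the part a practitioner should keep whatever the real store is.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using FluorineFx.Security;

public class SampleLoginCommand : ILoginCommand
{
    private class UserRecord { public byte[] Salt; public byte[] Hash; public string[] Roles; }

    // Constructed in-memory store: username -> salt, PBKDF2 hash, roles.
    // A real command would query a database or directory here.
    private static readonly Dictionary<string, UserRecord> Users = new Dictionary<string, UserRecord>();
    private static readonly byte[] DummySalt = new byte[16];   // used for unknown usernames
    private const int Iterations = 100000;

    static SampleLoginCommand()
    {
        AddUser("alice", "correct horse battery staple", new[] { "admin", "user" });
        AddUser("bob", "a different example password", new[] { "user" });
    }

    private static void AddUser(string name, string password, string[] roles)
    {
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Users[name] = new UserRecord { Salt = salt, Hash = Derive(password, salt), Roles = roles };
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    // Constant-time comparison: a plain array compare exits at the first
    // mismatching byte and leaks how much of the hash was right.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public void Start(HttpApplicationState applicationState) { }
    public void Stop() { }

    // Called by the gateway when a remoting call carries credentials.
    public IPrincipal DoAuthentication(string username, IDictionary credentials)
    {
        string password = credentials == null ? null : credentials["password"] as string; // assumed key
        if (username == null || password == null) return null;

        UserRecord user;
        bool known = Users.TryGetValue(username, out user);
        // Derive even for unknown users so the response time is the same either way.
        byte[] candidate = Derive(password, known ? user.Salt : DummySalt);
        if (!known || !FixedTimeEquals(candidate, user.Hash))
            return null;   // assumed: null principal = authentication failed

        // This is the object Fluorine caches and assigns to HttpContext.User
        // and Thread.CurrentPrincipal on subsequent remoting calls.
        return new GenericPrincipal(new GenericIdentity(username, "FluorineCustom"), user.Roles);
    }

    // True if the principal holds at least one of the required roles.
    public bool DoAuthorization(IPrincipal principal, IList roles)
    {
        if (principal == null || !principal.Identity.IsAuthenticated) return false;
        foreach (object role in roles)
            if (principal.IsInRole(role as string)) return true;
        return false;
    }

    public bool Logout(IPrincipal principal)
    {
        // Nothing to tear down for an in-memory store; report success so the
        // gateway discards the cached principal.
        return true;
    }
}

// A remoting service method that relies on the principal the gateway wired up.
public class AdminService
{
    public string ResetCaches()
    {
        IPrincipal user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("admin"))
            throw new UnauthorizedAccessException("admin role required");
        return "caches reset by " + user.Identity.Name;
    }
}
```

Register the command the way the Fluorine configuration documentation describes; on the Flash side the credentials set with AbstractService.setCredentials are what arrive in DoAuthentication. Note that the role check in ResetCaches is done on the server: role names sent by the client, or enforced only in the Flash UI, must never be trusted.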