Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Authentication works but not Authorization with Custom Tomcat Login


Level 3


I am following the steps mentioned in LCDS guide on setting up Tomcat (6.0.33) login. The configuration file details are mentioned below... Based on that, my observation is that the user "tomcat" and "rupak" can login successfully. However the remotingService called AdminControlService has security constraint of trustedAdmin and the user rupak or tomcat dont have the roles of twsadmin but the login is successful on amfChannel for these users while I expect it to fail because of the security constraint of trustedAdmin associated with it.. The security constraint trustedAdmin only defines roles for twsadmin so ideally any user that does not have this role should fail login. What am I missing?




  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="twsadmin"/>
  <role rolename="twsuser"/>

  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="rupak" password="pwd123" roles="twsuser"/>



       <login-command class="" server="Tomcat"/>       
        <security-constraint id="trustedAdmin">

        <security-constraint id="trustedUser">

        <service id="AdvancedMessagingSupport" class="">
            <default-security-constraint ref="trustedUser"/>

        <service-include file-path="remoting-config.xml" />
        <service-include file-path="proxy-config.xml" />
        <service-include file-path="messaging-config.xml" />
        <service-include file-path="data-management-config.xml" />
        <service class="" id="model-deploy-service">
            <!--default-security-constraint ref="trustedUser"/-->
           <channel ref="my-rtmp"/>






<service id="remoting-service"

        <adapter-definition id="java-object" class="" default="true"/>

        <channel ref="my-amf"/>

    <destination id="AdminControlService">
            <security-constraint ref="trustedAdmin"/>


mxml & ActionScript



  <s:RemoteObject id="adminService"










AMFURL = http://<ip>:<HTTPport>/MyServer/messagebroker/amf

rtmpChannel.addChannel(new RTMPChannel"CustomRTMP", RTMPURL));

amfChannel.addChannel(new  AMFChannel("myCustomAMF",AMFURL))

adminService.channelSet = amfChannel;



private function login(username:String, password:String):void
    //login to RTMP channel
    if(rtmpChannel.authenticated == false){
     token = rtmpChannel.login(username, password);    
     token.addResponder(new AsyncResponder(RTMPLoginResultEvent, RTMPLoginFaultEvent));

  if (amfChannel.authenticated == false)


    tokenAMF = amfChannel.login(username, password);

    tokenAMF.addResponder(new AsyncResponder(AMFLoginResultEvent, AMFLoginFaultEvent));



3 Replies



Hi Rupak,

Logging using a channelset (in your case, "rtmpChannel" / "amfChannel"), the user is simply authenticated using the registered Login Command. The actual user authorization check is not done until the actual call to the destination is made. Even though you have assigned the channelset to the remote object, the ChannelSet.login does not use the associated remoting destination. Only when you actually invoke the actual remoting destination, will the actual user authorization be done.

Quoting from documentation at

When a FlexClient tries to log in, LoginCommand.doAuthentication() is called and returns a Principal that is set on the FlexSession object for subsequent requests. Next, as a Flex client tries to call the destination, LoginCommand.doAuthorization is called for each request.

Hope that helps.



Level 3

When I invoke the remoting destination, I get the following message... Note my client is AIR application..

[RPC Fault faultString="Detected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly." faultCode="Server.Processing.DuplicateSessionDetected" faultDetail="null"]

After a few restarts of the server, I start getting the correct response upon invoking the remoting destination i.e.,

[RPC Fault faultString="Access denied. User not authorized." faultCode="Client.Authorization" faultDetail="null"]

dont know why it is behaving correct now..



Hi Rupak.    

Firstly, from your response above, it seems like the original problem (of not carrying out authorization during login) described in the post has been answered/addressed.

As regards the new problem of getting duplicate session issue, there could be multiple reasons why could this happen. Most of them are:

1. Cookies have been disabled in the browser.

2. Your app ends up making multiple requests to the Data Services server, before actually the session for the first request got created.

3. You are using a load balancer to process requests on the server side. In that case, you need to ensure that request gets always processed by the same node.

I would recommend, you go over my colleague Alex's blog at:

Hope that helps!