In Adobe Connect there are several ways to accomplish tasks like how to log a user in from your application, make requests, handle responses, and log the user out. The appropriate method depends on your development environment, server configuration, and application design.
Any custom application you write that uses Adobe® Connect™ Web Services functionality or integrates with a third-party system needs to log in a user to Adobe Connect. In its simplest form, the process of logging in calls the login action.
However, the technique for logging in varies according to whether you use cookie management, have a licensed server or a hosted account, and authenticate directly to Adobe Connect or use external authentication. Depending on your environment and server configuration, you might also use combinations of these options.
Cookie management
When a user logs in, Adobe Connect returns a cookie that identifies the user’s session. You need to pass the cookie back to the server on all calls made to the server during the user’s session. Then, when the user logs out, the server makes the cookie expire and you should invalidate it.
In your development environment, you can use a code library that manages cookies for you. The process of logging in and managing a user’s session varies according to whether you use a cookie management library or manage the user’s session yourself.
Licensed server or hosted account
Your organization might have a licensed Adobe Connect server within your firewall, or you may have an Adobe Connect hosted account at Adobe. Either way, you send XML requests over HTTP or HTTPS, but security requirements and the login process vary. If you are a hosted customer, you can use certain parameters with the login action to avoid sending user IDs and passwords over the Internet.
Direct or external authentication
Whether you are a hosted or licensed customer, your application might authenticate directly to Adobe Connect, or you might authenticate users on your own network, set an identifier in an HTTP request header, and send it to Adobe Connect. The login process varies according to whether you use direct or external authentication.
The standard technique for logging a user in to Adobe Connect server uses the login action, passing the user’s login ID and password. This technique works with both HTTP GET and POST requests.
You also need to manage the BREEZESESSION cookie the server returns for each user session. If you use a client-side cookie management library, it is much easier to allow it to manage cookies for you than to manage the cookies yourself. If you do not have such a library, call login with the session parameter, as it is easier and more reliable than setting HTTP header values.
Note:
If you send user passwords to Adobe Connect server, use SSL so passwords are encrypted in transit, even if you have a licensed Adobe Connect server within your own firewall.
Note:
Log in with cookie management is the recommended method of logging in to Adobe Connect server. Log in using the session parameter method does not work when enhanced security is enabled.
-
Allow your cookie management library to manage the BREEZESESSION cookie.
Your client-side library passes the cookie back to the server in a request header on subsequent calls for the remainder of the user’s session. You do not need to set the cookie in the request header explicitly. When the user logs out, the cookie expires.
This method works when enhanced security is not enabled for an Adobe Connect account. If your account has enhanced security enabled, then use the above method to log in with cookie management.
By default, enhanced security is not enabled for the accounts on the hosted system. If you wish to enable it for your account, go to Administration > More Settings, and check Enable Enhanced Security.
If you want to log in directly to an Adobe Connect hosted account or multiple hosted accounts, you still use the login action, but you need to specify an account ID or domain name, in addition to the user’s login ID and password. You can specify a domain name if you want to avoid sending an account ID over the Internet.
With an Adobe Connect hosted account, you cannot use single sign-on or external authentication. You must pass the user’s authentication credentials on the Adobe Connect hosted account, not the credentials for an external network.
Note:
It is important to have SSL enabled on your Adobe Connect hosted account, because you are sending user IDs, passwords, and account information over the Internet to your Adobe Connect account hosted at Adobe.
-
https://example.com/api/xml?action=login&login=joe &password=smith99&domain=acme.adobe.com&session=breezxq66rt43poai3if8
Note:
The instructions in this section apply only to Adobe Connect server.
Your application can use a trusted central server to authenticate users with single sign-on and pass your network’s (here called external) authentication to Adobe Connect server, without explicitly passing an Adobe Connect server user ID and password. (For detailed instructions on how to set up and configure HTTP header authentication, see Adobe Connect Installation and Configuration Guide).
With HTTP header authentication, a user logs in to your authentication server. Once the user is authenticated, you add an HTTP request header that identifies the user, or configure a proxy server to add the header. The authentication filter on Adobe Connect (named HeaderAuthenticationFilter) converts your user identifier to an Adobe Connect login ID and authenticates the user.

External authentication works in addition to standard Adobe Connect authentication. Each user who needs to access Adobe Connect server needs a valid Adobe Connect server login and password.
When you send a login request to Adobe Connect server with an external authentication credential:
The authentication filter intercepts the request and checks for a user on Adobe Connect server with an ext-login field that matches your external credential.
If a match exists, the filter passes your external authentication to Adobe Connect server, and the server logs the user in.
If no match exists, the filter passes the login request to the server, which displays its login page. The user must then log in to Adobe Connect server.
If the user logs in successfully, Adobe Connect server updates the ext-login field in the user’s profile with the external credential from your request. The next time you send a request with the user’s external credential, Adobe Connect server finds a match in ext-login, and the user does not need to log in to Adobe Connect.
If the user does not log in successfully, the user is not allowed access to Adobe Connect server applications, content, or meetings.
-
In [your server directory]/appserv/conf/WEB-INF/web.xml, remove comment tags around the filter-mapping element for HeaderAuthenticationFilter and add comment tags around any other filter-mapping elements:
<filter-mapping> <filter-name>HeaderAuthenticationFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- <filter-mapping> <filter-name>NtlmAuthenticationFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> -->
-
In the filter element for HeaderAuthenticationFilter, enable the /api/ pattern for request URLs. You have two choices for how to do this:
If your application uses the XML API and any Adobe Connect applications
In the filter element for HeaderAuthenticationFilter, use comment tags to disable the init-param element with a param-value of/api/:
<!-- <init-param> <param-name>ignore-pattern-0</param-name> <param-value>/api/</param-value> </init-param> -->If your application uses only the XML API
Change the filter-mapping element for your filter type to use the URL pattern /api/* instead of /*:
<filter-mapping> <filter-name>HeaderAuthenticationFilter</filter-name> <url-pattern>/api/*</url-pattern> </filter-mapping>Then, in the filter element for your filter type, add comment tags around all init-param elements with a param-name of ignore-pattern-x:
<filter> <filter-name>HeaderAuthenticationFilter</filter-name> <filter-class> com.macromedia.airspeed.servlet.filter.HeaderAuthenticationFilter </filter-class> <!-- <init-param> <param-name>ignore-pattern-0</param-name> <param-value>/api/</param-value> </init-param> ... <init-param> <param-name>ignore-pattern-4</param-name> <param-value>/servlet/testbuilder</param-value> </init-param> --> </filter> -
Handle the BREEZESESSION cookie value returned in the response header. You have two choices for how to do this:
If you use a client library that manages cookies
Allow your library to extract the cookie value, store it, and pass it back to the server on subsequent requests for the user.
If you manage cookies yourself
Extract the value of the BREEZESESSION cookie from the response header. Store it and pass it back to the server in the session parameter of all subsequent actions you call for the same user, as long as the user’s session is valid:
https://example.com/api/xml?action=principal=list&session=breezs7zuepmy9wh2tseuBe sure not to reuse the cookie value when the user’s session ends.
At times, you may prefer to send an HTTP POST request to the server to make sure the data is secure and not visible in transit. In that case, specify the action name and parameters in an XML document.
When you receive an XML response from Adobe Connect, you need to be able to parse it to extract the XML elements you need.
If you are working in a language such as Java™, with an XML parser (such as Xerces or JDOM) installed, you can parse through an XML response, select values from nodes, and then use those values.
-
Write a method that calls one or more actions. Create an instance of the XPath class so that you can use the XPath expressions. Call the actions, read the XML response, and use XPath syntax to select the values you need:
public String scoUrl(String scoId) throws XMLApiException { try { Element e = request("sco-info", "sco-id=" + scoId); if(!(codePath.valueOf(e).equalsIgnoreCase("ok"))) return ""; XPath xpath = XPath.newInstance("//url-path/text()"); String path = ((Text) xpath.selectSingleNode(e)).getText(); e = request("sco-shortcuts", null); xpath = XPath.newInstance("//domain-name/text()"); String url = ((Text) xpath.selectSingleNode(e)).getText(); return url + "/" + path.substring(1) + "?session=" + breezesession; } catch (JDOMException jde) { throw new XMLApiException(PARSE_ERROR, jde); } }
You can also use string pattern matching to check for a status code of ok. A successful action always returns this response:
<?xml version="1.0" encoding="utf-8" ?> <results> <status code="ok" /> </results>
When an API action completes successfully, it returns a status code of ok. If the call is not successful, it can also return any of the following status codes:
no-access
Shows that the current user does not have permission to call the action, and includes a subcode attribute with more information.
no-data
Indicates that there is no data available for the action to return, when the action would ordinarily return data.
too-much-data
Means that the action should have returned a single result but is actually returning multiple results.
When the status code is invalid, the response also has an invalid element that shows which request parameter is incorrect or missing:
<?xml version="1.0" encoding="utf-8" ?> <results> <status code="invalid"> <invalid field="has-children" type="long" subcode="missing" /> </status> </results>When the status code is no-access, the subcode explains why:
<?xml version="1.0" encoding="utf-8" ?> <results> <status code="no-access" subcode="denied" /> </results>All valid values for code, subcode, and invalid are described in status, in the API reference. Your application needs to read and handle status codes and subcodes.
-
Write a method that parses an XML API response for the status code and subcode. This is an example in Java:
private String getStatus(Element el) throws JDOMException { String code = codePath.valueOf(el); String subcode = subcodePath.valueOf(el); StringBuffer status = new StringBuffer(); if(null != code && code.length() > 0) status.append(code); if(null != subcode && subcode.length() > 0) status.append(" - " + subcode); return status.toString(); }
When a user logs out, the user’s session ends, and Adobe Connect invalidates the BREEZESESSION cookie by setting it to null and using an expiration date that has passed. For example, if you call logout on August 29, 2006, you see this Set-Cookie method in the response header, setting an empty cookie value and an expiration date a year earlier:
Set-Cookie: BREEZESESSION=;domain=.macromedia.com;expires=Mon, 29-Aug-2005 22:26:15 GMT;path=/
If you are managing the BREEZESESSION cookie, invalidate the value so it is not reused after a user logs out.