Flex Security

Hi there,
I have a Java webservice at:
http://mydomain/service/service?wsdl
And I have a Flex app located at:
http://mydomain/
If mydomain is "localhost" then my flex app can call the
webservice without any problem. However, when I migrated the two
apps to a non-localhost I got a security error:
Webservice call failed: [FaultEvent fault=[RPC Fault
faultString="Security error accessing url"
faultCode="Channel.Security.Error" faultDetail="Destination:
DefaultHTTP"] messageId=null type="fault" bubbles=true
cancelable=true eventPhase=2]
Does anyone know what the problem is?
Thanks a lot,
Chris

I mean that I have been developing and testing on my local
machine with a local webserver (localhost) and now I've put both
the flex app and webservice on a remote machine.
Anyway, I've actually fixed this problem now - I didn't
update the webservice files to point to the new host - however now
I have another problem...
Webservice call failed: [FaultEvent fault=[RPC Fault
faultString="HTTP request error" faultCode="Server.Error.Request"
faultDetail="Error: [IOErrorEvent type="ioError" bubbles=false
cancelable=false eventPhase=2 text="Error #2032: Stream Error. URL:
http://mydomain:8080/service/service"
URL:
http://mydomain:8080/service/service"
messageId=null type="fault" bubbles=true cancelable=true
eventPhase=2]
Any ideas on this one? I read that you can get this error if
the URL is incorrect, but these are definitely correct.
Thanks
Chris

Similar Messages

  • Flex security - RSA implementation?

    Hi all,
    I am developing a client-server app; the client is a Flex app that communicates with a PHP server using the AMF protocol.
    I need some security, so I have thought of some possible solutions:
    1. Using HTTPS, but with any "web debugging proxy" anyone can decrypt SSL, so this is not a solution.
    2. Using an RSA implementation, so if someone reads the traffic it won't be a problem, but if someone
         disassembles the Flex client, they can access the client private key and then the security will go away.
    Is there some way to secure the communication?
    Thank you

    Hi,
    For security purposes, you would store the private key in the card and perform all private key operations there. One approach could be to store a certificate and the corresponding private key in a java card applet and then retrieve the certificate from the card. You could then send a random number (nonce) to the card and ask it to sign the number. The host application can then verify the signature with the public key in the certificate. The host could also verify the certificate against a certificate authority or a known trust chain.
    The hard part is that you will need to implement this in the applet yourself. You can define a set of APDUs that you could send to the card for specific responses. For instance, one command to get the certificate and another to sign some arbitrary data. You would also want a way of injecting the keys (this is the simple, less secure approach though).
    With certificates you can use the cryptographic properties to verify that you trust the card and if you do not receive a trusted certificate the program can terminate. Also if the signature is not verified then you could exit as well as the card has not proven ownership of the private key.
    Cheers,
    Shane

  • Flash / Flex security

    Hello,
    probably this sounds really silly... however wanted to ask
    just how secure is Flex/Flash? Since it's on the client, a user can
    easily decompile a .swf and modify any variables and pass them to
    the server.. you know like client script to server.
    also is there something that can be done to invalidate the
    application or the .swf once a third party client modifies any
    variables?
    I wanted a 100% confirmation.
    Thanks!

    It wouldn't be possible to hijack the SWF bytecode and alter
    it on the fly - it is too complex for that (and if someone can do
    that with an AI of some sort, well, no one is safe). They will have
    to copy the SWF and mess with it, then post it to some domain of
    their own and then the Flash Player will recognize the different
    domains.
    Another thing you can do is have a shell SWF which loads your
    main swf. This is atypical behavior and while it does make a second
    request to the server (which someone can see with a sniffer) you
    can use this to your advantage.
    When you load main.swf into shell.swf, you can ask main.swf
    how many bytesTotal it is. Then you change shell.swf to hold this
    value: var mainSize:int = 654321. Now shell.swf requests main.swf
    and compares main.swf's size against mainSize. If shell.swf sees
    that the values aren't identical, it knows main.swf isn't correct.
    This isn't 100% foolproof, but someone would have to a) know
    you are doing this and b) hack your main.swf in such a way that the
    byte size remains the same. Quite a challenge I think.
    Finally, all security measures are automatic. You can
    override some of them (check the documentation for the
    Security.allowDomain function and others in the Security class).
    One more thing: suppose someone writes their own shell.swf
    and uses it to load your main.swf. Unless they have access to your
    server, they will launch their evilshell.swf from their domain:
    evildoer.com. That becomes the "home" domain for the Flash Player.
    Now they load your swf from yourdomain.com. Since evildoer.com is
    not yourdomain.com, your SWF can request your data, but since the
    home domain is no longer yourdomain.com, there is a security
    violation. The home domain for the Flash Player must be
    yourdomain.com in order to read data from yourdomain.com.
    Anyone loading your swf into their swf also cannot access
    data and functions (see allowDomain) so your information is still
    protected.
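The size comparison described in the reply above, next to a digest comparison, as an added example that is not part of the original post. The SWF-style files, the body contents and all function names are constructed for illustration; only the FWS and CWS (zlib) header layouts are handled.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed stand-ins for main.swf: same length, one value changed.
BODY = b"config: price=100; role=user; " * 8
TAMPERED_BODY = BODY.replace(b"price=100", b"price=001")
PINNED_DIGEST = hashlib.sha256(BODY).hexdigest()


def build_swf(body, version=10, compressed=False):
    """Build a constructed SWF-style file: 3-byte signature, version byte,
    little-endian uncompressed length, then the body (zlib-packed for CWS)."""
    total = 8 + len(body)
    payload = zlib.compress(body) if compressed else body
    signature = b"CWS" if compressed else b"FWS"
    return signature + bytes([version]) + struct.pack("<I", total) + payload


def unpacked_body(swf):
    """Return the uncompressed body, validating the header on the way."""
    if len(swf) < 8 or swf[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    declared = struct.unpack("<I", swf[4:8])[0]
    body = zlib.decompress(swf[8:]) if swf[:3] == b"CWS" else swf[8:]
    if declared != 8 + len(body):
        raise ValueError("declared length does not match content")
    return body


def size_check(swf, expected_size):
    """The check from the post: compare byte counts only."""
    return len(swf) == expected_size


def digest_check(swf, expected_hex):
    """Compare a SHA-256 digest of the uncompressed body in constant time."""
    actual = hashlib.sha256(unpacked_body(swf)).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def demo():
    """Run both checks against a same-size edit and a recompressed original."""
    original = build_swf(BODY)
    tampered = build_swf(TAMPERED_BODY)
    recompressed = build_swf(BODY, compressed=True)
    expected_size = len(original)
    return {
        "tampered_passes_size": size_check(tampered, expected_size),
        "tampered_passes_digest": digest_check(tampered, PINNED_DIGEST),
        "recompressed_passes_size": size_check(recompressed, expected_size),
        "recompressed_passes_digest": digest_check(recompressed, PINNED_DIGEST),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(name, passed)
```

The size check accepts the edited file and rejects an unmodified file that was merely recompressed; the digest check gets both cases right.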

  • Flash / Flex - security in corporate environment

    We are considering platforms to develop a new project with; Flex came up and is very appealing. However, we are dealing with a hosted solution which will be used by companies whose users will need to download the SWF to their browser. Are there any problems that may occur in a company that has strict security policies that may cause the SWF download to fail?
    thanks in advance

    Hmmm... May need to use AIR, or else upload those local
    assets to server then download. Strange but maybe this is
    so.

  • Flex security error message

    Ok, so when I pass in a user:pass with the url, it works
    inside Eclipse, HOWEVER when I export my project and run it from
    its exported location (on my local box and the server), I get the
    following error:
    faultCode:Channel.Security.Error faultString:'Security error
    accessing url' faultDetail:'Destination: DefaultHTTP'
    What does this mean?

    The Flash Player enforces a variety of security rules. Most
    if not all of these are turned off when running from Eclipse.
    One of the rules is that you are not allowed to access a URL from
    a different domain than the one your Flex application SWF file was
    served from.
    So your Flex app comes from
    http://myserver:8080/MyWeb/myFlex.html
    but you are trying to access
    http://otherServer:9000/something.xml
    So you have two choices:
    Put a crossdomain.xml file in the root of otherServer, or
    write a proxy for myServer that forwards your requests.
    Look in the doc for the crossdomain.xml format. It's a bit
    vague as to the location. They just say the ROOT of the web server.
    In Tomcat that is webapps/ROOT; other web servers may be
    different. To test if your crossdomain policy file is in the
    correct spot, you should be able to see the file by entering
    http://otherServer:9000/crossdomain.xml
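A small auditor for the crossdomain.xml file the reply above recommends, as an added example that is not part of the original post. Both policy documents are constructed for the reply's myserver/otherServer scenario, the function names are hypothetical, and the domain matching is a simplification of what the Flash Player does.

```python
import xml.etree.ElementTree as ET

# Constructed policies: the SWF is served from "myserver" and reads data
# from otherServer, whose web root holds the policy file.
PERMISSIVE = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

SCOPED = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="myserver"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Match a policy domain pattern against a requesting host (simplified:
    exact name, "*", or a leading "*." wildcard; ports are not compared)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def granted(xml_text, host):
    """True if any allow-access-from rule in the policy covers the host."""
    root = ET.fromstring(xml_text)
    return any(domain_matches(rule.get("domain", ""), host)
               for rule in root.iter("allow-access-from"))


def audit_policy(xml_text, expected_hosts):
    """Return (severity, message) findings for one crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is <%s>, not <cross-domain-policy>" % root.tag)]
    findings = []
    site = root.find("site-control")
    if site is not None and site.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control 'all' accepts policy files anywhere on this host"))
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high", "domain='*' grants read access to SWFs served from any domain"))
        elif domain.startswith("*."):
            findings.append(("medium", "wildcard '%s' trusts every host under that suffix" % domain))
        elif domain.lower() not in expected_hosts:
            findings.append(("info", "grant to '%s' is not in the expected host list" % domain))
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", "secure='false' lets content loaded over HTTP use an HTTPS policy"))
    for rule in root.iter("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append(("medium", "any domain may send arbitrary request headers"))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("scoped", SCOPED)):
        print(name)
        for severity, message in audit_policy(policy, {"myserver"}):
            print("  [%s] %s" % (severity, message))
```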

  • Flex Security Questions

    Hi,
    I am new to Flex. How can I protect the source code of my Flex application? As we know, there are quite a number of programs that can easily decompile Flex to get back the source code, such as Sothink SWF Decompiler. How is it possible to prevent people from viewing the source code, modifying it and then even using it to connect to our databases?
    Thanks.

    You can check this too.
    http://www.tokaos.com/swf-encrypt-example.asp
    with Regards,
    Shardul Singh Bartwal

  • How to implement springsecurity in flex

    Hi all,
    I'm a newbie and need your help.
    I am having difficulty implementing security in a Flex project using Spring Security. For the project I'm using
    BlazeDS Turnkey.
    Apache Tomcat
    Eclipse Ganymede 3.4 (for editing code)
    I've tried to make it but always get an error message
    "[MessagingError  message = 'Destination' securityHelper 'either does not exist or the  destination has no channels defined (and the application does not define  any default channels .)']- could not establish a connection to'  securityHelper'-InvokeFailed"
    and below is my source code
    1. web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="WebApp_ID" version="2.4"
      xmlns="http://java.sun.com/xml/ns/j2ee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
        <display-name>Spring BlazeDS Integration Samples</display-name>
        <context-param>
            <param-name>flex.class.path</param-name>
            <param-value>/WEB-INF/flex/hotfixes,/WEB-INF/flex/jars</param-value>
        </context-param>
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/spring/*-config.xml
            </param-value>
        </context-param>
        <!-- -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <!-- Http Flex Session attribute and binding listener support -->
        <listener>
            <listener-class>flex.messaging.HttpFlexSession</listener-class>
        </listener>
        <!-- MessageBroker Servlet
        <servlet>
            <servlet-name>MessageBrokerServlet</servlet-name>
            <servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
            <init-param>
                <param-name>services.configuration.file</param-name>
                <param-value>/WEB-INF/flex/services-config.xml</param-value>
            </init-param>
            <init-param>
                <param-name>flex.write.path</param-name>
                <param-value>/WEB-INF/flex</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>MessageBrokerServlet</servlet-name>
            <url-pattern>/messagebroker/*</url-pattern>
        </servlet-mapping>
        -->
        <servlet>
            <servlet-name>flex</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>flex</servlet-name>
            <url-pattern>/messagebroker/*</url-pattern>
         </servlet-mapping>
        <welcome-file-list>
            <welcome-file>index.html</welcome-file>
            <welcome-file>index.htm</welcome-file>
            <welcome-file>index.jsp</welcome-file>
            <welcome-file>default.html</welcome-file>
            <welcome-file>default.htm</welcome-file>
            <welcome-file>default.jsp</welcome-file>
        </welcome-file-list>
    </web-app>
    2. flex-servlet.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:flex="http://www.springframework.org/schema/flex"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
            http://www.springframework.org/schema/flex
            http://www.springframework.org/schema/flex/spring-flex-1.0.xsd">
        <flex:message-broker>
            <flex:message-service
                default-channels="my-streaming-amf,my-longpolling-amf,my-polling-amf" />
            <flex:secured />
        </flex:message-broker>
        <!-- Expose the productService bean for BlazeDS remoting -->
        <flex:remoting-destination ref="productService" />
        <!-- Expose the contactService bean for BlazeDS remoting -->
        <flex:remoting-destination ref="contactService" />
        <!-- Expose the securedProductService bean for BlazeDS remoting -->
        <flex:remoting-destination ref="securedProductService" />
        <!-- Helper for getting the currently authenticated user-->
        <bean id="securityHelper" class="org.springframework.flex.samples.secured.SecurityHelper">
            <flex:remoting-destination/>
        </bean>
        <!-- Messaging destinations -->
        <flex:message-destination id="chat" />
        <flex:message-destination id="secured-chat" send-security-constraint="trusted" />
        <flex:message-destination id="simple-feed" />
        <flex:message-destination id="market-feed" allow-subtopics="true" subtopic-separator="." />
        <flex:jms-message-destination id="jms-chat" jms-destination="chatTopic" />     <!-- See configuration of "chatTopic" in /WEB-INF/spring/infrastructure-config.xml -->
        <flex:integration-message-destination id="si-receive" message-channel="toFlex"/> <!-- See configuration of "toFlex" in /WEB-INF/spring/integration-config.xml -->
        <flex:integration-message-destination id="si-send" message-channel="fromFlex"/> <!-- See configuration of "fromFlex" in /WEB-INF/spring/integration-config.xml -->      
        <!-- MessageTemplate makes it easy to publish messages -->
        <bean id="defaultMessageTemplate" class="org.springframework.flex.messaging.MessageTemplate" />
        <!-- Pojo used to start and stop the data feed that pushes data in the 'simple-feed' destination -->
        <bean id="simpleFeedStarter" class="org.springframework.flex.samples.simplefeed.SimpleFeed">
            <constructor-arg ref="defaultMessageTemplate" />
            <flex:remoting-destination />
        </bean>
        <!-- Pojo used to start and stop the data feed that pushes data in the 'market-feed' destination -->
        <bean id="marketFeedStarter" class="org.springframework.flex.samples.marketfeed.MarketFeed">
            <constructor-arg ref="defaultMessageTemplate" />
            <constructor-arg value="stocklist.xml" />
            <flex:remoting-destination />
        </bean>
    </beans>
    3. service-config.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <services-config>
        <services>
            <default-channels>
               <channel ref="my-amf"/>
            </default-channels>
            <service-include file-path="remoting-config.xml" />
            <service-include file-path="proxy-config.xml" />
            <service-include file-path="messaging-config.xml" />
        </services>
        <channels>
            <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
            </channel-definition>
            <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
                <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
                <properties>
                    <add-no-cache-headers>false</add-no-cache-headers>
                </properties>
            </channel-definition>
            <channel-definition id="my-polling-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amfpolling" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <polling-enabled>true</polling-enabled>
                    <polling-interval-seconds>4</polling-interval-seconds>
                </properties>
            </channel-definition>
            <channel-definition id="my-longpolling-amf" class="mx.messaging.channels.AMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amflongpolling" class="flex.messaging.endpoints.AMFEndpoint"/>
                <properties>
                    <polling-enabled>true</polling-enabled>
                    <polling-interval-seconds>5</polling-interval-seconds>
                    <wait-interval-millis>60000</wait-interval-millis>
                    <client-wait-interval-millis>1</client-wait-interval-millis>
                    <max-waiting-poll-requests>200</max-waiting-poll-requests>
                </properties>
            </channel-definition>      
            <channel-definition id="my-streaming-amf" class="mx.messaging.channels.StreamingAMFChannel">
                <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/streamingamf" class="flex.messaging.endpoints.StreamingAMFEndpoint"/>
            </channel-definition>
        </channels>
        <security>
            <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
            <security-constraint id="trusted">
                <roles>
                    <role>ROLE_USER</role>
                    <role>ROLE_ADMIN</role>
                </roles>
            </security-constraint>
        </security>
        <logging>
            <target class="flex.messaging.log.ConsoleTarget" level="Warn">
                <properties>
                    <prefix>[BlazeDS] </prefix>
                    <includeDate>false</includeDate>
                    <includeTime>false</includeTime>
                    <includeLevel>false</includeLevel>
                    <includeCategory>false</includeCategory>
                </properties>
                <filters>
                    <pattern>Endpoint.*</pattern>
                    <pattern>Service.*</pattern>
                    <pattern>Configuration</pattern>
                </filters>
            </target>
        </logging>
        <system>
            <redeploy>
                <enabled>false</enabled>
            </redeploy>
        </system>
    </services-config>
    4. remoting-config.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <service id="remoting-service" class="flex.messaging.services.RemotingService">
        <adapters>
            <adapter-definition id="java-object"
                class="flex.messaging.services.remoting.adapters.JavaAdapter"
                default="true" />
        </adapters>
        <default-channels>
            <channel ref="my-amf" />
        </default-channels>
    </service>
    5. spring/security-config.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
    <!--
        <http>
            <form-login default-target-url="/secured/secured.html" login-page="/login.jsp" />
        </http>
    -->
        <http>
            <form-login default-target-url="/ZeroToHero.html"/>
        </http>
        <authentication-provider>
            <user-service>
                <user name="john" password="john" authorities="ROLE_USER" />
                <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="guest" password="guest" authorities="ROLE_GUEST" />
            </user-service>
        </authentication-provider>
    </beans:beans>
    6. ZeroToHero.mxml
    <?xml version="1.0" encoding="utf-8"?>
    <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" xmlns="*"
        applicationComplete="applicationCompleteHandler()">
        <mx:RemoteObject id="productService" destination="securedProductService" fault="faultHandler(event)"/>
        <mx:RemoteObject id="securityHelperTest" destination="securityHelper" fault="faultHandler(event)">
            <mx:method name="getAuthentication" result="userHandler(event)"/>
        </mx:RemoteObject>
        <mx:Script>
            <![CDATA[
                import mx.messaging.ChannelSet;
                import mx.messaging.channels.AMFChannel;
                import mx.controls.Alert;
                import mx.rpc.AsyncToken;
                import mx.rpc.AsyncResponder;
                import mx.rpc.events.FaultEvent;
                import mx.rpc.events.ResultEvent;
                [Bindable]
                private var user:Object = null;
                // Ask the server who is logged in, then join the chat.
                private function applicationCompleteHandler():void
                {
                    securityHelperTest.getAuthentication();
                    chat.consumer.subscribe();
                }
                // Result of getAuthentication(): lock the form if already logged in.
                private function userHandler(event:ResultEvent):void
                {
                    user = event.result;
                    if (user != null) {
                        userId.text = user.name;
                        userId.editable = false;
                        password.editable = false;
                    }
                }
                private function faultHandler(event:FaultEvent):void
                {
                    Alert.show(event.fault.faultString + "-" +
                    event.fault.faultDetail + "-" +
                    event.fault.faultCode, "Error accessing RemoteObject");
                }
                // Log in through the channel set; the responders handle success and failure.
                private function login():void
                {
                    var token:AsyncToken = securityHelperTest.channelSet.login(userId.text, password.text);
                    token.addResponder(
                        new AsyncResponder(
                            function(event:ResultEvent, token:Object = null):void{
                                user = event.result;
                                userId.editable = false;
                                password.editable = false;
                            },
                            function(event:FaultEvent, token:Object = null):void{
                                Alert.show(event.fault.faultString, "Login Failed");
                            }
                        )
                    );
                }
                // Log out and reset the form and the grid.
                private function logout():void
                {
                    securityHelperTest.channelSet.logout();
                    user = null;
                    userId.text = "";
                    userId.editable = true;
                    password.text = "";
                    password.editable = true;
                    grid.dataProvider.removeAll();
                }
            ]]>
        </mx:Script>
        <mx:Form>
            <mx:FormItem label="User Id">
                <mx:TextInput id="userId"/>
            </mx:FormItem>
            <mx:FormItem label="Password">
                <mx:TextInput id="password" displayAsPassword="true"/>
            </mx:FormItem>
            <mx:FormItem direction="horizontal">
                <mx:Button label="Login" click="login()"/>
                <mx:Button label="Logout" click="logout()"/>
            </mx:FormItem>
        </mx:Form>
        <mx:Accordion width="100%" visible="{user != null}">
            <mx:Canvas label="Products" width="100%">
                <mx:Panel width="100%">
                    <mx:DataGrid id="grid" dataProvider="{productService.findAll.lastResult}" width="100%" height="100%">
                        <mx:columns>
                            <mx:DataGridColumn dataField="productId" headerText="Product ID" visible="{user != null ? user.authorities.indexOf('ROLE_ADMIN') >= 0 : false}"/>
                            <mx:DataGridColumn dataField="name" headerText="Name" />
                            <mx:DataGridColumn dataField="category" headerText="Category" />
                            <mx:DataGridColumn dataField="description" headerText="Description" />
                            <mx:DataGridColumn dataField="image" headerText="Image" />
                            <mx:DataGridColumn dataField="price" headerText="Price" />
                            <mx:DataGridColumn dataField="qty" headerText="Qty" />
                        </mx:columns>
                    </mx:DataGrid>
                    <mx:Button label="Get Data" click="productService.findAll()"/>
                </mx:Panel>
            </mx:Canvas>
            <Chat id="chat" username="{user.name}"/>
        </mx:Accordion>
    </mx:Application>
    please help me,

    remote-config.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <service id="remoting-service" class="flex.messaging.services.RemotingService">
        <adapters>
            <adapter-definition id="java-object"
                class="flex.messaging.services.remoting.adapters.JavaAdapter"
                default="true" />
        </adapters>
        <default-channels>
            <channel ref="my-amf" />
        </default-channels>
        <destination id="securityHelper">
            <properties>
                <source>org.springframework.flex.samples.secured.SecurityHelper</source>
                <scope>application</scope>
            </properties>
        </destination>
    </service>
    SecurityHelper.as (for calling the remote object from the client) is my own, and I think this SecurityHelper.as is wrong because it does not return a value, and I do not know how to call the Java class SecurityHelper.java
    package com.adobe {
        [Bindable]
        [RemoteClass(alias="org.springframework.flex.samples.secured.SecurityHelper")]
        public class SecurityHelper {
            public function SecurityHelper() {}
        }
    }
    SecurityHelper.java
    package org.springframework.flex.samples.secured;
    import java.util.Map;
    import org.springframework.flex.security.AuthenticationResultUtils;
    public class SecurityHelper {
        // Returns the details of the currently authenticated user.
        public Map<String, Object> getAuthentication() {
            return AuthenticationResultUtils.getAuthenticationResult();
        }
    }
    Thanks
    Message was edited by: agungdmt

  • BlazeDS/Security/Spring/NonBlazeDS/NonSpring/Confusion Oh My

    I'm new to Flex (coming over from the pure JEE world.) One of the first things that is needed for any application is security authentication/authorization. I've been extremely disappointed, though, in the lack of good examples with best practices on how to handle this, or if there is a book that covers it well let me know and I'll purchase it.
    I'm working with BlazeDS at the moment (but not opposed to scrapping it.)
    I have managed to finally get a security setup using blazeds-spring integration working, but their forum is a ghost town so it makes me think that there aren't many people using it. The docs are also extremely vague. Had it not been for some stuff that I was able to pull from these two tutorials by the same author http://www.adobe.com/devnet/flex/articles/flex_security.html#ach-setscr http://www.gridshore.nl/2009/05/24/integrate-flex-security-in-mate-using-the-spring-blazeds-integration-project/ I would have been completely lost. Even though it's 'mostly' working, so much is unknown to me, and because the reference doc http://static.springsource.org/spring-flex/docs/1.0.x/reference/html/index.html is so short it doesn't cover a lot of what is going on.
    I'm not even 100% certain I want to use Spring though (It seems to actually black-box too much and in some ways overcomplicate things with a lot of configuration), yet I want my application be portable across containers. Where are the examples on the best way to set things up? The blazeds reference doc chapter seems to gloss over a lot, and only confuses me a bit more. I'd like to see some real examples.
    As an example of some things that I'd like to see:
    1) When not using Spring security, where is a concrete implementation of handling authentication and authorization (with/without blazeDS - I just want a good best practice example of how things are handled)?
    2) How are people dealing with session time outs? (user clicking around in application and then they happen to make a server call but their session is gone. Do you simply poll every few minutes to keep the session alive?)
    3) Are people putting up a filter up before the blazeDS filter to check the user's session is valid? If the session isn't valid and you've set up a filter, what happens on the flex side of things if the filter finds an invalid session? It can only redirect for forward so how does it trigger the client flex app that it needs to invalidate its internal storage of an authenticated user and hence needs to redisplay the login page. I know how to set things up in a traditional java web app, but I'm a bit stumped here... I only have one main "FooBar.swf" file, so when the session filter realizes the user's session timed out where do I "go" - can I somehow just redirect to the same main page "FooBar.swf" and somehow Flex can be aware that "Hey ok some event happened so I need to invalidate my flex user and present the login page (login component)"
    Thanks for any suggestions/help on what to look at for best practices.

    Hi,
    Did you get any ideas on this one? As a newcomer to Flex/BlazeDS I'd like to hear those.
    I'll add my thoughts to the discussion you started.
    2) How are people dealing with session time outs? (user clicking around
    in application and then they happen to make a server call but their
    session is gone. Do you simply poll every few minutes to keep the
    session alive?)
    I check the session in a filter for each request. If there's no valid session, the filter sends a response message to the Flex app, which shows it as an Alert message. I'm not (yet) using Blaze, but I don't see why it wouldn't work.
    If you want, you can configure the session timeout in the web.xml of your web app, so no need to poll. It would be nice to get asynchronous event from the server side when the session times out. This requires to use the pub/sub method of blaze or java messaging on a servlet.
    The web.xml of the blazeDS samples has the following lines
    <!-- Http Flex Session attribute and binding listener support -->
        <listener>
            <listener-class>flex.messaging.HttpFlexSession</listener-class>
        </listener>
    To me this indicates that you can define a listener for the session somehow. It would be nice to know more about this.
    3) Are people putting up a filter up before the blazeDS filter to check
    the user's session is valid? If the session isn't valid and you've set
    up a filter, what happens on the flex side of things if the filter
    finds an invalid session? It can only redirect for forward so how does
    it trigger the client flex app that it needs to invalidate its internal
    storage of an authenticated user and hence needs to redisplay the login
    page. I know how to set things up in a traditional java web app, but
    I'm a bit stumped here... I only have one main "FooBar.swf" file, so
    when the session filter realizes the user's session timed out where do
    I "go" - can I somehow just redirect to the same main page "FooBar.swf"
    and somehow Flex can be aware that "Hey ok some event happened so I
    need to invalidate my flex user and present the login page (login
    component)"
    Why not just have different swfs? When the session is not valid, redirect to login.html (a wrapper for login component).
    If I have understood correctly, Flex uses HTTP GET method to communicate with the browser. So it might be possible to send parameters to the app after the filter. Also, using JavaScript and external interface might be helpful here.

  • Security/session questions

    Hi,
    I have some security/session questions for you guys.
    My application uses flex, blazeds and spring. I use RemoteObjects to initiate calls from flex to java. The application consists of a login screen and 'other screens' available only to authenticated users after login. When the user logs in the server stores user credentials on the FlexContext (FlexContext.getFlexSession().setAttribute). So if the server timeout is reached and the user presses 'refresh' the user is thrown out and the login screen appears.
    Question 1: How can I check if the timeout is reached when the user makes a call to the server, without checking manually against the FlexContext. Are there any config parameters to set?
    Question 2: Is it necessary to check against the user credentials in the session for every flex-to-server call? (I guess someone can omit the login screen and do a manual call)
    Question 3: If the answer to question 2 is yes, how can I check against the session credentials? The only way I can think of is calling a method which checks the session attribute manually, but then I have to remember to add this method call to each of the methods called from flex through Blazeds. Is it, for example, possible to call the user-logged-in method before the method given in the RemoteObject is called? (If not authenticated, do not run method).
    Hope someone got the time to help me out.

    I appreciate your answer, but as you yourself write, I think there must be a blazeDS way. But as nobody with extensive BlazeDS knowledge answers this post, I probably have to google this topic even more.
    Following are the main changes in my application: (Introducing spring security)
    Everything seems to be working as it should. But as already stated, I'm a newbie. So if anybody sees something suspicious, let me know.
    The main problem I had implementing Spring Security was something that should be easy, but somehow it was not: the loading of the context files. Before introducing the spring security I only had one application-context file, and this was loaded by the DispatcherServlet. When introducing security I tried to add this to the same file. It did not work. Then I tried splitting up the files, and loading both using DispatcherServlet. It did not work. Then I tried loading both using ContextLoaderListener. It did not work. Finally I found the solution. Flex settings must be loaded by the DispatcherServlet, and spring security settings must be loaded by ContextLoaderListener. This works. I don't know if this is the only solution.
    On the server:
    web-xml:
    <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/config/web-application-config.xml
                /WEB-INF/config/web-application-security.xml
            </param-value>
        </context-param>
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <servlet>
            <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>/WEB-INF/config/flex-application-config.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
    flex-application-context:
    <flex:message-broker>
            <flex:secured/>
        </flex:message-broker>
    web-application-context:
    I had to implement my own authentication mechanism. Had to compare the username/password against an object attribute. So this bean is not mandatory, but I think you have to write down username/password/role in flex-application-context if not provided.
    <bean id="customAuthenticationProvider" class="packagename.CustomAuthenticationProvider">
            <security:custom-authentication-provider/>  
    </bean>
    web-application-security:
    <http entry-point-ref="preAuthenticatedEntryPoint" />
        <beans:bean id="preAuthenticatedEntryPoint"
            class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
        <!-- Securing the service layer -->
        <global-method-security>
            <protect-pointcut expression="execution(* package.ServiceImpl.*(..))" access="ROLE_USER"/>
        </global-method-security>
    On the client:
    import mx.messaging.ChannelSet;
    import mx.messaging.config.ServerConfig;
    import mx.rpc.AsyncResponder;
    import mx.rpc.AsyncToken;

    private function login():void {
        // Authenticate on the ChannelSet used by the remote destination.
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.login(username, password);
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(loginResultHandler, loginFaultHandler));
    }

    private function logout():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.logout();
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(logoutResultHandler, logoutResultHandler));
    }

  • Flex Application Hosting issue unable to access webservice from another machine

    Hi all,
    I have a flex application which is using an asp.net webservice. When I host this application on the machine on which the webservice is present, it works fine. But when I host the application on another machine, the webservice is not being called. If anybody has any idea, please suggest.
    Thnx in Advance,
    Shardul Singh Bartwal

    You may need a crossdomain.xml file. Flex security does not allow your SWF to access data on other domains without it.
    In this case even mysub.myCompany.com is considered a different domain from www.myCompany.com.
    These links should help you understand:
    http://livedocs.adobe.com/flex/3/html/help.html?content=data_6.html
    http://livedocs.adobe.com/flex/3/html/help.html?content=deployingoverview_12.html
    http://livedocs.adobe.com/flex/3/html/help.html?content=security2_03.html
    http://livedocs.adobe.com/flex/3/html/help.html?content=security2_04.html
    If this post answers your question or helps, please mark it as such.

  • AlivePDF HTTPS

    I am trying to understand an issue I am having with a Flex
    builder 2 application and AlivePDF over https. I first programmed
    the application on a non-ssl connection and everything works just
    great. I then moved to migrate the application to a https
    environment and ran into some minor crossdomain.xml security issue
    but was able to resolve all but one problem: I am using AlivePDF to
    create a dynamic sign which creates a bytestream and passes it
    along to a php script that sends it back as a pdf file. See attached
    script. I have yet to be able to tie this to a flex security issue
    but do not want to rule anything out until I find a resolution. I
    need the expertise of this forum to help me out because at best I
    am a moderately skilled flex programmer and hope I can come to a
    speedy resolution. Thanks for any assistance.

    Hi,
    Thank you for posting.
    In order to resolve the issue, please add
    https://printables.hpconnected.com
    to the trusted sites in Internet Explorer.
    To do so, please click on the Gear icon in the top right hand corner of Internet Explorer and click on Internet Options. In the Internet Options window, please click on Security and then click on Trusted sites and click on Sites and add
    https://printables.hpconnected.com and click on OK. Then delete the temporary internet files and cookies and try to access.
    Say "Thanks" by clicking the Kudos Star in the post that helped you.
    Please mark the post that solves your problem as "Accepted Solution"
    (Although I am employed by HP, I am speaking for myself and not for HP)

  • Is it possible to call web services in adobe connect application?

    I am facing one security issue in adobe connect
    Error Description is "Security error accessing url
    Unable to load WSDL. If currently online, please verify the URI and/or format of the WSDL (http://xxxxxx/WebService.asmx?wsdl)"
    Is it possible to call web services in adobe connect application?
    Thanks and regards
    Selvan

    OK, so it's a plain Flex security issue, not related to the Connect application, probably due to crossdomain misconfiguration.
    Please read http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html and http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
    You may want to ask for help in the proper Flex forum. Also, download Tour de Flex and look at the example under "Flex Data Access" -> "WebService".
    Try also to look at this thread http://forums.adobe.com/thread/223999

  • Using HTTP Services with SSL using Internet Explorer

    Hello,
    Basically what's happening is that the secure services aren't
    loading when I pull up the website when using Internet Explorer.
    The website works perfect in FireFox and Safari however nothing
    loads via the HTTP services when they use SSL. I've read over Lin
    Lin's article
    http://weblogs.macromedia.com/lin/archives/flex/security/index.cfm
    about using SSL with IE however I'm confused as to how to implement
    the changes she mentions. She basically mentions a couple of the
    reasons why the httpServices wouldn't be able to load data in when
    connecting via SSL. I've read over the Adobe TechNote at
    http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=fdc7b5c&pss=rss_flashplayer_fdc7b5c
    but this wasn't clear either.
    1. How do I change the server settings to have the correct
    header information?
    2. Can I change something in the Flex Compiler to allow for
    SSL and IE?
    This works perfect in FireFox and Safari and retrieves data
    with no problems. Any ideas, information would be appreciated.

  • Sandbox violation when accessing sockets

    Here is my code:
    flex:
    Security.loadPolicyFile("http://localhost/ufd/crossdomain.xml");
    crossdomain.xml
    <?xml version="1.0"?>
    <cross-domain-policy>
    <allow-access-from domain="http://localhost"/>
    <allow-http-request-headers-from domain="192.168.1.12/ufd" headers="Authorization"/>
    </cross-domain-policy>
    I am getting an error connecting to a socket that runs on 92.168.1.12
    Please help.

    Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: http://ufddb-02/ufd/Golf.swf cannot load data from ufddb-02:8001.
    at Golf()
    at _Golf_mx_managers_SystemManager/create()
    at mx.managers.systemClasses::ChildManager/initializeTopLevelWindow()
    at mx.managers::SystemManager/initializeTopLevelWindow()
    at mx.managers::SystemManager/http://www.adobe.com/2006/flex/mx/internal::kickOff()
    at mx.managers::SystemManager/http://www.adobe.com/2006/flex/mx/internal::preloader_completeHandler()
    at flash.events::EventDispatcher/dispatchEventFunction()
    at flash.events::EventDispatcher/dispatchEvent()
    at mx.preloaders::Preloader/timerHandler()
    at flash.utils::Timer/_timerDispatch()
    at flash.utils::Timer/tick()
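
The policy posted in this thread can be checked mechanically. The following is an added example, not code from the original posts: a small Python audit of a Flash cross-domain policy, which also flags wildcard entries beyond what the thread shows. The finding names and the corrected policy (built from the host `ufddb-02` and port `8001` in the error message) are constructed for illustration, and the socket check assumes Flash Player takes socket permissions only from a socket policy file carrying `to-ports`, not from an HTTP-served crossdomain.xml.

```python
import xml.etree.ElementTree as ET

# Policy exactly as posted in the thread above.
POSTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="http://localhost"/>
<allow-http-request-headers-from domain="192.168.1.12/ufd" headers="Authorization"/>
</cross-domain-policy>"""

# Constructed example of a socket policy for the SWF host and port named in the
# error message; it must be served by a socket policy server, not over HTTP.
FIXED_SOCKET_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="ufddb-02" to-ports="8001"/>
</cross-domain-policy>"""


def _domain_issues(tag, domain):
    """The domain attribute takes a host name, IP address or wildcard only."""
    if not domain:
        return [(tag, "missing-domain")]
    if "://" in domain:
        return [(tag, "domain-has-scheme")]
    if "/" in domain:
        return [(tag, "domain-has-path")]
    if domain == "*":
        return [(tag, "wildcard-domain")]
    return []


def audit_policy(xml_text, for_socket=False):
    """Return (element, finding) pairs for a policy file the operator controls."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("allow-access-from"):
        findings += _domain_issues(el.tag, el.get("domain"))
        # Socket connections are only granted for ports listed in to-ports.
        if for_socket and not el.get("to-ports"):
            findings.append((el.tag, "missing-to-ports"))
    for el in root.iter("allow-http-request-headers-from"):
        findings += _domain_issues(el.tag, el.get("domain"))
        if el.get("headers", "").strip() == "*":
            findings.append((el.tag, "wildcard-headers"))
    return findings


if __name__ == "__main__":
    for name, policy in (("posted", POSTED_POLICY), ("fixed", FIXED_SOCKET_POLICY)):
        print(name, audit_policy(policy, for_socket=True))
```
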

  • Configure remote-config for calling java class

    Hi...all
    I'm a newbie, and I'm having trouble configuring remote-config in a flex project.
    How do I configure remote-config.xml if I have a java class like the one below?
    package org.springframework.flex.samples.secured;

    import java.util.Map;
    import org.springframework.flex.security.AuthenticationResultUtils;

    public class SecurityHelper {
        // Returns the current user's authentication details to the Flex client.
        public Map<String, Object> getAuthentication() {
            return AuthenticationResultUtils.getAuthenticationResult();
        }
    }
    Please help me... I'm a newbie and want to learn.
    thanks

    Hi,
    Maybe this could be of good help to you
    http://livedocs.adobe.com/blazeds/1/blazeds_devguide/
    Thanks,
    Balaji
