Security for deployed Flex Apps

Similar Messages

• Need opinions/links/etc... regarding Oracle security for a custom app

  Okay it's an open ended question but I need some help figuring out what we should be doing.
  We have an old legacy Sybase system written in Powerbuilder which they want to move to a web app. Great! That means we get new toys. Problem, it's a standalone system now being merged into a web system. We're looking at Oracle 10.2 and App Server to run everything. We're not sure about reporting yet.
  Here's my question. What/how is everyone using for user account security? I'll have say 5000 users at different locations in the world. Let's say you have sites A, B and C. I'll ultimately need to be able to allow Mr. Smith at Site A to create info which nobody at site B or C is allowed to see. But then Mr. Smith's manager should be allowed to see all the work done by his people so he technically has visibility to everything at site A regardless if he created it or not. The company VP & Presidents need to see everything from sites A, B and C. (Also possibly allow someone to 'grant' access to another person's info. ie - someone at site A allowing someone at site B to view their info by some interface setting)
  Now there's a second level of sensitivity. Say unclassified, classified and top secret. Each employee, regardless of where they sit in the heirarchy tree above, can only see documents up to their sensitivity level. So someone with classified access can see unclassified and classified items, but not top secret.
  Now I've looked at Oracle row level security and it looks like exactly what I'll need but that means that every user, needs to be a database user? I've never worked with something like that. The only other way I'm aware of doing this, would be have the application developers code all the checks into the system based on user info. That leaves lots of maintenance headaches and we will need a reporting tool so then we have to recreate all that info on the report side as well. (which is actually the way the current standalone system works. One main user to do the connections, then we have a "user table" to check rights, password & so forth).
  Is it unheard of to create a custom app (that's the key, there is no COTS for this), then have all the user accounts be stored as actual Oracle users? For a web app, I'm used to a single user being the "pass through" for any connections to the database then pass that back to the user. Are there any considerations or tricks to integrate Oracle user creation into the system or it's as simple as have the app run the correct sql from an account with the correct permissions?
  How else can this be done or how else is everyone doing it? Any links to info would be great and most appreciated. Stories and how you did it type of info is also real good!
  Thanks.

  Pierre,
  That helped a lot. I ended up ordering one of Tom's recommended books on security. I also was able to find a few examples (once I figured what I needed to be looking for) that got me up and running with a test instance to play with.
  Thank you very much!

• Best webservers for deploying flex application

  Hi,
  I want to deploy flex application in web server.
  I am serching for best and suitable server for deploing flex
  application.
  any info pls.............

  Rule 1: Never use the "Automatically Expose UI Componentes in a New Managed Bean" option, create your bindings manually;
  Rule 2: Rule 1 is always right;
  Rule 3: In doubts, refer to rule 2.
  You may also want to check out :
  http://groups.google.com/group/adf-methodology
  And :
  http://www.oracle.com/technology/products/jdev/collateral/4gl/papers/Introduction_Best_Practices.pdf

• Deploy Flex app

  I'm using FB3 to build and release Flex app. Copy the
  bin-debug directory out of the workspace and change the directory
  name, make a zip file from the directory.
  Upload the zip file to the server and unzip the file.
  FB3 creates a html wrapper for the swf file. Is accessing the
  swf file directly better than going through the HTML
  wrapper?

  This is actually more of a SAP J2EE engine question as there
  may be some set up that it keeping it from accessing the correct
  jar files. I'm not sure how the SAP J2EE works, but it has tomcat,
  the solution might be found here:
  http://forum.java.sun.com/thread.jspa?threadID=487257&messageID=2283292
  The mx4j-jmx.jar probably has your missing files. You can
  download it here (
  http://mx4j.sourceforge.net/)
  and see if that works.

• Flex Hero, how to make a whiteboard for Mobile Flex App in Android platform?

  I had made a whiteboard with the sdk 3.5 for PC, but when i use the same way in the SDK Hero, i can't draw any shape.
  I use a image to draw picture on it, and the   image.source   is   a  Sprite, and when i creat a new shape,  i add it in the Sprite,
  it is worked in the sdk 3.5, but it is not work in the Mobile Flex App.
  can anyone help me?
  Thanks  HamlinXu

  may be i know what happen,  i try to draw shape on  the view,not on the Image, it work.
  i think may be my image does not show on the view, but i have set the visible=true, it is stilll can't see the Image,
  how to make the Image can see in the view?

• Security Exception deploying to App Server with Creator

  I'm trying to deploy a Spring/Hibernate application to the default app server with creator. I'm getting an exception which seems to be related to security settings on the server and the cglib library that Hibernate requires. Below is the full stack trace. Does anyone know what I can do to solve this problem? I had a brief look at the server.policy file but don't know what to modify or if I need to modify it at all.
  When I deploy the .war to Tomcat, I do not receive this exception.
  Thanks!
  Mike
  org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionFactory' defined in ServletContext resource [WEB-INF/applicationContext.xml]: Initialization of bean failed; nested exception is java.lang.ExceptionInInitializerError: null
  java.lang.ExceptionInInitializerError
  at net.sf.cglib.core.KeyFactory$Generator.generateClass(KeyFactory.java:167)
  at net.sf.cglib.core.DefaultGeneratorStrategy.generate(DefaultGeneratorStrategy.java:25)
  at net.sf.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:215)
  at net.sf.cglib.core.KeyFactory$Generator.create(KeyFactory.java:145)
  at net.sf.cglib.core.KeyFactory.create(KeyFactory.java:117)
  at net.sf.cglib.core.KeyFactory.create(KeyFactory.java:108)
  at net.sf.cglib.core.KeyFactory.create(KeyFactory.java:104)
  at net.sf.hibernate.impl.SessionFactoryImpl.<clinit>(SessionFactoryImpl.java:237)
  at net.sf.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:805)
  at org.springframework.orm.hibernate.LocalSessionFactoryBean.newSessionFactory(LocalSessionFactoryBean.java:535)
  at org.springframework.orm.hibernate.LocalSessionFactoryBean.afterPropertiesSet(LocalSessionFactoryBean.java:470)
  at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1065)
  at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:343)
  at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:260)
  at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:221)
  at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:145)
  at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:276)
  at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:317)
  at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.refresh(AbstractRefreshableWebApplicationContext.java:131)
  at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:224)
  at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:150)
  at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:48)
  at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4010)
  at org.apache.catalina.core.StandardContext.start(StandardContext.java:4522)
  at com.sun.enterprise.web.WebModule.start(WebModule.java:241)
  at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:827)
  at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:125)
  at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:147)
  at java.security.AccessController.doPrivileged(Native Method)
  at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:809)
  at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
  at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1279)
  at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1006)
  at com.sun.enterprise.server.WebModuleDeployEventListener.moduleDeployed(WebModuleDeployEventListener.java:160)
  at com.sun.enterprise.server.WebModuleDeployEventListener.moduleDeployed(WebModuleDeployEventListener.java:238)
  at com.sun.enterprise.admin.event.AdminEventMulticaster.invokeModuleDeployEventListener(AdminEventMulticaster.java:918)
  at com.sun.enterprise.admin.event.AdminEventMulticaster.handleModuleDeployEvent(AdminEventMulticaster.java:905)
  at com.sun.enterprise.admin.event.AdminEventMulticaster.processEvent(AdminEventMulticaster.java:427)
  at com.sun.enterprise.admin.event.AdminEventMulticaster.multicastEvent(AdminEventMulticaster.java:139)
  at com.sun.enterprise.admin.server.core.DeploymentNotificationHelper.multicastEvent(DeploymentNotificationHelper.java:288)
  at com.sun.enterprise.deployment.phasing.DeploymentServiceUtils.multicastEvent(DeploymentServiceUtils.java:155)
  at com.sun.enterprise.deployment.phasing.ServerDeploymentTarget.sendStartEvent(ServerDeploymentTarget.java:258)
  at com.sun.enterprise.deployment.phasing.StartPhase.runPhase(StartPhase.java:87)
  at com.sun.enterprise.deployment.phasing.DeploymentPhase.executePhase(DeploymentPhase.java:71)
  at com.sun.enterprise.deployment.phasing.PEDeploymentService.executePhases(PEDeploymentService.java:633)
  at com.sun.enterprise.deployment.phasing.PEDeploymentService.start(PEDeploymentService.java:361)
  at com.sun.enterprise.deployment.phasing.PEDeploymentService.start(PEDeploymentService.java:396)
  at com.sun.enterprise.admin.mbeans.ApplicationsConfigMBean.start(ApplicationsConfigMBean.java:702)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)
  at com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper.java:302)
  at com.sun.enterprise.admin.config.BaseConfigMBean.invoke(BaseConfigMBean.java:357)
  at com.sun.jmx.mbeanserver.DynamicMetaDataImpl.invoke(DynamicMetaDataImpl.java:213)
  at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
  at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
  at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)
  at com.sun.enterprise.admin.util.proxy.ProxyClass.invoke(ProxyClass.java:54)
  at $Proxy1.invoke(Unknown Source)
  at com.sun.enterprise.admin.server.core.jmx.SunoneInterceptor.invoke(SunoneInterceptor.java:272)
  at com.sun.enterprise.admin.jmx.remote.server.callers.InvokeCaller.call(InvokeCaller.java:38)
  at com.sun.enterprise.admin.jmx.remote.server.MBeanServerRequestHandler.handle(MBeanServerRequestHandler.java:92)
  at com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.processRequest(RemoteJmxConnectorServlet.java:69)
  at com.sun.enterprise.admin.jmx.remote.server.servlet.RemoteJmxConnectorServlet.doPost(RemoteJmxConnectorServlet.java:94)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
  at sun.reflect.GeneratedMethodAccessor71.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)
  at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
  at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
  at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:257)
  at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
  at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
  at java.security.AccessController.doPrivileged(Native Method)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
  at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:132)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
  at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
  at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:185)
  at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:653)
  at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:534)
  at com.sun.enterprise.web.connector.grizzly.ProcessorTask.doTask(ProcessorTask.java:403)
  at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:55)
  Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getProtectionDomain)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
  at java.security.AccessController.checkPermission(AccessController.java:427)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
  at java.lang.Class.getProtectionDomain(Class.java:2074)
  at net.sf.cglib.core.ReflectUtils$1.run(ReflectUtils.java:42)
  at java.security.AccessController.doPrivileged(Native Method)
  at net.sf.cglib.core.ReflectUtils.<clinit>(ReflectUtils.java:40)
  ... 98 more

  Try this:
  //Required permissions for Hibernate
  grant codeBase "file:/path-to-web-project/Creator-project-name/build/web/-"{
  permission java.util.PropertyPermission "*", "read,write";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "getProtectionDomain";
  };Replace path-to-web-project with the path to your project's folder. For example,
  file:/C:/Documents and Settings/localuser/My Documents/Creator/MyCreatorProject/build/web/-

• UNICODE AND SECURITY FOR FLASH DESKTOP APPS

  I'm presently in the development phase of some desktop applications using Adobe Flash to develop rich interactive apps that include games published in AIR for PCs. Given that I intend to commercialize these products, I have the following requests which you may be able to help provide answers to:
  - how do I type texts in unicode characters given that my applications will include texts in my local language of yoruba.
  - how best can I integrate security features into my application such that serial numbers or activation keys are required to run them? This is to help ensure that the apps run on per PC basis. This'll also help ensure timed licensing for users.
  - how best can I obfuscate my swf files so that they are not easily decompiled or viewable by users in my program files or even by software which can expose the source codes? From experience, I have some AIR published desktop apps installed on my PC yet the swf files are viewable from the program files on my harddrive.
  - how can I also protect my ActionScript files from being decompiled?

  same problem with me sir , If you find answer kindly let me know and if i find the solution it will be my pleasure to share it with you !
  Freind, I want to make a flash game ,
  but it should not be a web based it is a desktop based application !
  and the most important part of this is its security .
  I want to do the following things
  1)-I can copy this game on others pc  , but it must be expired after 10 days .
  2)-if someone copy it by any unethical way , it must not be opened on his pc a black screen should come
  i have wathced a game like that .
  I am confused how to make it ,it can be achieved by using flash or i have to make a separate desktop
  application on C#.net or java that can hold this game and take care of security issues .
  Thank you very much

• Setting security for deployment and connections to SSAS

  I've read that SSAS does not offer mixed mode security option as SQL Server does. Does this mean that every user/client desiring to connect via OLE DB must have a domain account? How does one get around this?
  Also what is the tool used to administer SSAS security. There is no option for these in SQL Server Management Studio 2014. I am developing cubes via the BI plug-in for Visual Studio 2012 but I am unable to deploy the .asdatabase packages due to security
  problems. I would appreciate if someone could point me to a good article on SSAS configuration/security. If I could just know the tool to invoke or PowerShell commands I would be good to go.
  Thanks

   Does this mean that every user/client desiring to connect via OLE DB must have a domain account?
  Hi Rmz,
  Microsoft SQL Server Analysis Services relies on Microsoft Windows to authenticate users. By default, only authenticated users who have rights within Analysis Services can establish a connection to Analysis Services. Which no mean that you need
  a domain account to access SSAS database. You can access to the cube using a local window user. This authentication model requires that all users be authenticated by the Windows operating system before they can access data. This the default setting on
  SSAS currently. Here is a article about Secure Deployment (Analysis Services - Multidimensional Data), please see
  http://technet.microsoft.com/en-us/library/bb500226(v=sql.105).aspx
  http://technet.microsoft.com/en-us/library/ms174927(v=sql.105).aspx
  Regards,
  Charlie Liao
  TechNet Community Support

• Other options for deploying standalone apps developed in VB 2005?

  I've managed to deploy an application using CR 10 as shipped with VS 2005 Professional Edition.
  I embedded the reports in the app and created an *.msi file, which my users used to install the SW on their machines.
  Problem is, I have some users who do not have enough privileges on their machine to install my SW.
  I'd like to be able to make the SW available to them (one possibility is having them launch the SW from their machine but have the SW installed elsewhere).  Or, distribute them an executable but not an installer (running the SW isn't an issue; installing it is).
  Any suggestions?
  Thanks!

  You only have two options
  1) the MSI as you are using it now
  2) clickonce deployment.
  Details on ClickOnce deployment as described in the developer help file:
  ClickOnce deployment reduces the time and effort required to deploy Windows Applications across a network. Rather than distribute a separate executable to each individual hard drive, ClickOnce deployment places the executable on a common Web page, from which all users can launch it. As part of the launch process, a copy is retrieved to the user's hard drive that can be used to re-launch the application locally. However, this local copy regularly checks the source executable on the Web page for updates.
  Updates to the Windows Application can be re-published to the web server, and the newer application files are then available to clients. If an older version of the Windows Application opens locally on a client machine, an update dialog box gives the option to check for updates from the web server. ClickOnce deployment is only available for Windows applications that use the .Net 2.0 Framework or later.
  Ludek

• App Server for deploying JDev Apps

  Hello,
  I am trying to find out the app server of
  choice for the apps we develop using
  JDeveloper. I am not quite sure that OAS
  is going to cut it for EJB/Servlet/..
  apps when compared to websphere/weblogic/
  iplanet etc. Can I please get the feedback
  of this forum ?
  thanks
  sanjay
  null

  How Do I Deploy Enterprise JavaBeans to IBM WebSphere?
  http://www.oracle.com/technology/products/jdev/howtos/appservers/deploy_to_websphere.html

• Install Adobe Standard and Pro for deployment with app-v

  I'm currently trying to install adobe 8.2.3 pro and Standard with App-v. The only media I have is 8.0 so I have downloaded all updates from 8.10 through 8.2.3. When I try and Install the MSP files it say's the application can not be found. I'm sure that is because when you install the application it is installed to Q:\adostd80.023. Does anyone know how this is suppose to be done?
  Thanks

  There are also issues with 32 vs 64-bit systems. The latter requires updating your version in general. Generally the initial releases have not worked in the 54-bit environment. There are many driver issues with 64-bit systems and probably should look carefully if 64-bits are needed. The 64-bit system is useful if you are computationally focused, but may not be much of an advantage in standard office environments. Just be careful. If you are installing OFFICE 2010, then you need AAX for PDF Maker compatibility -- prior versions of Acrobat only allow printing from the OFFICE 2010 suite. Some folks have been successful with AA8 on 32-bit Win7 (I have only seen 1 post that would suggest success with 64-bit Win7). Prior versions of Acrobat can be made to work on 32-bit Win7 systems, but require work arounds (i.e., the AcroTray tool that automates the conversion to PDF process fails in Win7). The 64-bit system will probably fail for most of the earlier versions in such cases.
  Realize that you may have to deal with Win8 shortly that has it's own issues.

• Deploying Flex app online

  Dear,
  I'm searching a way out to deploy my flex application online. But still it won't work.
  Does anyone have a tutorial or some info about putting a flex application online, using zend amf?
  If I run everything on my localhost, it works.
  But if I put it online.. I get a Badversion Call.. Or other errors.
  I putted the ZendFramework folder online, in the root of my host and I adjusted the services that have been automaticly created with my sql password, host, username,...
  Thanks

  Most Flex applications are deployed by simply copying the HTML wrapper and SWF file somewhere on the server where the server will respond if that URL is requested. It's just a matter of copying a few files to the server.
  Is it the case that you are not familiar with deploying to J2EE servers in general? I'm not familiar with it, but I thought if you were, then you could just copy the files.
  If this post answered your question or helped, please mark it as such.

• Is it a security concern when Flex app in 2 browser tabs share the same session?

  This is a common senario. Want to hear from the experts here.

  Hi,
  on the ApplicationModule, did you set the locking behavior to optimistic ? For web applications it should be optimistic and not pessimistic, which is the default setting. Select the AM and choose "Configurations" from the context menu. Click edit and select the property tabs. Look for the locking setting, which should be set to "pessimistic if you did not change it before. Just replace the current value with optimistic
  Frank

• Should I learn Fireworks or Builder to Design Flex Apps?

  I need help in making a process decision on how to build Flex
  Apps going forward.
  In the past, we have built the concept for our Flex app in
  Photoshop and sent it over to our development team in India to
  build. The process has been difficult because our engineers are not
  designers and our designers are not engineers. Invariably we spend
  alot of time bridging the gap between whats possible and what we
  want to see in our Apps.
  I want to bring our Design and Dev much closer together and
  essentially take the GUI out of the hands of my Indian Developers
  and let them focus on the backend.
  To accomplish this goal, I will be training my US Design team
  to become either Fireworks Experts or Flex Builder Experts....
  (they are already Photoshop experts) This is where I need your
  help. If you were starting from scratch with a talented design team
  that could learn either tool, which one would you choose to
  accomplish the goal? Does the Fireworks to Flex export create
  crappy code like Dreamweaver thats tough to modify manually? Does a
  "true" Flex developer despise Fireworks-generated code?
  I have read up on the Fireworks>Flash Catalyst>Flex
  Builder Path and dont understand the additional step... is Catalyst
  part of Fireworks and thats how Flex code is developed or is it a
  new code generation engine that does code better than Fireworks
  CS4?
  Thanks in advance.

  I am understanding my question better now... Please read
  below
  I am attempting to remove inefficiencies in my Flex
  development process by re-tooling my design team so that their UI
  and application design output files can be imported directly into
  the developers environment. Essentially, I want designers to
  produce prototypes with working client-side interactions while the
  developers focus on back-end interactions.
  Our current process has a number of throwaways that occur
  during the web application build process: from wireframe, to
  Photoshop, to development using the Photoshop output as a guide for
  development... this last step is often the most mangled because is
  difficult to implement the design exactly as the designer created
  it in Photoshop because designers do not fully understand what is
  possible. I want to remove the steps in-between and have found two
  possible solutions to do this.
  Option 1) Fireworks CS4>Catalyst(Thermo)>Flex4
  SDK>*.SWF
  Option 2) Fireworks>Flex3 SDK>*.SWF
  With Option 1, we would tool up our Designers on Fireworks
  and Catalyst and get our developers on the Flex4 SDK. The output of
  the design/build would be only compatible with Flash10 and the
  stock component library for Flex4 would be limited.
  With Option 2, we would tool up our Designers on Fireworks
  and use the native Fireworks export to Flex 3 (not sure how well
  this works?). The output would be compatible with Flash 9 and the
  stock and aftermarket component library for Flex3 would be rich.
  Do I have this right? Which option would you choose and why?
  Thanks in advance.

• Configuring socket policy for flex apps(with blocked port 843)?

  We have built several flex-based ecommerce apps for a fortune 500 customer of ours, that for various reasons, we need to use sockets to a different domain and requires a socket policy file, but were having trouble configuring our flex apps for deployment in thier enviornment where they are blocking virtually everything except port 80 . The current documentation in in regards to socket policy files and crossdomain files in a non-standard configuration not using port 843 is not providing any useful help to us.
  Here is the scenario:
  Flex apps are served from domain www.a.com in  to users browsers via http. The apps then make socket connections to domain www.b.com:80 where there are php scripts serving json data to the flex apps via port 80 using http(we use sockets because we need to set and read back http headers). The problem is the flex apps cannot make socket connections to the www.b.com domain without errors like below(unless we setup a socket policy server on port 843 of www.b.com, in which case everything works):
  Warning: Timeout on xmlsocket://www.b.com:80 (at 3 seconds) while waiting for socket policy file.  This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation.
  Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
  Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com.us/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
  Since we cannot use port  843 for the socket policy file server, we setup the socket policy server on a different ip in the same domain: spf.b.com:80 (using the sample perl code Adobe provides), and per the docs(cited below), use Security.loadPolicyFile("xmlsocket://spf.b.com:80") before we invoke "socket.connect", to supposedly tell the flash player to check there for the socket policy file. The problem, as you can see from the error log, is that the  loadPolicyFile("xmlsocket://spf.b.com:80") is ignored.
  No matter what we do or how we set things up, we cannot get the flash player to recognize the loadPolicyFile(), it always wants to go to the port were making the socket connection on. It is unclear how to properly configure the flex app, socket policy file and crossdomain file for the above scenario. The docs allude to being able to serve  the socket policy file from a different port 80 in the same domain as the socket connection were trying to make, but were having no luck with that.
  ->Can anyone shed some light on how to make this work or what are we  missing/doing wrong? Also, if we can get this to work, are we  stuck with a 3 second delay because this(very large) customer is blocking port 843?
  As an aside,  the documentation for all this is a bit scattered, unclear and contrdictory:
  One document says:(http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_07.html)
  "This warning usually means one of two things: first, that you need to set up a
              socket policy file server on port 843, which is the first location that Flash
              Player checks by default; or second, that you need to provide more explicit
              guidance to Flash Player from ActionScript by calling loadPolicyFile to indicate the location
              of a socket policy file. When you call loadPolicyFile rather than allowing Flash Player to check
              locations by default, Flash Player will wait as long as necessary for a
              response from a socket policy file server, rather than timing out after 3
              seconds."
  Another document says(http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html):
  "If an ActionScript Security.loadPolicyFile() command exists within               the SWF file, then the Flash Player runtime checks that location. Flash Player checks               the destination of the loadPolicyFile() only after it has checked the               master policy file on port 843 for permission to acknowledge other policy               files. If the developer has not specified a loadPolicyFile() command,               then Flash Player checks the destination port of the connection."

  I found the reason why the Flex application was ignoring the socket policy (crossdomain.XML). I have a policy server that listens to port 843 and submits the policy to the Flex client. My policy was getting ignored by the Flex application and I was getting the sandbox security error you were getting. The solution to this problem isto write a null byte right after the policy server sends the policy. I'm using Apache Mina that is wrtten is Java and the null byte is written as follows:
  public void sessionCreated (IoSession session)
          throws Exception
          session.write(_policy);  -- > policy string
          session.write("\u0000"); --> null byte
           //session.close(true); ---> No need to close the session because it is closed by the Flex client after it receives the null byte.
  Now my Flex application can read and accept the policy from port 843 and I'm not getting more security violations.
  Thanks for your reply,
  Alberto