Oh well, that turned out to be pretty messy First I got worried as the doc states
The FileReference and FileReferenceList classes also do not provide methods for authentication. With servers that require authentication, you can download files with the Flash® Player browser plug-in, but uploading (on all players) and downloading (on the stand-alone or external player) fails. On this and other sites I did however find users that got it working. The trick (with Tomcat) is to "just" add the servlet's jsessionid stored in the cookie also on the FileReference's url. One has a few choices to get the sessionid into flex. In my case that was easy, because I am sending xml back and forth anyway I just added the sessionid to the reply the servlet sends when the login succeeds. The servlet request has a getter to get hold of it (getRequestedSessionId) Whenever one wants to upload something, append the sessionid to the request url. Something like urlRequest=new URLRequest(_servletUrl + servicePath + ";jsessionid=" + _sessionId ); Note the semicolon - this is not a url parameter. That first did not work in my case because Flex kept on sending some session cookie with the upload request and the server therefore ignored the jsessionid on the url. Weirdly that cookie was not stored in the browser and no matter how hard I tried to clean up the browser's caches, it kept being there. Obviously (but not for me at 2am) it is the flash/flex runtime that has its own session/cookie cache. Quitting the browser (and the flex runtime) is what finally got it going. All in all this is an ugly situation. It would help to document this in the flex doc (assuming this is a "supported" approach) and browser consistency would have helped as well....a first blow to my hopes of escaping cross browser problems by switching to flex/flash. Anyway, perhaps a next reader finds this useful. Peter --- In flexcoders@yahoogroups.com, "pgp.coppens" <[EMAIL PROTECTED]> wrote: > > Flex fans, > > I am struggling with the following scenario > > 1. Use an HTTPService POST to authenticate to a servlet backend (works > fine) > 2. Use HTTPService requests to the same server and rely on previous > authentication (works fine) > 3. FileReference.upload with IE also picks up the same session cookie > and thus uses the authenticated (and authorized) session. With Firefox > or Opera however, a FileReference.upload request does not seem to pick > up the same JSESSIONID cookie and therefore fails as it is not > authenticated/authorized. > > Does anyone know how to deal with this? How should one normally use a > FileReference.upload to a servlet server that requires authentication? > > Any help or guidance warmly welcomed! > > Peter >