OK, the gateway itself does not support IP filtering. I think you would need to use some other mechanism to protect the gateway itself. That gateway by default is http://yourserver:yourport/flexdir/amfgateway. You could probably create some sort of servlet filter that validates the IP and then passes the request along to the gateway afterward.

 

Matt
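
The servlet filter suggested above, as an added example that is not part of the original message and not Flex's own code. The class name `GatewayIpFilter` and the `allowedAddresses` init-param are hypothetical, and it assumes the `javax.servlet` API of the web application hosting the gateway.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects gateway requests whose peer address is not on an allowlist. */
public class GatewayIpFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        // "allowedAddresses" is an assumed init-param: comma-separated literal IPs.
        String param = config.getInitParameter("allowedAddresses");
        if (param == null || param.trim().isEmpty()) {
            // Fail closed: refuse to start rather than run with an empty policy.
            throw new ServletException("allowedAddresses init-param is required");
        }
        for (String addr : param.split(",")) {
            if (!addr.trim().isEmpty()) {
                allowed.add(addr.trim());
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy it is the proxy's
        // address; client-supplied headers such as X-Forwarded-For are not consulted.
        // Comparison is by exact string, so list addresses in the container's format.
        String remote = req.getRemoteAddr();
        if (allowed.contains(remote)) {
            chain.doFilter(req, res); // allowed: pass the request along to the gateway
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() {
        // No resources to release.
    }
}
```

Register it in `web.xml` with a `<filter-mapping>` whose `url-pattern` covers the gateway path (`/amfgateway` if `flexdir` is the context root, which is an assumption). An address allowlist restricts who can reach the gateway but does not authenticate the caller.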

 


From: [email protected] [mailto:[email protected]]
Sent: Monday, April 25, 2005 1:53 PM
To: [email protected]
Subject: [flexcoders] Re: Questions About Services Security

 


This is a bit confusing to me, but I understand when you say it has to
use AMF, unless exposed as a SOAP.

I guess my question then is: if you use the Flex proxy remoteObject
gateway (as right now I actually call a different AMF gateway for all
my AMF calls), can you restrict domain/IP access in the flex-config.xml?

I have a PHP AMF gateway set up now, and anybody could hit the remote
gateway if they knew the URL.  I was wondering if using the Flex's
proxy remoteObject gateway by only accessing Java remote objects on
the server, would I achieve a situation where it was impossible for
outside people to make requests on the Flex remoteObject gateway?

Does that make sense?

--- In [email protected], Matt Chotin <[EMAIL PROTECTED]> wrote:
> If you want your Flex app to communicate with a Java class you must use AMF
> unless you expose it as a SOAP service.  I'm not sure how you were intending
> on reaching it without AMF?
>
> When you do use AMF you are restricted to classes that are available to the
> web application in which Flex is running (or more accurately your amf
> gateway).  We have the whitelist in flex-config.xml which gives you more
> control over which classes can be accessed.
>
> Matt
>
>   _____ 
>
> From: [email protected] [mailto:[email protected]]
> Sent: Monday, April 25, 2005 11:08 AM
> To: [email protected]
> Subject: [flexcoders] Questions About Services Security
>
> I want to use RemoteObject that invokes a Java class. (not AMF,
> HTTPService, or SOAP).
>
> Question 1, are the Java classes restricted to the same server as
> Flex? (besides some funky network share I mean).
>
> Question 2, Using RemoteObject to Java classes (not AMF) do I gain the
> security that only mxml's from the same domain (or allowable domains
> through domain.xml and flex-config.xml) can access the Java class?
>
> Thanks for any answers to these questions or any other insights to
> Security in regards to RemoteObject Java classes.
>
> I do understand about HTTPS, I am more concerned about easy access to
> Remote calls.





