Hi Jitendra,
Thank you for your reply. I'm doing form-based login and different role creation. My doubt is: even if I didn't give a role, the user who knows my remote methods can call these methods from his client (suppose he created a new GUI with my remote methods). How can I block it? HTTPS is also giving secure transmission, not blocking access to the remote method.
I think more knowledge in session Id could get a solution, because if it is a Struts-J2EE transaction J2EE will check the session Id. FlexContext.getFlexSession() is a static method na? How can it give a sessionId for each user? These are my doubts.
Regards,
Razak

--- In [email protected], jitendra jain <[EMAIL PROTECTED]> wrote:
>
> 1) If you see services-config.xml, following tag
>
> <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
>   <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
>   <properties>
>     <!--HTTPS requests on some browsers do not work when pragma "no-cache" are set-->
>     <add-no-cache-headers>false</add-no-cache-headers>
>   </properties>
> </channel-definition>
>
> Here the endpoints are secure as they are sent via https protocol. But if the user's (client's browser) no-cache is set, it fails.
>
> 2) Try to create different roles (Security-roles). For this u need to read some J2EE stuff.
>
> 3) Form-Based Authentication is least secured.
>
> So we can say that upto some extent we can secure our application. But we can't challenge.
> Thanks,
>
> with Regards,
> Jitendra Jain
>
> ----- Original Message ----
> From: Abdul Razak PM <[EMAIL PROTECTED]>
> To: [email protected]
> Sent: Saturday, 11 October, 2008 3:04:54 PM
> Subject: [flexcoders] Re: How to make an RPC call secure
>
> HI Jitendra,
> Thanks for your kind reply,
> Let me explain my question in detail.
> Suppose I have a small banking application
> a) I want to ensure user's login
> b) user can request a loan
> c) admin can approve loan
> d) admin can enter payment details etc...
> For this I have provided a flex GUI to login, modules to enter loan request details, approve details, payment details etc..
> I gave the following remote calls and implemented with J2EE
> createLoanRequest
> searchLoanDetls
> approveLoanDetails
> changeLoanStatus
> insertLoanInstallmentDetls
> Also I gave appropriate menus for user and admin depending on their privilege.
> My doubt is like this
> i) Suppose admin logged in the application and is doing some transaction. At the same time some hacker (who understands my remote methods) is calling some remote methods, trying to change some methods. It is from a different machine. Can it happen...? Commonly J2EE uses session Id to handle this case. In this case may I need to use Session (Thanks Jitendra for ur session help).
> ii) Is there any common method to use a validator for each method call?
> iii) If I'm wrong pls help me with the theoretical reason.
>
> Regards,
> Razak
>
> --- In [EMAIL PROTECTED] ups.com, jitendra jain <jitendra_jain_2007@> wrote:
> >
> > If your question is "when flex calls a java class and within the java class how do I access the associated session", then the code is below and it is in the documentation. The FlexSession class is located in the flex-messaging.jar.
> >
> > FlexSession session = FlexContext.getFlexSession();
> >
> > But what's the real question behind your question? What do you want to load?
> >
> > If you want to secure your calls then try to read J2EE Specs
> > Thanks,
> >
> > with Regards,
> > Jitendra Jain
> >
> > ----- Original Message ----
> > From: Abdul Razak PM <it-razak@ .>
> > To: [EMAIL PROTECTED] ups.com
> > Sent: Saturday, 11 October, 2008 9:34:29 AM
> > Subject: [flexcoders] Re: How to make an RPC call secure
> >
> > Hi All,
> > I'm a newbie in flex. My searches and adobe give a lot of links but I need to get specified in my topic..
> > Those who are handling security please give me an answer (theoretical) whether, for a flex GUI with J2EE as server and using remoting (rpc) for server calls,
> > a) In a J2EE project we will use session Id to ensure the call comes from the same user. Is it necessary in the flex client also? If so, how can we achieve session Id in the client, some example also.
> > b) I have a login module in my application, may I need to authenticate each of my remote calls from flex.
> >
> > Tom please don't lose my chance to get an answer from others who could kindly answer me, even if it's a blunder... all are not genius like you but everybody uses google and adobe docs first..
> >
> > Regards,
> > Razak
> >
> > --- In [EMAIL PROTECTED] ups.com, Tom Chiverton <tom.chiverton@ ...> wrote:
> > >
> > > On Thursday 09 Oct 2008, Abdul Razak PM wrote:
> > > > Please provide some links to study more about it.
> > >
> > > Is Google and Adobe's docs site broken ?
> > >
> > > > Also What's the possibility of Hacking our code if we didn't make it secure?
> > >
> > > Threat assessment is a whole skill in itself, you'd have to explain a lot more about what your service is, who is likely to attack it and with what resources.
> > >
> > > > It's very helpful to get its theoretical explanations too.
> > >
> > > Schneier's blog and /Beyond Fear/ book are good.
> > >
> > > --
> > > Tom Chiverton
> > > Helping to quickly leverage third-generation e-commerce
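As an added example (not code from this thread or from BlazeDS), this is the server-side gate Razak is asking about: each remote method checks the container-authenticated identity and role of the caller before doing anything, so a hand-built client that knows the method names is still refused. It assumes BlazeDS remoting on a J2EE container with form login and the roles "user" and "admin" declared in web.xml; `LoanDao`, `LoanRequest` and the method bodies are hypothetical.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import flex.messaging.FlexContext;

// Added example: the remote-object destination behind the calls listed in
// the thread. Authorization lives here, on the server, per call. The Flex
// menus only decide what the GUI shows; any client written against the
// same methods bypasses them, so the server must not trust the client.
public class LoanService {

    private final LoanDao loanDao;          // hypothetical persistence helper

    public LoanService(LoanDao loanDao) { this.loanDao = loanDao; }

    // FlexContext's getters are static, but they read per-request state
    // that BlazeDS sets on the worker thread before dispatching, so this
    // is the calling user's request and container session, not a shared one.
    private static Principal requireRole(String role) {
        HttpServletRequest req = FlexContext.getHttpRequest();
        Principal who = (req == null) ? null : req.getUserPrincipal();
        if (who == null) {
            throw new SecurityException("login required");   // surfaces as a fault in Flex
        }
        if (!req.isUserInRole(role)) {
            throw new SecurityException("role '" + role + "' required");
        }
        return who;
    }

    public String createLoanRequest(LoanRequest r) {
        Principal who = requireRole("user");
        // Bind the record to the authenticated identity; never take the
        // owner's user id from the object the client sent.
        return loanDao.create(r, who.getName());
    }

    public LoanRequest searchLoanDetls(String loanId) {
        Principal who = requireRole("user");
        boolean admin = FlexContext.getHttpRequest().isUserInRole("admin");
        LoanRequest r = loanDao.find(loanId);
        // Object-level check: a user may read only his own loan, admin any.
        if (!admin && !r.getOwner().equals(who.getName())) {
            throw new SecurityException("not your loan");
        }
        return r;
    }

    public void approveLoanDetails(String loanId) {
        requireRole("admin");                 // role gate, whatever menu the client showed
        loanDao.approve(loanId);
    }
}
```

The same `requireRole` call goes at the top of `changeLoanStatus` and `insertLoanInstallmentDetls`; HTTPS only protects the channel and says nothing about who is allowed to call what.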

