Yes, you are right. It is a static method and returns the Session for the current request, so you can use the getId method of this class.
Moreover, you may think that calling the remote methods from another GUI is not possible because they are in .class files. However, Flex sends the remote method as a string (AMF) to the servlet (I guess) and the servlet converts those into the actual calls. This link will help you see how the message is converted: http://livedocs.adobe.com/flex/201/fds2javadoc/flex/messaging/io/amf/ActionMessageInput.html

Thanks,
with Regards,
Jitendra Jain

----- Original Message ----
From: Abdul Razak PM <[EMAIL PROTECTED]>
To: [email protected]
Sent: Monday, 13 October, 2008 1:06:07 PM
Subject: [flexcoders] Re: How to make an RPC call secure

Hi jitendra,

Thank you for your reply. I'm doing form-based login and different role creation. My doubt is: even if I didn't give a role, the user who knows my remote methods can call these methods from his client (suppose he created a new GUI with my remote methods). How can I block it? HTTPS also gives secure transmission, not blocking access to the remote method. I think more knowledge of the session ID could get a solution, because if it is a Struts-J2EE transaction, J2EE will check the session ID. FlexContext.getFlexSession() is a static method, na? How can it give a session ID for each user? These are my doubts.

Regards,
Razak

--- In [EMAIL PROTECTED] ups.com, jitendra jain <jitendra_jain_ [EMAIL PROTECTED]> wrote:
>
> 1) If you see services-config.xml, following tag
>
> <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
>     <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
>     <properties>
>         <!--HTTPS requests on some browsers do not work when pragma "no-cache" are set-->
>         <add-no-cache-headers>false</add-no-cache-headers>
>     </properties>
> </channel-definition>
>
> Here the endpoints are secure as they are sent via https protocol. But if the user (client's browser) no-cache is set, it fails.
>
> 2) Try to create different roles (security-roles). For this you need to read some J2EE stuff.
>
> 3) Form-Based Authentication is least secured.
>
> So we can say that up to some extent we can secure our application. But we can't challenge.
> Thanks,
>
> with Regards,
> Jitendra Jain
>
> ----- Original Message ----
> From: Abdul Razak PM <[EMAIL PROTECTED] .>
> To: [EMAIL PROTECTED] ups.com
> Sent: Saturday, 11 October, 2008 3:04:54 PM
> Subject: [flexcoders] Re: How to make an RPC call secure
>
> Hi Jitendra,
> Thanks for your kind reply.
> Let me explain my question in detail.
> Suppose I have a small banking application:
> a) I want to ensure the user's login
> b) user can request a loan
> c) admin can approve loan
> d) admin can enter payment details etc...
> For this I have provided a Flex GUI to log in, modules to enter loan
> request details, approve details, payment details etc.
> I gave the following remote calls and implemented them with J2EE:
> createLoanRequest
> searchLoanDetls
> approveLoanDetails
> changeLoanStatus
> insertLoanInstallmentDetls
> Also I gave appropriate menus for user and admin depending on their
> privilege.
> My doubt is like this:
> i) Suppose admin is logged in to the application and doing some
> transaction. At the same time some hacker (who understands my remote
> methods) is calling some remote methods, trying to change some methods.
> It is from a different machine. Can it happen? Commonly J2EE uses the
> session ID to handle this case. In this case may I need to use
> Session (thanks Jitendra for your session help).
> ii) Is there any common method to use a validator for each method call?
> iii) If I'm wrong, please help me with the theoretical reason.
>
> Regards,
> Razak
>
> --- In [EMAIL PROTECTED] ups.com, jitendra jain <jitendra_jain_ 2007@> wrote:
> >
> > If your question is "when flex calls a java class and within the java class how
> > do I access the associated session", then the code is below and it is in the
> > documentation. The FlexSession class is located in the flex-messaging.jar.
> >
> > FlexSession session = FlexContext.getFlexSession();
> >
> > But what's the real question behind your question? What do you want to load?
> >
> > If you want to secure your calls then try to read the J2EE specs.
> >
> > Thanks,
> >
> > with Regards,
> > Jitendra Jain
> >
> > ----- Original Message ----
> > From: Abdul Razak PM <it-razak@ .>
> > To: [EMAIL PROTECTED] ups.com
> > Sent: Saturday, 11 October, 2008 9:34:29 AM
> > Subject: [flexcoders] Re: How to make an RPC call secure
> >
> > Hi All,
> > I'm a newbie in Flex. My searches and Adobe give a lot of links, but I
> > need to get specific on my topic.
> > Those who are handling security, please give me an answer
> > (theoretical) on whether a Flex GUI with J2EE as server and using
> > remoting (RPC) for server calls,
> > a) In a J2EE project we will use the session ID to ensure the call comes from
> > the same user. Is it necessary in a Flex client also? If so, how can we
> > achieve the session ID in the client? Some example also.
> > b) I have a login module in my application; may I need to
> > authenticate each of my remote calls from Flex?
> >
> > Tom, please don't lose my chance to get an answer from others who could
> > kindly answer me, even if it's a blunder... all are not genius like, but
> > everybody uses Google and Adobe docs first.
> >
> > Regards,
> > Razak
> >
> > --- In [EMAIL PROTECTED] ups.com, Tom Chiverton <tom.chiverton@ ...> wrote:
> > >
> > > On Thursday 09 Oct 2008, Abdul Razak PM wrote:
> > > > Please provide some links to study more about it.
> > >
> > > Is Google and Adobe's docs site broken?
> > >
> > > > Also what's the
> > > > possibility of hacking our code if we didn't make it secure?
> > >
> > > Threat assessment is a whole skill into itself, you'd have to explain a lot
> > > more about what your service is, who is likely to attack it and with what
> > > resources.
> > >
> > > > It's very helpful to get its theoretical explanations too.
> > >
> > > Schneier's blog and /Beyond Fear/ book are good.
> > >
> > > --
> > > Tom Chiverton
> > > Helping to quickly leverage third-generation e-commerce
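
A server-side check for the question raised in this thread (a caller who knows the remote method names invoking them from his own client), as an added example that is not code from any poster: every remote method validates the caller through `FlexContext` before doing any work, which also serves as the "common validator" asked about. The role names, the `requireRole` helper and the placeholder persistence methods are assumptions, and it needs the BlazeDS/LCDS `flex-messaging` jar on the classpath.

```java
import java.security.Principal;
import java.util.logging.Logger;
import flex.messaging.FlexContext;
import flex.messaging.FlexSession;

/** Remoting destination for two of the loan calls named in the thread. */
public class LoanService {
    private static final Logger LOG = Logger.getLogger(LoanService.class.getName());

    // Assumed role names; they must match the roles defined for the web application.
    private static final String ROLE_USER = "customer";
    private static final String ROLE_ADMIN = "admin";

    /** Common validator: every remote method calls this first. */
    private static Principal requireRole(String role, String method) {
        FlexSession session = FlexContext.getFlexSession();  // session of the current request
        Principal caller = FlexContext.getUserPrincipal();   // null when nobody is logged in
        String sid = (session == null) ? "none" : session.getId();
        if (caller == null) {
            LOG.warning("denied " + method + ": unauthenticated, session=" + sid);
            throw new SecurityException("Login required");
        }
        if (!FlexContext.isUserInRole(role)) {
            LOG.warning("denied " + method + ": user=" + caller.getName() + " lacks role " + role);
            throw new SecurityException("Not authorized");
        }
        return caller;
    }

    public long createLoanRequest(double amount) {
        Principal caller = requireRole(ROLE_USER, "createLoanRequest");
        // The owner comes from the authenticated principal, never from a client-supplied field.
        return saveRequest(caller.getName(), amount);
    }

    public void approveLoanDetails(long loanId) {
        Principal caller = requireRole(ROLE_ADMIN, "approveLoanDetails");
        markApproved(loanId, caller.getName());
    }

    // Placeholder persistence, standing in for the application's own data layer.
    private long saveRequest(String owner, double amount) { return 1L; }
    private void markApproved(long loanId, String approver) { }
}
```

Because the check runs inside the destination class, it applies no matter which client built the AMF request; hiding the admin menu in the Flex GUI does not restrict who can call `approveLoanDetails`.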

