Hello I feel your pain. Just recently we struggled through the same issues. One needs to get very creative to get some real HTTP support out of Flex and/or the browser plugins. There is no way to talk to some "generic http/rest" server with Flex (perhaps 4 is better, have not tried)
The nice thing is that writing this Tomcat filter will proof to be peanuts once you start with it and it does make a lot possible without having to change your application logic. To conclude...you are not missing something obvious as far as I know...that just the way Flex has been working for as long as it exists Peter On 04 Jun 2010, at 16:38, alwayslearningnewstuff wrote: > Hi all, > > I'm building a Flex client for a fully-authenticated server with a REST-like > API. All communication with the server will be over SSL/TLS. All requests > must be authenticated. What I've discovered, by Googling around and by trying > my own code, is that Flex makes things very, very difficult for such a > client. The problems all center around the fact that my Basic Auth headers > get removed. > > The only way I've found to get my headers over to the server is by: > > * Switching from using HTTPService to URLLoader (the former seems to strip > all headers, no matter what) > > * Changing all my GET's to POST's (because headers are always stripped from > GET requests) > > * Adding a dummy body to my POST's so that they don't get turned back into > GET's (why, for God's sake?) and have their headers stripped. > > I also need to upload files --with authentication. Headers are stripped from > FileReference.upload() calls also. I'm aware of this bug: > https://bugs.adobe.com/jira/browse/FP-1044 It appears that a fix is in the > works, which is encouraging, but it completely baffles me that this issue has > been ignored for so very long. > > I also need to display images in my client that are served by my server > --with authentication. I have have mx:Image elements with "source" properties > bound to URL's that point to my server. I know of no way to turn these > implicit GET requests into POSTs and to then somehow insert my authentication > header into them. > > At this point I'm really feeling beaten down by how difficult this all is. > Does nobody else write clients for authenticated servers? This seems so > basic. I've been a fan of Flex for years, but this is causing me to question > whether it's ready for real-world RIA's. > > I'm now considering something desperate like trying to write a Tomcat filter > that looks for credentials in a URL parameter and manufactures an > Authentication header. I don't know Tomcat well, so I'm not sure whether > filters can run before authentication is done. If that works, though, I can > go back to using my GET requests and solve my problems with upload and image > rendering. The fact that we use SSL/TLS would save us here, since the URL > parameters containing the credentials would be encrypted along with > everything else. > > Somebody please tell me that I'm missing something obvious. > > Thanks much > >