Hi Tom,

We are a public facing application, so no HTTPS and no authenticated
services...
Thank you very much for the "method-access-level" parameter of the service
XML file, this is exactly what I was looking for. 

So, to summarize...
To secure your ColdFusion service CFCs for Flex 2 only:

1. Put a cross-domain.xml policy file in your web root, with the parameter
<allow-access-from domain="*.yourdomain.com" />
so that only SWFs served by your domain can call your services and load your
data.

2. In your WEB-INF/flex/services-config.xml, change the parameter
<method-access-level>remote</method-access-level> to
<method-access-level>public</method-access-level>
And use access="public" in your service CFCs, so that your service CFCs can
only be called by the flex2gateway and not by webservice calls.

Have fun!

Benoit Hediard

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On behalf of
Tom Chiverton
Sent: Wednesday, 26 July 2006 10:18
To: [email protected]
Subject: Re: [flexcoders] Securing coldfusion remoting services for flex 2

On Tuesday 25 July 2006 15:58, Benoit Hediard wrote:
> What are the best practices to secure coldfusion remoting services for 
> Flex2?

I've been trying to get them to run over HTTPS for a start, with no luck so
far :-(

> On the flash/flex side, we have configured the cross domain policy
> file on our server, so that only swf served by our domain can call our
> services.
> That's fine.

We've used Apache (as a front end proxy via mod_jrun) to lock things down to
specific IP addresses, and if you don't mind a login prompt you can use HTTP
basic/digest protection too.

> Is it possible to allow only flex remote object calls on our services?
> That would solve the issue.

What you could do is tweak the services XML file so that public methods can
be invoked by Flash over remoting, and not have any 'remote' methods in
your CFCs.

> Any suggestions?

Consider using named destinations, one per CFC, rather than the default '*'.

--
Tom Chiverton



--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
Yahoo! Groups Links
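
An added example, not part of the original thread and not Adobe's code: a small Python audit of the two steps above plus Tom's suggestions (named destinations, no 'remote' methods in the CFCs). The sample XML and CFC text are constructed, and the element layout around `<source>` and `<method-access-level>` is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the thread). The nesting around <source>
# and <method-access-level> is an assumed layout of a services-config.xml.
CROSSDOMAIN = """<cross-domain-policy>
  <allow-access-from domain="*.yourdomain.com" />
  <allow-access-from domain="*" />
</cross-domain-policy>"""
SERVICES = """<services-config><services><service id="remoting">
  <destination id="ColdFusion"><properties>
    <source>*</source>
    <access><method-access-level>remote</method-access-level></access>
  </properties></destination>
  <destination id="userService"><properties>
    <source>com.example.UserService</source>
    <access><method-access-level>public</method-access-level></access>
  </properties></destination>
</service></services></services-config>"""
CFC = """<cfcomponent>
  <cffunction name="getUser" access="public" returntype="struct"></cffunction>
  <cffunction name="ping" access="remote" returntype="string"></cffunction>
</cfcomponent>"""

def audit_crossdomain(xml_text, allowed):
    """Return policy domains that are neither `allowed` nor a subdomain of it."""
    # The policy file is enforced by Flash Player: it limits SWFs, not other HTTP clients.
    domains = [e.get("domain", "") for e in ET.fromstring(xml_text).iter("allow-access-from")]
    return [d for d in domains if not (d == allowed or d.endswith("." + allowed))]

def audit_services(xml_text):
    """Return (destination id, issue) pairs for the settings discussed in the thread."""
    issues = []
    for dest in ET.fromstring(xml_text).iter("destination"):
        source = (dest.findtext(".//source") or "").strip()
        level = (dest.findtext(".//method-access-level") or "").strip()
        if source == "*":
            issues.append((dest.get("id"), "wildcard source, use one named destination per CFC"))
        if level != "public":
            issues.append((dest.get("id"), "method-access-level is %r, expected 'public'" % level))
    return issues

def remote_methods(cfc_text):
    """Return names of cffunction tags still declared access="remote"."""
    names = []
    for tag in re.findall(r"<cffunction\b[^>]*>", cfc_text, re.I):
        if re.search(r'access\s*=\s*["\']remote["\']', tag, re.I):
            names += re.findall(r'\bname\s*=\s*["\']([^"\']*)', tag, re.I)[:1] or ["(unnamed)"]
    return names
```

Run the three functions against your own crossdomain policy, services-config.xml and CFC sources; an empty list from each means the configuration matches the summary above.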



 







