No, no sticker! There probably is limited documentation because:
 
a) there is actually not much to configure
b) since it is based on the J2EE security model, this is already documented with your app server
 
Really you just have to configure your roles in the services-config.xml and then configure your RPC and FDS services to use these roles.
 
When a remote call comes in and no valid authenticated session exists, the call will be rejected. So even if someone simulates this, it will fail.
 
Dimitrios Gianninas
RIA Developer
Optimal Payments Inc.
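The two steps described above (declare the roles in services-config.xml, then make each RPC or FDS destination require one of them) as an added configuration example; it is not from the thread and not Adobe's shipped configuration. The element names are the FDS/BlazeDS ones; the constraint id, role name, destination id, Java class name, channel names and the choice of the Tomcat login command are assumptions for illustration. The secure AMF channel covers point #1 (HTTPS) from the original reply.

```xml
<!-- services-config.xml (excerpt, added example): roles and a login command -->
<services-config>
    <security>
        <!-- Assumed constraint id and role name; the role itself is defined
             and mapped to users by the application server (J2EE model). -->
        <security-constraint id="trusted">
            <!-- Custom: the client supplies credentials via setCredentials();
                 Basic: the browser uses HTTP Basic authentication. -->
            <auth-method>Custom</auth-method>
            <roles>
                <role>client</role>
            </roles>
        </security-constraint>

        <!-- Delegates authentication to the container; pick the class and
             server value matching your app server (Tomcat assumed here). -->
        <login-command class="flex.messaging.security.TomcatLoginCommand"
                       server="Tomcat"/>
    </security>

    <channels>
        <!-- Point #1: carry AMF over HTTPS so credentials and data are encrypted. -->
        <channel-definition id="my-secure-amf"
                            class="mx.messaging.channels.SecureAMFChannel">
            <endpoint uri="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure"
                      class="flex.messaging.endpoints.SecureAMFEndpoint"/>
        </channel-definition>
    </channels>
</services-config>

<!-- remoting-config.xml (excerpt, added example): bind a destination to the role -->
<service id="remoting-service" class="flex.messaging.services.RemotingService">
    <!-- Assumed destination id and Java class. Any call arriving without an
         authenticated session holding the "client" role is rejected by the
         server before the Java method runs, whatever client produced it. -->
    <destination id="accountService" channels="my-secure-amf">
        <properties>
            <source>com.example.AccountService</source>
        </properties>
        <security>
            <security-constraint ref="trusted"/>
        </security>
    </destination>
</service>
```

A quick check that the constraint is in force: invoke the destination from a client that has not authenticated and confirm the server answers with a fault instead of a result; only after the client logs in with container-recognised credentials should the same call succeed. The same `<security>` block applies to Data Service and Messaging destinations, which is why the original reply says the approach is the same for RPC and FDS.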
 


From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of hank williams
Sent: Monday, August 07, 2006 9:37 AM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] Security Question



On 8/7/06, Dimitrios Gianninas <dimitrios.gianninas@optimalpayments.com> wrote:
My company is releasing its first external facing Flex application; it is used by our clients to update various types of information. Yes, someone could create an application to simulate the Flex app, so here are the two things to do:
 
1) run the app under HTTPS - to encrypt all traffic
2) use the role-based security provided by your J2EE server
 

With #2, this means that before any incoming traffic is accepted by Flex, the user will have to be authenticated, and if they are not, the call is rejected.
 
This is the same for RPC or using FDS.


I sort of assumed both of these, and in the Flash version of my apps I do something similar. But particularly with #2, using J2EE security really requires expertise outside the scope of what is described and documented for Flex or FDS. So this really means that out of the box, Flex and particularly FDS is not secure, since there are no APIs to facilitate this. It would seem to me that support for security would be built into FDS. Interestingly, though, there is very little (at least as far as I have seen) discussion about this. It just seems that every Flex application is wearing a giant "Hack Me" sticker on its forehead.

Regards
Hank

