WS-Security is not supported by Flex out of the box. Has anyone
tackled this, or if not could someone give a high-level view of how
they might accomplish this? I can't seem to create a user in the Adobe
forums to post it to find out if this might be added in an upcoming
support point release???
I was asking about the same not so long ago, as I think this is a very
important issue to resolve - sooner or later in a *real* app, you will
face an authorization problem with webservices.
My thoughts on topic:
1) Manual creation of the SOAP Headers will not work because the token
has a set expiration time based on timestamp, username, password.
Building that logic up in the client app would expose the credentials
in the .swf.
I don't know if I understood you correctly - are you sure about the
exposure?
If the user and password credentials are put in by the user dynamically at
runtime, are credentials unsafe then?
They are dynamically stored, so you cannot decompile it? Or can you?
We're currently exploring this way, trying to add custom headers to
the webservice...
2) Using Axis to create a proxy of the true WS-Secure web service
might be viable, but seems dumb to create a web service wrapper for an
already exposed web service. Plus, my knowledge on the Java side is
limited and the googles on Eclipse WTP and doing this haven't yielded
much more than a headache.
I agree, this solution looks bad to me also. Webservices shouldn't be
hidden.
I don't want to promote anything, but ... just don't use Axis for
webservices on the Java server side. :)
Try XFire. We are using it in our third project now, and I enjoy the
performance and elegance of this solution. If you want WTP-like support
for Eclipse, try MyEclipseIDE, as it has the newest XFire support
bundled and working very well.
3) With the FDS Plugin facet for Eclipse WTP in theory I can code both
Java and mxml / as3 into one. If that is the case, could I write a
component (SecureWS) to extend mx.rpc.soap.WebService to add the WSS4J
functionality I'm after? The user / pass parameters would then be
stored as part of the named proxy service on FDS. Everything secure
and connective.
Also something I'd happily share back to the community if I can get
some help on how I'd tackle #3.
We're not using Flex Data Services, just plain WS, but I'd love to help
with the mxml/as3 implementation (extending soap) or testing on the
client side, as this is top priority for my current project right now.
--
| Sebastian Zarzycki
Microplan Polska
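
An added example, not part of the original thread and not Flex or WSS4J code: a sketch of the timestamp-bound token from point 1, using the PasswordDigest form of the WS-Security UsernameToken (Base64(SHA-1(nonce + created + password)) per the OASIS UsernameToken Profile). The function names, the in-memory nonce set and the 5-minute window are assumptions chosen for illustration; the credentials are passed in at runtime rather than compiled into the client.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamp format used for wsu:Created

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile: Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_token(username, password, now=None, nonce=None):
    """Client side: credentials are passed in at runtime, not compiled in."""
    created = (now or datetime.now(timezone.utc)).strftime(FMT)
    nonce = nonce or os.urandom(16)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}

def verify_token(token, lookup_password, seen_nonces, now=None,
                 max_age=timedelta(minutes=5)):  # window is an assumption
    """Server side: returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    try:
        user, digest = token["Username"], token["PasswordDigest"]
        created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(token["Nonce"], validate=True)
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    if abs(now - created) > max_age:
        return False, "stale"            # token outside its validity window
    if (user, token["Nonce"]) in seen_nonces:
        return False, "replay"           # same nonce presented twice
    password = lookup_password(user)
    if password is None:
        return False, "unknown user"
    expected = password_digest(nonce, token["Created"], password)
    if not hmac.compare_digest(expected.encode(), str(digest).encode()):
        return False, "bad digest"
    seen_nonces.add((user, token["Nonce"]))
    return True, "ok"
```

The password itself never appears in the header, but the server has to hold it (or an equivalent secret) to recompute the digest, so the exchange still belongs on HTTPS.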