You make use of the HTTP sessions for RemoteObject too. Just make sure
you're communicating with the server over secure HTTP, such as
mx.messaging.channels.SecureAMFChannel (which posts binary AMF over
HTTPS). Cookies are sent on subsequent requests to maintain your
session.

You have two options for securing your RemoteObject endpoint:

1.) Assuming you're using LCDS 2.5.1 or BlazeDS Beta as your server for
now, you can either lock down the message broker servlet URL or some
sub-path of this in your /WEB-INF/web.xml with BASIC authentication.
Note that this has the disadvantage of locking down all requests to a
particular endpoint and it presents an HTTP Basic challenge dialog to
the user outside of the Flash Player.

2.) Or you can rely on custom authentication and lock down your endpoint
(or individual destinations) with a <security-constraint> in
/WEB-INF/flex/services-config.xml (or in an individual destination
config in /WEB-INF/flex/remoting-config.xml) - for which you use the
setCredentials() API on RemoteObject to send credentials to the message
broker. With this approach you have finer control over what is
accessible and you can create your own custom login UI.

Both mechanisms also allow for role-based authorization.

There should be documentation on this in LCDS.
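An added example of option 2, not from the reply's author or the LCDS/BlazeDS documentation: a services-config.xml security section plus a remoting-config.xml destination that together require custom authentication, a role, and the SecureAMFChannel (binary AMF over HTTPS), with the plain AMF-over-HTTP channel shown beside it for contrast. The destination id, the server-side class, the channel ids, the role name and the choice of TomcatLoginCommand are assumptions, and the element names follow the BlazeDS 3.x / LCDS 2.5 schema as I recall it.

```xml
<!-- services-config.xml (added example; element names per BlazeDS 3.x / LCDS 2.5 schema) -->
<services-config>
  <services>
    <service-include file-path="remoting-config.xml"/>
  </services>

  <security>
    <!-- Custom auth: credentials arrive via RemoteObject.setCredentials(), not through a
         browser Basic-auth dialog. The login command class is an assumption (Tomcat). -->
    <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>

    <!-- Named constraint that destinations reference; only callers in these roles may invoke them. -->
    <security-constraint id="trusted-users">
      <auth-method>Custom</auth-method>
      <roles>
        <role>accountholder</role>
      </roles>
    </security-constraint>
  </security>

  <channels>
    <!-- Weak: plain AMF over HTTP; credentials and session cookies cross the wire in clear. -->
    <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
      <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"
                class="flex.messaging.endpoints.AMFEndpoint"/>
    </channel-definition>

    <!-- Corrected: binary AMF over HTTPS, as the reply recommends. -->
    <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
      <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure"
                class="flex.messaging.endpoints.SecureAMFEndpoint"/>
    </channel-definition>
  </channels>
</services-config>

<!-- remoting-config.xml: the destination exposing a hypothetical server-side class -->
<destination id="accountService">
  <properties>
    <source>com.example.AccountService</source>
  </properties>
  <!-- Only authenticated callers in the referenced roles reach this destination. -->
  <security>
    <security-constraint ref="trusted-users"/>
  </security>
  <!-- Pin the destination to the HTTPS channel; leaving my-amf out keeps the plain endpoint off it. -->
  <channels>
    <channel ref="my-secure-amf"/>
  </channels>
</destination>
```

On the client, call setCredentials(username, password) on the RemoteObject before its first invocation; the message broker passes those credentials to the login command and, on success, the session cookie carries the authenticated state on later requests.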


-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of lytvynyuk
Sent: Monday, January 07, 2008 3:33 PM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: Handling authorization/Authentication info
using remoteObject services

I would like to know about this more too. People please share!

--- In flexcoders@yahoogroups.com, "bdealy1" <[EMAIL PROTECTED]> wrote:
>
> Hi,
> I am implementing a system which makes use of RemoteObject services 
> within flex to speak to server side services like database, and other 
> server-side code.  What I am wondering is what are the best practices 
> for securing the remoteObject services from being called either 
> directly, or via a client which might have been altered through 
> reverse-engineering, etc.
> 
> In the past I would have perhaps done this with HttpSession objects...
> is there a similar mechanism for flex remote objects?  or maybe I am 
> just missing the obvious due to inexperience.
> 
> Any thoughts/advice appreciated.
> regards,
> 
> Brian
>




--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives:
http://www.mail-archive.com/flexcoders%40yahoogroups.com