Hi!
Zend_Amf_Server performs authentication only if it receives AMF
CREDENTIALS_HEADER.
So if my Flash app doesn't send the CREDENTIALS_HEADER it gets access to all
server methods.
Authentication that can be turned off by the client makes no sense to me.
Please explain why it is implemented this way.
I think there's a confusion between authentication and authorization.
Authentication checks that you are who you say you are.
Authorization checks that you (with "you" provided by authentication)
are allowed to do certain things. So, if you have some methods that are
not allowed for an unauthenticated user, he will be denied permission to
run them.
Zend_Amf does authorization through ACLs, see "Authentication" part in
http://framework.zend.com/manual/en/zend.amf.server.html where it
describes setAcl() method.
So, there are two things to clarify:
1. If you didn't provide any credentials, there's nothing to authorize
2. That doesn't automatically make you ineligible to access methods -
ACL defines that.
--
Stanislav Malyshev, Zend Software Architect
[email protected] http://www.zend.com/
(408)253-8829 MSN: [email protected]
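As an added illustration (not code from the thread or from the Zend Framework manual), here is a Zend_Amf_Server setup against the ZF 1.x API that makes the ACL decision explicit: a request without a credentials header is evaluated under the built-in guest role (Zend_Amf_Constants::GUEST_ROLE), so any method not allowed to that role is refused until the client authenticates. The service class, adapter, account and method names are constructed for the example.

```php
<?php
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Amf/Server.php';
require_once 'Zend/Amf/Constants.php';
require_once 'Zend/Amf/Auth/Abstract.php';
require_once 'Zend/Auth/Result.php';

// Constructed service class exposed over AMF.
class StockService
{
    public function getQuote($symbol)      { return array('symbol' => $symbol, 'price' => 42.0); }
    public function placeOrder($symbol, $qty) { return 'order accepted'; }
}

// Constructed adapter: when the client does send the credentials header,
// the server hands the username/password to setCredentials() and calls authenticate().
class DemoAuth extends Zend_Amf_Auth_Abstract
{
    public function authenticate()
    {
        // Demo-only account; a real adapter checks a user store, never a literal.
        if ($this->_username === 'alice' && $this->_password === 'demo-password') {
            $identity = new stdClass();
            $identity->role = 'member';   // the server reads ->role from the Zend_Auth identity
            return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
        }
        return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null);
    }
}

$acl = new Zend_Acl();
// GUEST_ROLE is the role applied when no credentials header arrived at all.
$acl->addRole(new Zend_Acl_Role(Zend_Amf_Constants::GUEST_ROLE));
$acl->addRole(new Zend_Acl_Role('member'));
// The resource name is the service class name, which is what the server checks against.
$acl->add(new Zend_Acl_Resource('StockService'));
// Zend_Acl denies anything not explicitly allowed: anonymous callers may only read
// quotes, authenticated members may also place orders.
$acl->allow(Zend_Amf_Constants::GUEST_ROLE, 'StockService', array('getQuote'));
$acl->allow('member', 'StockService', array('getQuote', 'placeOrder'));

$server = new Zend_Amf_Server();
$server->setClass('StockService');
$server->setAuth(new DemoAuth());
$server->setAcl($acl);   // without this call every method is reachable, credentials or not
echo $server->handle();
```

With this wiring, a Flash client that omits the credentials header can call getQuote but gets an "Access not allowed" fault for placeOrder, which is the behaviour the reply describes as authorization rather than authentication.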