Re: [flexcoders] A security question...

2010-02-12 Thread Warren
</filters>
</target>
</logging>

<system>
</system>

</services-config>

  - Original Message - 
  From: Laurence MacNeill 
  To: flexcoders@yahoogroups.com 
  Sent: Thursday, February 11, 2010 10:17 PM
  Subject: Re: [flexcoders] A security question...



  At 08:40 PM 2/11/2010, you wrote:

You can and (i think) should do both.
 
In my world of flex 3, I have created a secure destination (and channel) in 
the Flex services-config.xml file and use this for my remote object connection. 
 I can post it if you like.
 
Warren Koch


  Do you use it for all your RO connections?  Because I don't really want to 
use SSL for every connection -- just the few that I need encrypted...  Is there 
a way to turn on encryption just for one or two ROs, and leave the rest 
insecure?  I'm concerned about speed and bandwidth -- secure connections are 
slower and take up more bandwidth.  I don't want to bog the server down with 
thousands of SSL ROs when I only need a few...

  But yeah, I'd definitely like to see what you've created there -- please post 
it at your earliest convenience.

  Thanks,

  Laurence MacNeill
  Mableton, Georgia, USA

Re: [flexcoders] A security question...

2010-02-11 Thread Jochem van Dieten
On 2/11/10, Booking Heaven wrote:
 The best thing to do is to encrypt it on the client side before
 it is passed to the web service (whatever it is, https or http), because a
 man-in-the-middle attack can tap your credit-card information before it is
 passed to the web service.

With the method proposed the Flash Player plugin will hand the data
off to the browser and the browser will encrypt it using SSL and send
it to the webservice. Are you suggesting that there may be a man in
the middle between the Flash Player plugin and the browser? It seems a
bit of a far-fetched scenario. Surely a simple keylogger would be much
more likely as an attack vector.

Jochem

-- 
Jochem van Dieten
http://jochem.vandieten.net/


[flexcoders] Another security question...

2010-02-11 Thread Laurence MacNeill
With all this talk about security, I figured now was the time to get 
SSL running on my Windows Server 2003 computer...

I'm sure that others here have dealt with this before -- so although 
it's not specifically a Flex topic, I'd imagine it'd be of interest 
to enough members that my posting this here won't be totally 
offensive to everyone.

Anyway -- I installed Certificate Services from the Add/Remove 
Programs on the Control Panel.  That seems to have completed successfully.

I've completed the steps in IIS to 'request a certificate' -- saved 
the request to a file on my desktop.

Now, the next step is supposed to be going to 
'http://localhost/CertSrv' and creating a new certificate from my 
.txt file that contains the saved request.  But when I browse to that 
page, it says 404 Page Not Found.

I've checked all the usual suspects -- IIS shows that CertSrv is a 
valid page, all the proper .ASP files are in there, ASP services are 
enabled on my IIS server, at a command prompt 'certutil -vroot' says 
all the virtual pages and directories are properly installed...   I'm 
just at a complete loss as to why my browser can't find the CertSrv 
page...  Heck -- I even rebooted the computer, just in case that was it.

Anyone dealt with this before?  Got any tips?

Thanks,

Laurence MacNeill
Mableton, Georgia, USA



Re: [flexcoders] A security question...

2010-02-11 Thread Warren
You can and (i think) should do both.

In my world of flex 3, I have created a secure destination (and channel) in the 
Flex services-config.xml file and use this for my remote object connection.  I 
can post it if you like.

Warren Koch


  - Original Message - 
  From: Laurence 
  To: flexcoders@yahoogroups.com 
  Sent: Wednesday, February 10, 2010 8:18 PM
  Subject: [flexcoders] A security question...



  So, let's say I have a mx:RemoteObject in my program... I want it to 
communicate with the server via SSL, or some other method whereby the 
credit-card numbers it sends to-and-from the server are encrypted.

  Here's how it's structured currently:
  <mx:RemoteObject id="roPaymentInfo" destination="ColdFusion"
      showBusyCursor="true" source="{'cfcs.dao.PaymentsDAO'}">
      <mx:method name="getPayments" result="roGetPaymentsResultHandler(event)"
          fault="roFaultHandler(event)"/>
      <mx:method name="addPayment" result="roAddPaymentResultHandler(event)"
          fault="roFaultHandler(event)"/>
  </mx:RemoteObject>

  Do I have to make my entire program secure via an https:// in the URL, or is 
there a way to encrypt just that one mx:RemoteObject? If there is a way to 
secure just the one object, how is that done?

  Thanks,
  Laurence MacNeill
  Mableton, Georgia, USA


[flexcoders] A security question...

2010-02-10 Thread Laurence
So, let's say I have a mx:RemoteObject in my program...  I want it to 
communicate with the server via SSL, or some other method whereby the 
credit-card numbers it sends to-and-from the server are encrypted.

Here's how it's structured currently:
<mx:RemoteObject id="roPaymentInfo" destination="ColdFusion"
    showBusyCursor="true" source="{'cfcs.dao.PaymentsDAO'}">
    <mx:method name="getPayments" result="roGetPaymentsResultHandler(event)"
        fault="roFaultHandler(event)"/>
    <mx:method name="addPayment" result="roAddPaymentResultHandler(event)"
        fault="roFaultHandler(event)"/>
</mx:RemoteObject>

Do I have to make my entire program secure via an https:// in the URL, or is 
there a way to encrypt just that one mx:RemoteObject?  If there is a way to 
secure just the one object, how is that done?

Thanks,
Laurence MacNeill
Mableton, Georgia, USA
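
Putting Warren's suggestion next to Laurence's question, as an added example constructed for this thread (not Warren's posted services-config.xml): a second, HTTPS-only AMF channel, a destination bound to that channel alone, and just the payment RemoteObject pointed at it while everything else stays on plain AMF. Channel ids follow ColdFusion's default names; the destination id ColdFusionSecure and the /flex2gateway/cfamfsecure endpoint path are assumptions.

```xml
<!-- services-config.xml: the existing plain AMF channel plus a second, HTTPS-only
     channel. Channel ids follow ColdFusion's default names; the /cfamfsecure path is
     assumed to be the secure gateway endpoint. -->
<channels>
    <channel-definition id="my-cfamf" class="mx.messaging.channels.AMFChannel">
        <endpoint uri="http://{server.name}:{server.port}{context.root}/flex2gateway/"
                  class="flex.messaging.endpoints.AMFEndpoint"/>
    </channel-definition>
    <channel-definition id="my-cfamf-secure" class="mx.messaging.channels.SecureAMFChannel">
        <endpoint uri="https://{server.name}:{server.port}{context.root}/flex2gateway/cfamfsecure"
                  class="flex.messaging.endpoints.SecureAMFEndpoint"/>
    </channel-definition>
</channels>

<!-- remoting-config.xml: a separate destination (hypothetical id "ColdFusionSecure")
     that lists ONLY the secure channel, so a client cannot fall back to plain AMF for
     it. The default "ColdFusion" destination stays on my-cfamf for everything else. -->
<destination id="ColdFusionSecure">
    <channels>
        <channel ref="my-cfamf-secure"/>
    </channels>
    <properties>
        <source>*</source>
        <access>
            <use-mappings>true</use-mappings>
            <method-access-level>remote</method-access-level>
        </access>
    </properties>
</destination>

<!-- Application MXML: only the payment RemoteObject is pointed at the secure
     destination, so only the credit-card calls pay the TLS cost. -->
<mx:RemoteObject id="roPaymentInfo" destination="ColdFusionSecure"
    showBusyCursor="true" source="{'cfcs.dao.PaymentsDAO'}">
    <mx:method name="getPayments" result="roGetPaymentsResultHandler(event)"
        fault="roFaultHandler(event)"/>
    <mx:method name="addPayment" result="roAddPaymentResultHandler(event)"
        fault="roFaultHandler(event)"/>
</mx:RemoteObject>
```

The browser sends the same session cookie on both channels, so a session the rest of the application establishes over plain HTTP is still exposed there; the secure destination protects the payment payloads, not the session.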

Re: [flexcoders] A security question...

2010-02-10 Thread Booking Heaven
The best thing to do is to encrypt it on the client side before it is passed 
to the web service (whatever it is, https or http), because a man-in-the-middle 
attack can tap your credit-card information before it is passed to the web service. 

Reinhart

--- On Wed, 2/10/10, Laurence lmacne...@comcast.net wrote:

From: Laurence lmacne...@comcast.net
Subject: [flexcoders] A security question...
To: flexcoders@yahoogroups.com
Date: Wednesday, February 10, 2010, 6:18 PM

So, let's say I have a mx:RemoteObject in my program...  I want it to 
communicate with the server via SSL, or some other method whereby the 
credit-card numbers it sends to-and-from the server are encrypted.

Here's how it's structured currently:
<mx:RemoteObject id="roPaymentInfo" destination="ColdFusion"
    showBusyCursor="true" source="{'cfcs.dao.PaymentsDAO'}">
    <mx:method name="getPayments" result="roGetPaymentsResultHandler(event)"
        fault="roFaultHandler(event)"/>
    <mx:method name="addPayment" result="roAddPaymentResultHandler(event)"
        fault="roFaultHandler(event)"/>
</mx:RemoteObject>

Do I have to make my entire program secure via an https:// in the URL, or is 
there a way to encrypt just that one mx:RemoteObject?  If there is a way to 
secure just the one object, how is that done?

Thanks,
Laurence MacNeill
Mableton, Georgia, USA

Re: [flexcoders] Flex2Gateway Security Question

2007-10-26 Thread João Fernandes
By default you can only invoke remote functions, not public ones. To 
allow public functions to be called from a flex front-end you need to 
change the configuration of the ColdFusion destination.
Check the remoting-config.xml if you have the method-access-level 
property set to remote. To allow both public and remote this value is 
set to 'public and remote'.
-- 

João Fernandes

http://www.onflexwithcf.org
http://www.riapt.org
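
As an added illustration of João's answer (constructed for this thread, not taken from the ColdFusion distribution): the remoting-config.xml destination with the access level that exposes public methods, beside the shipped default that limits the gateway to remote ones, and a hypothetical PaymentsDAO.cfc showing what each setting makes reachable from a Flash client.

```xml
<!-- remoting-config.xml for the ColdFusion Flex2Gateway. Constructed example; the
     element names follow the default ColdFusion file, the CFC below is hypothetical. -->

<!-- WEAK: with method-access-level "public" every access="public" method of any CFC
     reachable through source="*" is callable from a Flash client, including model
     methods that carry no roles attribute because they were never meant to be remote. -->
<destination id="ColdFusion">
    <channels>
        <channel ref="my-cfamf"/>
    </channels>
    <properties>
        <source>*</source>
        <access>
            <use-mappings>true</use-mappings>
            <method-access-level>public</method-access-level>
        </access>
    </properties>
</destination>

<!-- CORRECTED: "remote" (the shipped default) exposes only access="remote" methods,
     so the public/remote keyword is the gateway boundary Geoff assumed he had. -->
<destination id="ColdFusion">
    <channels>
        <channel ref="my-cfamf"/>
    </channels>
    <properties>
        <source>*</source>
        <access>
            <use-mappings>true</use-mappings>
            <method-access-level>remote</method-access-level>
        </access>
    </properties>
</destination>

<!-- PaymentsDAO.cfc (hypothetical): what each setting exposes. getPayments is the
     intended gateway method; loadRaw is internal and must stay out of reach. -->
<cfcomponent>
    <cffunction name="getPayments" access="remote" roles="customer" returntype="query">
        <cfreturn loadRaw()>
    </cffunction>
    <cffunction name="loadRaw" access="public" returntype="query">
        <!-- callable from Flash only when method-access-level is "public" -->
        <cfset var q = "">
        <cfquery name="q" datasource="payments">SELECT * FROM payments</cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
```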



[flexcoders] Flex2Gateway Security Question

2007-10-26 Thread geoffreymina
OK, I have come across something that I find VERY disturbing.  It 
appears that the Flex2Gateway can invoke any access=remote or 
access=public CFFunction.

I have developed a very large OO application for use with a Flex front 
end.  My gateway components are all declared with remote access 
functions but their roles are properly set to NOT allow unauthorized 
access.  The model objects all have their methods declared public with 
no roles defined... because, well, I assumed they couldn't be invoked 
directly from the web.

Does anyone know if it is possible to change the scope of what the 
Flex2Gateway will allow access to?  Perhaps I am off base here... maybe 
there is some higher level security which I am missing.

Thanks,
Geoff



[flexcoders] Re: Security Question

2006-08-07 Thread Dave Wolf
As Dimitrios says, the security is all handled and managed by the J2EE
container.  That security model might be one of the most tried and
tested architectures in the last 10 years and is plenty robust.

But you do point out a big issue.  How many folks who are new to web
development and security in a distributed environment and have been
drawn to the RIA market from places where they didn't have to worry
about security and security models in general?  Then there is the need
to learn and understand the J2EE security model specifically.  How do
you configure encryption, authentication, authorization, etc?

In our case that was the world we came from and have simply adapted
our passion for the users' experience into what we can do with a tool
like Flex.  

Do rest assured, we have exercised Flex and its integration into the
J2EE security model and it is quite seamless and transparent.  We have
some pretty bright cookies here in security (including folks like
authors of books on J2EE security) and have integrated Flex with
almost all of it by now for our clients.  There's nothing about Flex
that is going to need that sticker.  Some developers who are new to
this all... well...

-- 
Dave Wolf
Cynergy Systems, Inc.
Adobe Flex Alliance Partner
http://www.cynergysystems.com
http://www.cynergysystems.com/blogs

Email:  [EMAIL PROTECTED]
Office: 866-CYNERGY






--- In flexcoders@yahoogroups.com, Dimitrios Gianninas
[EMAIL PROTECTED] wrote:

 No, no sticker! There probably is limited documentation because:
  
 a) there is actually not much to configure
 b) since it is based on the J2EE security model, this is already
documented with your app server
  
 Really you just have to configure your roles in the
services-config.xml and then configure your RPC and FDS services to
use these roles. 
  
 When a remote call comes in and no valid authenticated session
exists, the call will be rejected. So even if someone simulates this,
it will fail. 
  
 Dimitrios Gianninas
 RIA Developer
 Optimal Payments Inc.
  
 
 
 
 From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of hank williams
 Sent: Monday, August 07, 2006 9:37 AM
 To: flexcoders@yahoogroups.com
 Subject: Re: [flexcoders] Security Question
 
 
 
 
 
 
 On 8/7/06, Dimitrios Gianninas [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]  wrote: 
 
   My company is releasing its first external facing Flex application
it is used by our clients to update various types of information. Yes,
someone could create an application to simulate the Flex app, so here
are the two things to do:

   1) run the app under HTTPS - to encrypt all traffic
   2) use the role-based security provided by your J2EE server
 
  
 
 
   With #2, this means that before any incoming traffic is accepted by
flex, the user will have to be authenticated and if it is not, the
call is rejected. 

   This is the same for RPC or using FDS.
 
 
 
 I sort of assumed both of these, and in the flash version of my apps
I do something similar. But particularly with #2 using J2EE security
really requires expertise outside the scope of what is described and
documented for Flex or FDS. So this really means that out of the box,
Flex and particularly FDS is not secure since there are no APIs to
facilitate this. It would seem to me that support for security would
be built into FDS. Interestingly though there is very little (at least
as far as I have seen) discussion about this. It just seems that every
Flex application is wearing a giant Hack Me sticker on its forehead. 
 
 Regards
 Hank
 
 
 
 
  
 
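
Dimitrios' second step, as an added example that is not part of the original post: a role constraint declared in services-config.xml, applied to an RPC destination in remoting-config.xml, and the Flex client logging in over the same channel before its first call. The role name, destination id, Java class and remote method are assumptions; the login command shown is the Tomcat one that ships with FDS.

```xml
<!-- services-config.xml (Flex Data Services). Constructed example, not Dimitrios'
     configuration: the role name "clients" is assumed. The J2EE container does the
     authentication; FDS only checks the role before dispatching the call. -->
<security>
    <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
    <security-constraint id="authenticated-clients">
        <auth-method>Custom</auth-method>
        <roles>
            <role>clients</role>
        </roles>
    </security-constraint>
</security>

<!-- remoting-config.xml: bind the RPC destination to that constraint. A call that
     arrives without an authenticated session holding the "clients" role is rejected
     before the Java method runs, so a hand-built client that mimics the Flex app still
     has to log in. The Java class name is hypothetical. -->
<destination id="accountInfo">
    <properties>
        <source>com.example.AccountInfoService</source>
    </properties>
    <security>
        <security-constraint ref="authenticated-clients"/>
    </security>
</destination>

<!-- Flex client (MXML): authenticate over the same channel before the first call.
     With auth-method Custom the credentials ride on the AMF request and the
     login-command validates them in the container; run this channel over HTTPS (#1). -->
<mx:RemoteObject id="ro" destination="accountInfo" fault="onFault(event)"/>
<mx:Script><![CDATA[
    import mx.rpc.events.FaultEvent;

    private function loadAccount(user:String, password:String):void {
        ro.setCredentials(user, password);   // attached to the next request
        ro.getSummary();                     // hypothetical remote method
    }

    private function onFault(e:FaultEvent):void {
        // a rejected (unauthenticated or wrong-role) call surfaces here as a fault
        trace(e.fault.faultCode + ": " + e.fault.faultString);
    }
]]></mx:Script>
```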