As Dimitrios says, the security is all handled and managed by the J2EE
container.  That security model might be one of the most tried and
tested architectures in the last 10 years and is plenty robust.

But you do point out a big issue.  How many folks who are new to web
development and security in a distributed environment have been
drawn to the RIA market from places where they didn't have to worry
about security and security models in general?  Then there is the need
to learn and understand the J2EE security model specifically.  How do
you configure encryption, authentication, authorization, etc.?

In our case that was the world we came from, and we have simply adapted
our passion for the user's experience into what we can do with a tool
like Flex.

Do rest assured, we have exercised Flex and its integration into the
J2EE security model and it is quite seamless and transparent.  We have
some pretty bright cookies here in security (including folks like
authors of books on J2EE security) and have integrated Flex with
almost all of it by now for our clients.  There's nothing about Flex
that is going to need that sticker.  Some developers who are new to
this all... well...

-- 
Dave Wolf
Cynergy Systems, Inc.
Adobe Flex Alliance Partner
http://www.cynergysystems.com
http://www.cynergysystems.com/blogs

Email:  [EMAIL PROTECTED]
Office: 866-CYNERGY






--- In flexcoders@yahoogroups.com, "Dimitrios Gianninas"
<[EMAIL PROTECTED]> wrote:
>
> No, no sticker! There probably is limited documentation because:
>
> a) there is actually not much to configure
> b) since it is based on the J2EE security model, this is already
> documented with your app server
>
> Really you just have to configure your roles in the
> services-config.xml and then configure your RPC and FDS services to
> use these roles.
>
> When a remote call comes in and no valid authenticated session
> exists, the call will be rejected. So even if someone simulates this,
> it will fail.
>  
> Dimitrios Gianninas
> RIA Developer
> Optimal Payments Inc.
>  
> 
> ________________________________
> 
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of hank williams
> Sent: Monday, August 07, 2006 9:37 AM
> To: flexcoders@yahoogroups.com
> Subject: Re: [flexcoders] Security Question
>
> On 8/7/06, Dimitrios Gianninas <[EMAIL PROTECTED]> wrote:
>
>       My company is releasing its first external facing Flex application;
> it is used by our clients to update various types of information. Yes,
> someone could create an application to simulate the Flex app, so here
> are the two things to do:
>
>       1) run the app under HTTPS - to encrypt all traffic
>       2) use the role-based security provided by your J2EE server
>
>       With #2, this means that before any incoming traffic is accepted by
> Flex, the user will have to be authenticated and if it is not, the
> call is rejected.
>
>       This is the same for RPC or using FDS.
>
> I sort of assumed both of these, and in the Flash version of my apps
> I do something similar. But particularly with #2, using J2EE security
> really requires expertise outside the scope of what is described and
> documented for Flex or FDS. So this really means that out of the box,
> Flex and particularly FDS is not secure since there are no APIs to
> facilitate this. It would seem to me that support for security would
> be built into FDS. Interestingly though, there is very little (at least
> as far as I have seen) discussion about this. It just seems that every
> Flex application is wearing a giant "Hack Me" sticker on its forehead.
> 
> Regards
> Hank
> 
>
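For readers following Dimitrios's two steps, here is what the configuration he describes actually looks like. This is an added example, not configuration posted by anyone in the thread or shipped with Flex Data Services; the role name `clients`, the destination id `AccountService`, the Java class `com.example.AccountService` and the choice of Tomcat as the container are assumptions. The `security-constraint`, `login-command`, `channel-definition` and destination `security` elements are the real FDS/BlazeDS vocabulary, but attribute names varied between releases (older FDS 2 used `uri` where later builds use `url`), so check the schema that ships with your version. The block collects fragments from three files: services-config.xml, remoting-config.xml and the container's web.xml.

```xml
<!-- services-config.xml (Flex Data Services): declare the constraint once.
     Role "clients", the Tomcat login command and the destination below are
     assumptions for this example, not values from the thread. -->
<services-config>
    <security>
        <!-- Named constraint: the caller must have authenticated with the
             container AND hold the J2EE role "clients". -->
        <security-constraint id="clients-only">
            <auth-method>Custom</auth-method>
            <roles>
                <role>clients</role>
            </roles>
        </security-constraint>

        <!-- Bridges FDS authentication to the container's realm (Tomcat here). -->
        <login-command class="flex.messaging.security.TomcatLoginCommand"
                       server="Tomcat"/>
    </security>

    <channels>
        <!-- Step #1: a secure AMF channel so RPC traffic rides on HTTPS. -->
        <channel-definition id="secure-amf"
                            class="mx.messaging.channels.SecureAMFChannel">
            <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure"
                      class="flex.messaging.endpoints.SecureAMFEndpoint"/>
        </channel-definition>
    </channels>
</services-config>

<!-- remoting-config.xml, WEAK: anyone who can reach the endpoint can invoke
     the Java class. FDS performs no authentication for this destination, and
     a hand-rolled client that speaks AMF is as good as the real SWF. -->
<destination id="AccountService">
    <properties>
        <source>com.example.AccountService</source> <!-- assumed class name -->
    </properties>
</destination>

<!-- remoting-config.xml, HARDENED: same destination bound to the constraint
     and pinned to the secure channel. A call arriving without an
     authenticated session in role "clients" is rejected by FDS before the
     Java method runs, which is the step #2 behaviour described above. -->
<destination id="AccountService">
    <properties>
        <source>com.example.AccountService</source> <!-- assumed class name -->
    </properties>
    <channels>
        <channel ref="secure-amf"/>
    </channels>
    <security>
        <security-constraint ref="clients-only"/>
    </security>
</destination>

<!-- web.xml: make the container itself refuse plain HTTP for the message
     broker, so step #1 is enforced server-side instead of depending on the
     channel the client chose. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Flex message broker</web-resource-name>
        <url-pattern>/messagebroker/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Two points worth checking in your own deployment: every destination in remoting-config.xml and data-management-config.xml needs its own `<security>` block (a constraint declared in services-config.xml protects nothing until it is referenced), and the web.xml transport guarantee is what stops a client from simply pointing a plain AMF channel at the same broker URL over HTTP.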






--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com 