RE: [flexcoders] Re: Choice of backend systems - which provides best functionality
The ws-i pages themselves can be found here: http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity Although the link was not working while I was typing this reply :). Webservices are a very complicated story if it comes to standards. And to be honest, I am not up to par with all of them. As Derek already pointed out ‘most web service stack have *some level* of support for it’, which implies that you cannot rely on it for now. In a few years from now it will be around and all the software stacks will have support for it. Then we can use it. So for now, you have to reinvent the wheel for this part. It’s not that hard though. Cheers, Franck From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Derek Adams Sent: Thursday, August 24, 2006 4:32 PM To: flexcoders@yahoogroups.com Subject: [flexcoders] Re: Choice of backend systems - which provides best functionality WS-Security is the standard spec for securing web service calls. Most web service stacks have some level of support for it. Among the things it offers are username/token style security and encryption of some/all of the SOAP envelope. There is an overview and a few good links here: http://www-128.ibm.com/developerworks/library/specification/ws- secure/ Also, see the Adobe AS3 UsernameToken support in the corelibs project here: http://weblogs.macromedia.com/as_libraries/docs/corelib/ Hope that helps, Derek --- In [EMAIL PROTECTED]ups.com, "Darren Houle" <[EMAIL PROTECTED]> wrote: > > Franck, > > Makes sense to me. Do you (or does anyone) know of any open/standards based > architecture for this SOAP token security? Any OOTB solutions out there, or > do I need to redesign the wheel? > > Thanks! > Darren > __._,_.___ -- Flexcoders Mailing List FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com SPONSORED LINKS Software development tool Software development Software development services Home design software Software development company YAHOO! GROUPS LINKS Visit your group "flexcoders" on the web. To unsubscribe from this group, send an email to: [EMAIL PROTECTED] Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service. __,_._,___
RE: [flexcoders] Re: Choice of backend systems - which provides best functionality
Franck, Makes sense to me. Do you (or does anyone) know of any open/standards based architecture for this SOAP token security? Any OOTB solutions out there, or do I need to redesign the wheel? Thanks! Darren >From: "Franck de Bruijn" <[EMAIL PROTECTED]> >Reply-To: flexcoders@yahoogroups.com >To: >Subject: RE: [flexcoders] Re: Choice of backend systems - which provides >best functionality >Date: Thu, 24 Aug 2006 07:33:13 +0200 > >Hi Darren, > > > >I developed my webservices such that you have to supply a security token in >the header section of a SOAP operation. By using a security token you >prevent needing to send the user credentials over the line every time for >every request to the back-end. It's a mechanism used heavily in most >web-based systems (including single sign-on). Maybe the difference is that >often these security tokens are sent in by means of cookies. Webservices >don't need cookies; they have a header section (something that simple HTTP >requests/posts don't). > > > >After a successful login operation, a security token is generated and >stored >in the database together with the necessary user profile information. So, >the user session information is actually stored in the database and not in >the application server. Yes, you have to do an extra query to your database >to get the session information back, but since it's a very simple and fast >query on a primary key it will take be nearly costless. > > > >Databases are around now for more than 20 years. They have been totally >optimized for data storage and data distribution (if you need a clustered >database). It's my belief that databases can do this much better than >application servers (or myself/yourself). > > > >I also try to rule out caching (of dynamic data) in my application servers. >Each normal thinking human being understands that caching (and the >distribution of the cache among your application server cluster) introduces >many headaches. In my experience, when performance issues arise, most often >these are solved by writing cleverer queries, rearchitecting your >interface, >and even maybe take some consequences in the UI (ok, we don't display that >attribute directly, but behind a tab or something). In my opinion caching >is >rarely the best solution for performance increase, but probably the easiest >to develop ... and the hardest to maintain. > > > >Cheers, > >Franck > > > > _ > >From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On >Behalf Of Dave Wolf >Sent: Wednesday, August 23, 2006 11:54 PM >To: flexcoders@yahoogroups.com >Subject: [flexcoders] Re: Choice of backend systems - which provides best >functionality > > > >Darren, > >Flex inherits the HTTP session that the page which contained the EMBED >tag acquired. Dont forget that HTTP/HTML is entirely stateless and >yet we can easily secure those. The theory is identical with Flex. > >-- >Dave Wolf >Cynergy Systems, Inc. >Adobe Flex Alliance Partner >http://www.cynergys <http://www.cynergysystems.com> ystems.com >http://www.cynergys <http://www.cynergysystems.com/blogs> ystems.com/blogs > >Email: [EMAIL PROTECTED] <mailto:dave.wolf%40cynergysystems.com> >stems.com >Office: 866-CYNERGY > >--- In [EMAIL PROTECTED] <mailto:flexcoders%40yahoogroups.com> ups.com, >"Darren Houle" <[EMAIL PROTECTED]> wrote: > > > > Franck, > > > > I agree with you, but... how do you handle security in a stateless >back-end? > > I mean... how do you maintain logged-in / user session >information? Or > > unauthorized access of the web services by others? If Flex is >*completely* > > agnostic of the back-end technology then how do you securely link them > > together? > > > > Darren > > > > > > > > > > >From: "Franck de Bruijn" <[EMAIL PROTECTED]> > > >Reply-To: [EMAIL PROTECTED] <mailto:flexcoders%40yahoogroups.com> >ups.com > > >To: <[EMAIL PROTECTED] <mailto:flexcoders%40yahoogroups.com> ups.com> > > >Subject: RE: [flexcoders] Re: Choice of backend systems - which >provides > > >best functionality > > >Date: Tue, 22 Aug 2006 18:03:24 +0200 > > > > > >Hi Barry, > > > > > > > > > > > >I'm not sure if I can be of much help here. I'm not into PHP, I'm >not into > > >FDS and remoting and the AMF protocol that is related to it. For >me, but > > >that is totally a personal opinion, the only acceptable solution for > > >communication with a
RE: [flexcoders] Re: Choice of backend systems - which provides best functionality
Hi Darren, I developed my webservices such that you have to supply a security token in the header section of a SOAP operation. By using a security token you prevent needing to send the user credentials over the line every time for every request to the back-end. It’s a mechanism used heavily in most web-based systems (including single sign-on). Maybe the difference is that often these security tokens are sent in by means of cookies. Webservices don’t need cookies; they have a header section (something that simple HTTP requests/posts don’t). After a successful login operation, a security token is generated and stored in the database together with the necessary user profile information. So, the user session information is actually stored in the database and not in the application server. Yes, you have to do an extra query to your database to get the session information back, but since it’s a very simple and fast query on a primary key it will take be nearly costless. Databases are around now for more than 20 years. They have been totally optimized for data storage and data distribution (if you need a clustered database). It’s my belief that databases can do this much better than application servers (or myself/yourself). I also try to rule out caching (of dynamic data) in my application servers. Each normal thinking human being understands that caching (and the distribution of the cache among your application server cluster) introduces many headaches. In my experience, when performance issues arise, most often these are solved by writing cleverer queries, rearchitecting your interface, and even maybe take some consequences in the UI (ok, we don’t display that attribute directly, but behind a tab or something). In my opinion caching is rarely the best solution for performance increase, but probably the easiest to develop ... and the hardest to maintain. Cheers, Franck From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On Behalf Of Dave Wolf Sent: Wednesday, August 23, 2006 11:54 PM To: flexcoders@yahoogroups.com Subject: [flexcoders] Re: Choice of backend systems - which provides best functionality Darren, Flex inherits the HTTP session that the page which contained the EMBED tag acquired. Dont forget that HTTP/HTML is entirely stateless and yet we can easily secure those. The theory is identical with Flex. -- Dave Wolf Cynergy Systems, Inc. Adobe Flex Alliance Partner http://www.cynergysystems.com http://www.cynergysystems.com/blogs Email: [EMAIL PROTECTED]stems.com Office: 866-CYNERGY --- In [EMAIL PROTECTED]ups.com, "Darren Houle" <[EMAIL PROTECTED]> wrote: > > Franck, > > I agree with you, but... how do you handle security in a stateless back-end? > I mean... how do you maintain logged-in / user session information? Or > unauthorized access of the web services by others? If Flex is *completely* > agnostic of the back-end technology then how do you securely link them > together? > > Darren > > > > > >From: "Franck de Bruijn" ...> > >Reply-To: [EMAIL PROTECTED]ups.com > >To: <[EMAIL PROTECTED]ups.com> > >Subject: RE: [flexcoders] Re: Choice of backend systems - which provides > >best functionality > >Date: Tue, 22 Aug 2006 18:03:24 +0200 > > > >Hi Barry, > > > > > > > >I'm not sure if I can be of much help here. I'm not into PHP, I'm not into > >FDS and remoting and the AMF protocol that is related to it. For me, but > >that is totally a personal opinion, the only acceptable solution for > >communication with a back-end is webservices, and nothing else. Briefly > >here > >are my reasons: > > > >* The coolest thing about Flex is not the graphics ... but that you > >can make your server stateless, meaning that you obtain 100% fail-over > >characteristics including linear scalability. With FDS (or any other > >related > >solution) you highly likely lose this `feature' and my guess is that > >scalability will be tougher to achieve; for sure it is harder to guarantee > >... with a stateless server solution you can. And we always want to grow > >with our applications, don't we??? > >* I like to keep my Flex layer totally independent of my back-end > >layer. My back-end layer should not be aware by any means of the client > >technology. With webservices you realize this. With FDS (or any other > >related solution) you get a vendor lock-in, which I consider undesirable. > >* The trend in my business is that more and more you get projects only > >for a front-end or back-end solution. In the past it occurred more that you > >had to build them together, but that is changing. It's very acceptable to > >request a back-end
RE: [flexcoders] Re: Choice of backend systems - which provides best functionality
True, but then you're relying on server side sessions... that's stateless, but not independant of the back-end technology. Darren >From: "Dave Wolf" <[EMAIL PROTECTED]> >Reply-To: flexcoders@yahoogroups.com >To: flexcoders@yahoogroups.com >Subject: [flexcoders] Re: Choice of backend systems - which provides best >functionality >Date: Wed, 23 Aug 2006 21:53:39 - > >Darren, > >Flex inherits the HTTP session that the page which contained the EMBED >tag acquired. Dont forget that HTTP/HTML is entirely stateless and >yet we can easily secure those. The theory is identical with Flex. > >-- >Dave Wolf >Cynergy Systems, Inc. >Adobe Flex Alliance Partner >http://www.cynergysystems.com >http://www.cynergysystems.com/blogs > >Email: [EMAIL PROTECTED] >Office: 866-CYNERGY > >--- In flexcoders@yahoogroups.com, "Darren Houle" <[EMAIL PROTECTED]> wrote: > > > > Franck, > > > > I agree with you, but... how do you handle security in a stateless >back-end? > > I mean... how do you maintain logged-in / user session >information? Or > > unauthorized access of the web services by others? If Flex is >*completely* > > agnostic of the back-end technology then how do you securely link them > > together? > > > > Darren > > > > > > > > > > >From: "Franck de Bruijn" <[EMAIL PROTECTED]> > > >Reply-To: flexcoders@yahoogroups.com > > >To: > > >Subject: RE: [flexcoders] Re: Choice of backend systems - which >provides > > >best functionality > > >Date: Tue, 22 Aug 2006 18:03:24 +0200 > > > > > >Hi Barry, > > > > > > > > > > > >I'm not sure if I can be of much help here. I'm not into PHP, I'm >not into > > >FDS and remoting and the AMF protocol that is related to it. For >me, but > > >that is totally a personal opinion, the only acceptable solution for > > >communication with a back-end is webservices, and nothing else. >Briefly > > >here > > >are my reasons: > > > > > >* The coolest thing about Flex is not the graphics ... but that you > > >can make your server stateless, meaning that you obtain 100% fail-over > > >characteristics including linear scalability. With FDS (or any other > > >related > > >solution) you highly likely lose this `feature' and my guess is that > > >scalability will be tougher to achieve; for sure it is harder to >guarantee > > >... with a stateless server solution you can. And we always want to >grow > > >with our applications, don't we??? > > >* I like to keep my Flex layer totally independent of my back-end > > >layer. My back-end layer should not be aware by any means of the client > > >technology. With webservices you realize this. With FDS (or any other > > >related solution) you get a vendor lock-in, which I consider >undesirable. > > >* The trend in my business is that more and more you get projects only > > >for a front-end or back-end solution. In the past it occurred more >that you > > >had to build them together, but that is changing. It's very >acceptable to > > >request a back-end to expose its operations through webservices. >It's not > > >very accetable to request them to expose it via FDS or something >like that. > > > > > > > > > > > >To be fair, there are some disadvantages using web services as >well; among > > >others: > > > > > >* No automatic conversion of the web service results into your custom > > >action script classes. You have to make converters yourself to >accomplish > > >this. With FDS/AMF I understand you can have this conversion >automatically > > >done for you. > > >* Performance. People tend to say that webservices are slow. It's true > > >that the serialization/deserialization of the XML (both on client and > > >server) side takes computing time. My experiences so far are that this > > >extra > > >computing time is not causing any serious damage in the user >experience. > > >* Flex has some trouble communicating with DOC/Literal encoded > > >webservices. Especially in the .Net corner this is causing >problems. But > > >that should be temporarily ... The adobe guys are working on it and > > >hopefully in a next release these issues will be fixed. > > > > > > > > > > > >For me the advantages of webservices by far outweigh the >d
RE: [flexcoders] Re: Choice of backend systems - which provides best functionality
Franck, I agree with you, but... how do you handle security in a stateless back-end? I mean... how do you maintain logged-in / user session information? Or unauthorized access of the web services by others? If Flex is *completely* agnostic of the back-end technology then how do you securely link them together? Darren >From: "Franck de Bruijn" <[EMAIL PROTECTED]> >Reply-To: flexcoders@yahoogroups.com >To: >Subject: RE: [flexcoders] Re: Choice of backend systems - which provides >best functionality >Date: Tue, 22 Aug 2006 18:03:24 +0200 > >Hi Barry, > > > >Im not sure if I can be of much help here. Im not into PHP, Im not into >FDS and remoting and the AMF protocol that is related to it. For me, but >that is totally a personal opinion, the only acceptable solution for >communication with a back-end is webservices, and nothing else. Briefly >here >are my reasons: > >* The coolest thing about Flex is not the graphics ... but that you >can make your server stateless, meaning that you obtain 100% fail-over >characteristics including linear scalability. With FDS (or any other >related >solution) you highly likely lose this feature and my guess is that >scalability will be tougher to achieve; for sure it is harder to guarantee >... with a stateless server solution you can. And we always want to grow >with our applications, dont we??? >* I like to keep my Flex layer totally independent of my back-end >layer. My back-end layer should not be aware by any means of the client >technology. With webservices you realize this. With FDS (or any other >related solution) you get a vendor lock-in, which I consider undesirable. >* The trend in my business is that more and more you get projects only >for a front-end or back-end solution. In the past it occurred more that you >had to build them together, but that is changing. Its very acceptable to >request a back-end to expose its operations through webservices. Its not >very accetable to request them to expose it via FDS or something like that. > > > >To be fair, there are some disadvantages using web services as well; among >others: > >* No automatic conversion of the web service results into your custom >action script classes. You have to make converters yourself to accomplish >this. With FDS/AMF I understand you can have this conversion automatically >done for you. >* Performance. People tend to say that webservices are slow. Its true >that the serialization/deserialization of the XML (both on client and >server) side takes computing time. My experiences so far are that this >extra >computing time is not causing any serious damage in the user experience. >* Flex has some trouble communicating with DOC/Literal encoded >webservices. Especially in the .Net corner this is causing problems. But >that should be temporarily ... The adobe guys are working on it and >hopefully in a next release these issues will be fixed. > > > >For me the advantages of webservices by far outweigh the disadvantages. So >if you ask me: use webservices! You keep your freedom ... > > > >Cheers, > >Franck > > > > > > _ > >From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On >Behalf Of barry.beattie >Sent: Tuesday, August 22, 2006 9:50 AM >To: flexcoders@yahoogroups.com >Subject: [flexcoders] Re: Choice of backend systems - which provides best >functionality > > > >Franck and Doug: may I be so bold as to include here some information >I sent to our programming team for them to have some context? > >I offer it here as a talking point only - and would invite any >comments or corrections to help me gain a better understanding myself >... this has just been gathered by my own ad-hoc investigations. the >context of the email was a report that Adobe were seriously targeting >PHP developers for Flex. > > >regarding Flash remoting: some background to put it into context: > >there are three basic ways of getting communication happening between >a SWF (now-a-days built with Flex) and server-side code: > >webservices >XML HTTP requests >Flash Remoting (using the Async Message Format - AMF) > >PHPAMF (Flash remoting with PHP) is not a Macromedia/Adobe product. It >was reverse engineered by the PHP community to use Flash remoting. >It's been around for a few years (that I know of) and may be even more >popular than CF-AMF (don't know for sure) > >here's the important bit: > >PHPAMF, OpenAMF, the Adobe .NET/ Java remoting add-in and ColdFusion >6.1 remoting all use the AMF0 protocol. ColdFusion 7.02 and >FlexDataServices (Java) all use AMF3 > >Wha
RE: [flexcoders] Re: Choice of backend systems - which provides best functionality
Hi Barry, I’m not sure if I can be of much help here. I’m not into PHP, I’m not into FDS and remoting and the AMF protocol that is related to it. For me, but that is totally a personal opinion, the only acceptable solution for communication with a back-end is webservices, and nothing else. Briefly here are my reasons: The coolest thing about Flex is not the graphics ... but that you can make your server stateless, meaning that you obtain 100% fail-over characteristics including linear scalability. With FDS (or any other related solution) you highly likely lose this ‘feature’ and my guess is that scalability will be tougher to achieve; for sure it is harder to guarantee ... with a stateless server solution you can. And we always want to grow with our applications, don’t we??? I like to keep my Flex layer totally independent of my back-end layer. My back-end layer should not be aware by any means of the client technology. With webservices you realize this. With FDS (or any other related solution) you get a vendor lock-in, which I consider undesirable. The trend in my business is that more and more you get projects only for a front-end or back-end solution. In the past it occurred more that you had to build them together, but that is changing. It’s very acceptable to request a back-end to expose its operations through webservices. It’s not very accetable to request them to expose it via FDS or something like that. To be fair, there are some disadvantages using web services as well; among others: No automatic conversion of the web service results into your custom action script classes. You have to make converters yourself to accomplish this. With FDS/AMF I understand you can have this conversion automatically done for you. Performance. People tend to say that webservices are slow. It’s true that the serialization/deserialization of the XML (both on client and server) side takes computing time. My experiences so far are that this extra computing time is not causing any serious damage in the user experience. Flex has some trouble communicating with DOC/Literal encoded webservices. Especially in the .Net corner this is causing problems. But that should be temporarily ... The adobe guys are working on it and hopefully in a next release these issues will be fixed. For me the advantages of webservices by far outweigh the disadvantages. So if you ask me: use webservices! You keep your freedom ... Cheers, Franck From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On Behalf Of barry.beattie Sent: Tuesday, August 22, 2006 9:50 AM To: flexcoders@yahoogroups.com Subject: [flexcoders] Re: Choice of backend systems - which provides best functionality Franck and Doug: may I be so bold as to include here some information I sent to our programming team for them to have some context? I offer it here as a talking point only - and would invite any comments or corrections to help me gain a better understanding myself ... this has just been gathered by my own ad-hoc investigations. the context of the email was a report that Adobe were seriously targeting PHP developers for Flex. regarding Flash remoting: some background to put it into context: there are three basic ways of getting communication happening between a SWF (now-a-days built with Flex) and server-side code: webservices XML HTTP requests Flash Remoting (using the Async Message Format - AMF) PHPAMF (Flash remoting with PHP) is not a Macromedia/Adobe product. It was reverse engineered by the PHP community to use Flash remoting. It's been around for a few years (that I know of) and may be even more popular than CF-AMF (don't know for sure) here's the important bit: PHPAMF, OpenAMF, the Adobe .NET/ Java remoting add-in and ColdFusion 6.1 remoting all use the AMF0 protocol. ColdFusion 7.02 and FlexDataServices (Java) all use AMF3 What's the diff? 2 things: Apart from some removal of dumb stuff-ups and a reduction of data packet size (thanx to new encoding), AMF3 is very strongly typed which allows a seamless (and easy) mapping/conversion between server side objects (eg: Java value objects and ColdFusion's CFC's). This is why FlexBuilder can have a simple wizard to take your CFC and create Actionscript classes from it (and/or visa-versa). Before it was all manual with a tonne of testing (eg string to numeric conversions, etc). [NOTE: the follow paragraph is total speculation] Also, inside the latest Flash player (Flash9) there are actually 2 players. An older for backwards compatability and the latest "hot-rod" that has had some amazing improvements in functionality and speed. Expect to see the use for the older player depricated in less than 5 years (the new player in Flash9 is like starting again). AMF0
