Re: [flexcoders] Security question
crossdomain.xml policy files

On Fri, Oct 9, 2009 at 2:07 PM, Christophe <christophe_jacque...@yahoo.fr> wrote:
> Hello,
>
> What is the protection against the use of my swf application on another website by a hacker with a copy of the swf file?
>
> Thank you,
> Christophe
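Added illustration, not taken from Christophe's message or the reply: what the one-line answer looks like in practice. This is a crossdomain.xml served from the web root of the server the SWF loads its data from, with the wide-open policy (commented out) beside a restricted one. The host names are placeholders.

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<!-- WEAK (kept here only for contrast): any SWF from any origin may read
     responses from this server. A copy of your SWF hosted on another site
     works unchanged, and so does any other SWF that wants your data.

<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
-->

<!-- RESTRICTED: only SWFs served from the listed hosts (placeholders) may
     read responses from this server, and only over HTTPS. -->
<cross-domain-policy>
  <!-- Honour only this file at the web root; ignore policy files that
       turn up elsewhere on the server, e.g. through an upload feature. -->
  <site-control permitted-cross-domain-policies="master-only" />

  <!-- secure="true": a SWF loaded over plain http may not read https data. -->
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="app.example.com" secure="true" />
</cross-domain-policy>
```

What this does and does not do: Flash Player fetches /crossdomain.xml from the data server before it lets a SWF from another origin read the response, so a copy of your SWF hosted on a site that is not listed has its data calls refused by the player. It is not a protection for the SWF itself (anyone can still download and decompile it), and it does nothing against a non-Flash client that talks to your server directly, so the server still has to authenticate and authorize every call, which is what the other thread on this page is about. Avoid `domain="*"` and subdomain wildcards on a server that returns anything user-specific.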
RE: [flexcoders] security question...testing locally while loading remote swfs
AFAIK, you have to deploy to a server.

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Rich Rodecker
Sent: Thursday, May 22, 2008 11:10 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] security question...testing locally while loading remote swfs

> I'm running into a little bit of a weird situation while testing my project. When I debug the app, the main app swf loads in a swf from a remote URL. I know that the sandboxType is going to be different for the main app swf (which would be local trusted) than the remote swf (which would be remote). The problem seems to be that you simply cannot set the security domain in a LoaderContext at all in a local swf... is there any way to do this, other than testing everything remotely or everything locally?
RE: [flexcoders] Security Question
My company is releasing its first external-facing Flex application; it is used by our clients to update various types of information. Yes, someone could create an application to simulate the Flex app, so here are the two things to do:

1) run the app under HTTPS - to encrypt all traffic
2) use the role-based security provided by your J2EE server

With #2, this means that before any incoming traffic is accepted by Flex, the user will have to be authenticated, and if it is not, the call is rejected. This is the same for RPC or using FDS.

Hope that helps.

Dimitrios Gianninas
RIA Developer
Optimal Payments Inc.

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of hank williams
Sent: Monday, August 07, 2006 8:00 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Security Question

> I am curious about the security issues associated with sending commands from flex to a remote database.
>
> As I write code to send commands to the server, I am wondering how secure it is to do so. In other words, if I want to send a command to the server to update a field in the database, how easy is it for someone else to write some code to pretend to be a flash client sending that command?
>
> In the flash environment I had this concern, but fewer people were doing sophisticated client side updating of data in flash. In flex, remote data access is its primary reason for existence, and I am wondering if there is a better security strategy. For example, can one say, "If you use FDS you will be much more secure"? I know that FDS allows for encrypted communication. But that only prevents someone from spying on a communication. But if an app pretends to be an authorized client and knows (or guesses) the key of a record, they could really wreak havoc.
>
> So is it possible to write a secure application in flex (like for banking), where there is data intelligence on the client side? Or must flex apps that need to manipulate data be more like html apps where they *only* handle presentation and no business logic?
>
> Hank

IMPORTANT WARNING: This electronic message and its attachments may contain confidential, proprietary or legally privileged information, which is solely for the use of the intended recipient. No privilege or other rights are waived by any unintended transmission or unauthorized retransmission of this message. If you are not the intended recipient of this message, or if you have received it in error, you should immediately stop reading this message and delete it and all attachments from your system. The reading, distribution, copying or other use of this message or its attachments by unintended recipients is unauthorized and may be unlawful. If you have received this e-mail in error, please notify the sender.
__._,_.___ -- Flexcoders Mailing List FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com SPONSORED LINKS Web site design development Computer software development Software design and development Macromedia flex Software development best practice YAHOO! GROUPS LINKS Visit your group "flexcoders" on the web. To unsubscribe from this group, send an email to:[EMAIL PROTECTED] Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service. __,_._,___
Re: [flexcoders] Security Question
On 8/7/06, Dimitrios Gianninas <[EMAIL PROTECTED]> wrote:
> My company is releasing its first external-facing Flex application; it is used by our clients to update various types of information. Yes, someone could create an application to simulate the Flex app, so here are the two things to do:
>
> 1) run the app under HTTPS - to encrypt all traffic
> 2) use the role-based security provided by your J2EE server
>
> With #2, this means that before any incoming traffic is accepted by Flex, the user will have to be authenticated, and if it is not, the call is rejected. This is the same for RPC or using FDS.

I sort of assumed both of these, and in the flash version of my apps I do something similar. But particularly with #2, using J2EE security really requires expertise outside the scope of what is described and documented for Flex or FDS. So this really means that out of the box, Flex and particularly FDS is not secure, since there are no APIs to facilitate this. It would seem to me that support for security would be built into FDS. Interestingly, though, there is very little (at least as far as I have seen) discussion about this. It just seems that every Flex application is wearing a giant "Hack Me" sticker on its forehead.

Regards,
Hank
RE: [flexcoders] Security Question
No, no sticker! There probably is limited documentation because:

a) there is actually not much to configure
b) since it is based on the J2EE security model, this is already documented with your app server

Really, you just have to configure your roles in the services-config.xml and then configure your RPC and FDS services to use these roles. When a remote call comes in and no valid authenticated session exists, the call will be rejected. So even if someone simulates this, it will fail.

Dimitrios Gianninas
RIA Developer
Optimal Payments Inc.

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of hank williams
Sent: Monday, August 07, 2006 9:37 AM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] Security Question

> I sort of assumed both of these, and in the flash version of my apps I do something similar. But particularly with #2, using J2EE security really requires expertise outside the scope of what is described and documented for Flex or FDS. So this really means that out of the box, Flex and particularly FDS is not secure, since there are no APIs to facilitate this. It would seem to me that support for security would be built into FDS. Interestingly, though, there is very little (at least as far as I have seen) discussion about this. It just seems that every Flex application is wearing a giant "Hack Me" sticker on its forehead.
>
> Regards,
> Hank
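To make the two steps from Dimitrios's replies concrete (HTTPS on the wire, then a role-based constraint that rejects calls with no authenticated session), here is an added example that is not from the thread: a security-constraint declared in services-config.xml and referenced from a RemoteObject destination in remoting-config.xml. The constraint id, role name, destination id and Java class are placeholders, and the login-command line assumes a Tomcat container; other containers use their own login-command class.

```xml
<!-- services-config.xml (excerpt): who may call what, and over which channel -->
<services-config>
  <security>
    <!-- Hand authentication to the container's realm (assumes Tomcat). -->
    <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat" />

    <!-- Placeholder constraint: the caller must hold an authenticated session
         that carries the "client" role, otherwise the call is rejected. -->
    <security-constraint id="authenticated-clients">
      <auth-method>Custom</auth-method>
      <roles>
        <role>client</role>
      </roles>
    </security-constraint>
  </security>

  <channels>
    <!-- Step 1 from the reply: expose the RPC endpoint over HTTPS only. -->
    <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
      <endpoint uri="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure"
                class="flex.messaging.endpoints.SecureAMFEndpoint" />
    </channel-definition>
  </channels>
</services-config>

<!-- remoting-config.xml (excerpt): apply the constraint to one destination -->
<destination id="accountUpdateService">   <!-- placeholder id -->
  <properties>
    <source>com.example.AccountUpdateService</source>   <!-- placeholder class -->
  </properties>
  <channels>
    <channel ref="my-secure-amf" />
  </channels>
  <security>
    <!-- Step 2 from the reply: no authenticated "client" session, no call. -->
    <security-constraint ref="authenticated-clients" />
  </security>
</destination>
```

The client establishes the session with `RemoteObject.setCredentials(username, password)` before the first call; a hand-rolled client that skips that step, or that lacks the role, has its invocation refused before the Java method runs. One caveat the thread only hints at: the constraint answers "is this an authenticated client?", not "may this client touch this particular record?". Hank's scenario of an authorized client that guesses another customer's record key is an authorization problem that the destination configuration cannot express, so the service method itself still has to compare the record's owner with the caller (the server-side `flex.messaging.FlexContext.getUserPrincipal()` gives you the authenticated principal) and refuse the update on a mismatch.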
Re: [flexcoders] Security Question
Oh, I see. My bad. It looks like there *is* built-in support! I will have to look at the security tag in the services-config.xml file. That looks very helpful.

Regards,
Hank

On 8/7/06, Dimitrios Gianninas <[EMAIL PROTECTED]> wrote:
> No, no sticker! There probably is limited documentation because:
>
> a) there is actually not much to configure
> b) since it is based on the J2EE security model, this is already documented with your app server
>
> Really, you just have to configure your roles in the services-config.xml and then configure your RPC and FDS services to use these roles. When a remote call comes in and no valid authenticated session exists, the call will be rejected. So even if someone simulates this, it will fail.
>
> Dimitrios Gianninas
> RIA Developer
> Optimal Payments Inc.