In the case of BlazeDS and LCDS, we preferentially do custom authentication using app server specific pluggable helper classes. So, we don't use form auth, and my personal leaning is to avoid HTTP Basic auth.
You may want to consider exposing your server-side resources through your REST interface generally, as well as through BlazeDS remoting for Flex clients. That would simplify your auth situation assuming you're deploying on one of the app servers we support. I'm not aware of any good guidance on using form auth from Flash/Flex off-hand, Seth From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of rydellfinn Sent: Tuesday, May 13, 2008 6:59 AM To: flexcoders@yahoogroups.com Subject: [flexcoders] Re: Authentication against a RESTful web service Seth - Thanks - I was aware of that. I've worked with REST with just GET and POST before. I look forward to when the Player does support all the methods. That aside, what do you use on the back end and how do you authenticate? I'm coming from a Java background, and I have found there are remarkably few examples that include any form authentication, which is essential in any production application. Thanks again! --- In flexcoders@yahoogroups.com, "Seth Hodgson" <[EMAIL PROTECTED]> wrote: > > Aside from auth challenges, in case you're not aware, the Player can not issue PUT, DELETE or HEAD requests due to limitations in the browser APIs that it uses for HTTP support, as well as security considerations. Setting request headers also presents some challenges due to security issues, and response headers are not available in the browser players. > > If your server side methods work OK with just GET and POST requests, keep forging ahead. > > Seth > > From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of rydellfinn > Sent: Monday, May 12, 2008 12:38 PM > To: flexcoders@yahoogroups.com > Subject: [flexcoders] Authentication against a RESTful web service > > Hi all - > > I have written a RESTful web service using Java (Jersey). I would > like to have write a Flex 3 front end to make use of this service. > What is the best way to have my Flex 3 login page authenticate against > my web service? > > I have been trying to use Basic Authentication with the HTTPService > and URLLoader, but there have been a lot of recent security changes > with the flash player that have made this very difficult. And before > I go down that road any further, I thought I'd step back and ask the > more generic question of what is the best way to get authentication done? > > At this point, I'm thinking of 'best' defined as, moderate security > that I can implement in a couple of days. > > Thanks to everyone (or anyone!) who responds. >
