Hi all, I'm building a Flex client for a fully-authenticated server with a REST-like API. All communication with the server will be over SSL/TLS. All requests must be authenticated. What I've discovered, by Googling and by trying my own code, is that Flex makes things very, very difficult for such a client. The problems all center around the fact that my Basic Auth headers get removed.
The only way I've found to get my headers over to the server is by:

- Switching from using HTTPService to URLLoader (the former seems to strip all headers, no matter what)
- Changing all my GET's to POST's (because headers are always stripped from GET requests)
- Adding a dummy body to my POST's so that they don't get turned back into GET's (why, for God's sake?) and have their headers stripped.

I also need to upload files --with authentication. Headers are stripped from FileReference.upload() calls also. I'm aware of this bug: https://bugs.adobe.com/jira/browse/FP-1044 It appears that a fix is in the works, which is encouraging, but it completely baffles me that this issue has been ignored for so very long.

I also need to display images in my client that are served by my server --with authentication. I have mx:Image elements with "source" properties bound to URL's that point to my server. I know of no way to turn these implicit GET requests into POSTs and to then somehow insert my authentication header into them.

At this point I'm really feeling beaten down by how difficult this all is. Does nobody else write clients for authenticated servers? This seems so basic. I've been a fan of Flex for years, but this is causing me to question whether it's ready for real-world RIA's.

I'm now considering something desperate like trying to write a Tomcat filter that looks for credentials in a URL parameter and manufactures an Authentication header. I don't know Tomcat well, so I'm not sure whether filters can run before authentication is done. If that works, though, I can go back to using my GET requests and solve my problems with upload and image rendering. The fact that we use SSL/TLS would save us here, since the URL parameters containing the credentials would be encrypted along with everything else.

Somebody please tell me that I'm missing something obvious.

Thanks much
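
Added example, not part of the original post: under TLS the query string is encrypted on the wire, but the server still writes the full request line, query string included, into its access log. This sketch scans access-log lines for credential-bearing URL parameters and redacts them; the parameter names, paths and log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names of the query parameters that would carry credentials.
SENSITIVE_PARAMS = {"user", "username", "password", "pass", "auth", "token"}

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /api/images/42?user=alice&password=s3cr3t HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2010:10:00:05 +0000] "POST /api/upload HTTP/1.1" 201 17',
    '192.0.2.11 - - [01/Jan/2010:10:00:09 +0000] "GET /api/images/7?size=thumb HTTP/1.1" 200 900',
]

def redact_target(target):
    """Return (target with sensitive values replaced, names of redacted params)."""
    parts = urlsplit(target)
    pairs, hits = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return target, []  # leave clean targets byte-for-byte unchanged
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def scrub_line(line):
    """Redact credentials in one log line; returns (line, redacted param names)."""
    m = REQUEST_LINE.search(line)
    if not m:
        return line, []
    new_target, hits = redact_target(m.group("target"))
    return line[:m.start("target")] + new_target + line[m.end("target"):], hits

def audit(lines):
    """Return (line number, redacted param names, scrubbed line) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        scrubbed, hits = scrub_line(line)
        if hits:
            findings.append((n, hits, scrubbed))
    return findings

if __name__ == "__main__":
    for n, hits, scrubbed in audit(SAMPLE_LOG):
        print(f"line {n}: credentials in URL ({', '.join(hits)}) -> {scrubbed}")
```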