[flexcoders] Using Flex with server that does authentication

2010-06-07 Thread alwayslearningnewstuff
Hi all,

I'm building a Flex client for a fully-authenticated server with a REST-like 
API. All communication with the server will be over SSL/TLS. All requests must 
be authenticated. What I've discovered, by Googling around and by trying my own 
code, is that Flex makes things very, very difficult for such a client. The 
problems all center around the fact that my Basic Auth headers get removed.

The only way I've found to get my headers over to the server is by:

   * Switching from using HTTPService to URLLoader (the former seems to strip 
all headers, no matter what)

   * Changing all my GET's to POST's (because headers are always stripped from 
GET requests)

   * Adding a dummy body to my POST's so that they don't get turned back into 
GET's (why, for God's sake?) and have their headers stripped.

I also need to upload files --with authentication. Headers are stripped from 
FileReference.upload() calls also. I'm aware of this bug: 
https://bugs.adobe.com/jira/browse/FP-1044 It appears that a fix is in the 
works, which is encouraging, but it completely baffles me that this issue has 
been ignored for so very long.

I also need to display images in my client that are served by my server --with 
authentication. I have mx:Image elements with source properties bound to 
URL's that point to my server. I know of no way to turn these implicit GET 
requests into POSTs and to then somehow insert my authentication header into 
them.

At this point I'm really feeling beaten down by how difficult this all is. Does 
nobody else write clients for authenticated servers? This seems so basic. I've 
been a fan of Flex for years, but this is causing me to question whether it's 
ready for real-world RIA's.

I'm now considering something desperate like trying to write a Tomcat filter 
that looks for credentials in a URL parameter and manufactures an 
Authentication header. I don't know Tomcat well, so I'm not sure whether 
filters can run before authentication is done. If that works, though, I can go 
back to using my GET requests and solve my problems with upload and image 
rendering. The fact that we use SSL/TLS would save us here, since the URL 
parameters containing the credentials would be encrypted along with everything 
else.

Somebody please tell me that I'm missing something obvious.

Thanks much
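
The filter idea from the post above, as an added example (not code from the thread): it wraps the request so that downstream code sees a Basic `Authorization` header built from two query parameters. Assumptions: the parameter names `auth_user` and `auth_pass` are hypothetical, the `javax.servlet` API (Tomcat 9 or earlier) is used, and authentication is done by application code or a later filter, because Tomcat's container-managed authentication runs in a valve before any filter.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example: maps ?auth_user=...&auth_pass=... onto a Basic Authorization header.
public class QueryParamBasicAuthFilter implements Filter {
    // Hypothetical parameter names chosen for this example.
    static final String USER_PARAM = "auth_user";
    static final String PASS_PARAM = "auth_pass";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getParameter(USER_PARAM); // also parses a form-encoded body
        String pass = http.getParameter(PASS_PARAM);
        // Pass the request through untouched if there is nothing to map, if the
        // connection is not TLS, or if the client already sent a real header.
        if (user == null || pass == null || !http.isSecure()
                || http.getHeader("Authorization") != null) {
            chain.doFilter(req, res);
            return;
        }
        final String value = "Basic " + Base64.getEncoder()
                .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getHeader(String name) {
                return "Authorization".equalsIgnoreCase(name) ? value : super.getHeader(name);
            }
            @Override public Enumeration<String> getHeaders(String name) {
                return "Authorization".equalsIgnoreCase(name)
                        ? Collections.enumeration(Collections.singletonList(value))
                        : super.getHeaders(name);
            }
            @Override public Enumeration<String> getHeaderNames() {
                List<String> names = Collections.list(super.getHeaderNames());
                names.add("Authorization");
                return Collections.enumeration(names);
            }
        }, res);
    }
}
```

TLS protects the query string in transit, but the full URL is still written to server access logs and browser history. Keep the query string out of the access log pattern, and prefer a short-lived session token in the parameter over the password itself.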



Re: [flexcoders] Using Flex with server that does authentication

2010-06-07 Thread Peter Coppens
Hello

I feel your pain. Just recently we struggled through the same issues. One needs 
to get very creative to get some real HTTP support out of Flex and/or the 
browser plugins. There is no way to talk to some generic http/rest server 
with Flex (perhaps 4 is better, have not tried)

The nice thing is that writing this Tomcat filter will prove to be peanuts once 
you start with it and it does make a lot possible without having to change your 
application logic.

To conclude...you are not missing something obvious as far as I know...that's 
just the way Flex has been working for as long as it exists

Peter


On 04 Jun 2010, at 16:38, alwayslearningnewstuff wrote:

 Hi all,
 
 I'm building a Flex client for a fully-authenticated server with a REST-like 
 API. All communication with the server will be over SSL/TLS. All requests 
 must be authenticated. What I've discovered, by Googling around and by trying 
 my own code, is that Flex makes things very, very difficult for such a 
 client. The problems all center around the fact that my Basic Auth headers 
 get removed.
 
 The only way I've found to get my headers over to the server is by:
 
 * Switching from using HTTPService to URLLoader (the former seems to strip 
 all headers, no matter what)
 
 * Changing all my GET's to POST's (because headers are always stripped from 
 GET requests)
 
 * Adding a dummy body to my POST's so that they don't get turned back into 
 GET's (why, for God's sake?) and have their headers stripped.
 
 I also need to upload files --with authentication. Headers are stripped from 
 FileReference.upload() calls also. I'm aware of this bug: 
 https://bugs.adobe.com/jira/browse/FP-1044 It appears that a fix is in the 
 works, which is encouraging, but it completely baffles me that this issue has 
 been ignored for so very long.
 
 I also need to display images in my client that are served by my server 
 --with authentication. I have mx:Image elements with source properties 
 bound to URL's that point to my server. I know of no way to turn these 
 implicit GET requests into POSTs and to then somehow insert my authentication 
 header into them.
 
 At this point I'm really feeling beaten down by how difficult this all is. 
 Does nobody else write clients for authenticated servers? This seems so 
 basic. I've been a fan of Flex for years, but this is causing me to question 
 whether it's ready for real-world RIA's.
 
 I'm now considering something desperate like trying to write a Tomcat filter 
 that looks for credentials in a URL parameter and manufactures an 
 Authentication header. I don't know Tomcat well, so I'm not sure whether 
 filters can run before authentication is done. If that works, though, I can 
 go back to using my GET requests and solve my problems with upload and image 
 rendering. The fact that we use SSL/TLS would save us here, since the URL 
 parameters containing the credentials would be encrypted along with 
 everything else.
 
 Somebody please tell me that I'm missing something obvious.
 
 Thanks much
 
 



[flexcoders] Using Flex with server that does authentication

2010-06-04 Thread Trent Brown
Hi all,

I'm building a Flex client for a fully-authenticated server with a REST-like
API. All communication with the server will be over SSL/TLS. All requests
must be authenticated. What I've discovered, by Googling and by trying my
own code, is that Flex makes things very, very difficult for such a client.
The problems all center around the fact that my Basic Auth headers get
removed.

The only way I've found to get my headers over to the server is by:

   - Switching from using HTTPService to URLLoader (the former seems to
   strip all headers, no matter what)
   - Changing all my GET's to POST's (because headers are always stripped
   from GET requests)
   - Adding a dummy body to my POST's so that they don't get turned back
   into GET's (why, for God's sake?) and have their headers stripped.

I also need to upload files --with authentication. Headers are stripped from
FileReference.upload() calls also. I'm aware of this bug:
https://bugs.adobe.com/jira/browse/FP-1044 It appears that a fix is in the
works, which is encouraging, but it completely baffles me that this issue
has been ignored for so very long.

I also need to display images in my client that are served by my server
--with authentication. I have mx:Image elements with source
properties bound to URL's that point to my server. I know of no way to turn
these implicit GET requests into POSTs and to then somehow insert my
authentication header into them.

At this point I'm really feeling beaten down by how difficult this all
is. Does nobody else write clients for authenticated servers? This seems so
basic. I've been a fan of Flex for years, but this is causing me to question
whether it's ready for real-world RIA's.

I'm now considering something desperate like trying to write a Tomcat filter
that looks for credentials in a URL parameter and manufactures an
Authentication header. I don't know Tomcat well, so I'm not sure whether
filters can run before authentication is done. If that works, though, I can
go back to using my GET requests and solve my problems with upload and image
rendering. The fact that we use SSL/TLS would save us here, since the URL
parameters containing the credentials would be encrypted along with
everything else.

Somebody please tell me that I'm missing something obvious.

Thanks much