Access to .NET Assembly - Security!!!!


vladibo2
05-06-2005, 09:11 AM
I have just found that there is a big security issue: it is possible to invoke any public method in any assembly in BIN if I use remoting...

Is there any way to disallow accessing a method in an assembly and allow only aspx pages?

How can I protect other objects in my assemblies from being called from Flash?

vladbc
05-06-2005, 07:33 PM
There seems to be no way...

vladibo2
05-08-2005, 11:49 AM
There seems to be no way...
I decompiled flashgateway.dll and then recompiled it with this change in FlashGateway.Delegates.ServiceCommander:


public object InvokeAdapter(ActionContext flashContext) {
    IServiceAdapter adapter1 = null;
    // Cache key for the requested service/function pair
    string text1 = ServiceCommander.GenerateInvocationCacheKey(flashContext);
    object obj1 = this.m_adapterMap[text1];
    if (obj1 != null) {
        adapter1 = (IServiceAdapter) obj1;
    }
    else if (this.m_aspAdapter.SupportsService(flashContext)) {
        // Only the ASP.NET page adapter is still allowed to handle requests
        adapter1 = this.m_aspAdapter;
    }
    else if (this.m_webServiceAdapter.SupportsService(flashContext)) {
        //adapter1 = this.m_webServiceAdapter;
        throw new ApplicationException("Invoking Web Services - disabled");
    }
    else if (this.m_libraryServiceAdapter.SupportsService(flashContext)) {
        //adapter1 = this.m_libraryServiceAdapter;
        throw new ApplicationException("Invoking Methods in Assembly - disabled");
    }
    else {
        ResourceManager manager1 = new ResourceManager("FlashGateway", base.GetType().Assembly);
        throw new ApplicationException(string.Format(manager1.GetString("NoSuchService", Thread.CurrentThread.CurrentUICulture), flashContext.GetCurrentServiceName(), flashContext.GetCurrentFunctionName()));
    }
    object obj2 = adapter1.InvokeService(flashContext);
    if (!this.m_adapterMap.ContainsKey(text1)) {
        this.m_adapterMap.Add(text1, adapter1);
    }
    return obj2;
}

hangalot
05-08-2005, 10:02 PM
This is where the handler system in Apache would be handy for you, where you can assign a specific handler based on your request to the webserver. I would report this to MM however, as it's def a security risk. What version of IIS did you produce this with? Must admit I use openAMF, Tomcat and Apache to do remoting so...

vladibo2
05-09-2005, 03:42 PM
I use IIS 5.1 but I don't think it is a server problem. The problem is with the MM remoting component. I am not familiar with the Apache request handler you are mentioning, but I am not sure that can help you because you first need to analyse the AMF message, and that means that you need another remoting component between MM's and the client, and I think that is nonsense...

Ideally MM should make it possible in the conf file to define a list of allowed namespaces. I could also do it myself, but I do not have time now....
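The per-namespace allowlist vladibo2 describes, as an added C# example that is not part of this thread or of flashgateway.dll; ServiceAllowList, IsAllowed, EnforceOrThrow and the MyApp.Remoting.Public namespace are assumed names, and a real gateway would read the list from its config file rather than a hard-coded array.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the thread or from flashgateway.dll.
// Only services whose fully qualified name sits inside a configured
// namespace may reach the library adapter; everything else is rejected.
public static class ServiceAllowList
{
    // Constructed sample configuration: namespaces exposed to Flash clients.
    public static readonly string[] AllowedNamespaces =
    {
        "MyApp.Remoting.Public",
    };

    // A service name such as "MyApp.Remoting.Public.Catalog" is allowed
    // only if it equals an allowed namespace or is a member of one.
    // Matching on ns + "." stops "MyApp.Remoting.PublicInternal" from
    // slipping through on a plain prefix comparison.
    public static bool IsAllowed(string serviceName, IEnumerable<string> allowed)
    {
        if (string.IsNullOrEmpty(serviceName)) return false;
        foreach (string ns in allowed)
        {
            if (serviceName.Equals(ns, StringComparison.Ordinal)) return true;
            if (serviceName.StartsWith(ns + ".", StringComparison.Ordinal)) return true;
        }
        return false;
    }

    // Gate to call before a request is handed to the library adapter,
    // mirroring the ApplicationException style used by the gateway.
    public static void EnforceOrThrow(string serviceName, string functionName)
    {
        if (!IsAllowed(serviceName, AllowedNamespaces))
        {
            throw new ApplicationException(string.Format(
                "Service {0}.{1} is not in the allowed namespace list",
                serviceName, functionName));
        }
    }

    public static void Main()
    {
        Console.WriteLine(IsAllowed("MyApp.Remoting.Public.Catalog", AllowedNamespaces));
        Console.WriteLine(IsAllowed("MyApp.Remoting.PublicInternal.Admin", AllowedNamespaces));
        Console.WriteLine(IsAllowed("System.IO.File", AllowedNamespaces));
    }
}
```

Deny-by-default is the point: any service name outside the configured namespaces, including framework types, is refused before reflection ever runs.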

hangalot
05-09-2005, 03:45 PM
Look into the open-source remoting frameworks and play a bit with them; there are a few.
AMF might not be an open format, but it is a hacked one.

hangalot
05-09-2005, 03:46 PM
In the bin directory, with a proper handler you would be able to configure your own security implementation.