
Securing Access
ActionScript.org Staff
The http://ActionScript.org Staff are Jesse Stratford and Evgueni Strok. The original founders of this site in 2000, Strok and Jesse live thousands of miles from each other and have never met in person...
Copyright © 2004 O'Reilly Media, Inc. All Rights Reserved.
This content is excerpted from the above-named O'Reilly publication, with permission, by agreement with ActionScript.org.
Protecting the server resources and the content that is shipped over the network is important for keeping intruders out of your application. When a remoting method handles data that must be secure, the best way to encrypt that data is to run the remoting connection from the client to the server over SSL. Since remote data that needs to be secure is typically personal information, this should be handled between a client application and an authenticating server, as described in Chapter 18. This can easily be done with a SWF running in the browser and connecting to the gateway with:

```
https://www.yourserver.com/flashservices/gateway
```
Protecting the remote methods on the server is also important. If you enable remote methods for public access, it is likely that those methods can be accessed from outside of your application. Fortunately, most remoting implementations provide a way to protect the methods with roles-based security. In ColdFusion, you can add the roles attribute to the method declaration (the <cffunction> tag) to restrict access to the method to users who have been authenticated on the server and have been assigned the specific role:
```cfml
<cffunction name="remoteMethod" access="remote" roles="authenticatedUser">
  <!--- method body --->
</cffunction>
```
By declaring the role on the method, you force the user to log in to the server before he can access the method. This can be done in two ways. The first way is to call the setCredentials( ) method on the client:
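```actionscript
#include "NetServices.as"
// Point the default gateway at the Flash Remoting gateway
NetServices.setDefaultGatewayUrl("http://www.yourhost.com/flashservices/gateway");
my_conn = NetServices.createGatewayConnection( );
// The credentials travel in the AMF Credentials header of each request,
// so connect to an https:// gateway URL when they must be protected in transit
my_conn.setCredentials("username", "password");
```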
The setCredentials( ) method adds a Credentials header to the outbound AMF packet and forces the server to run its login routine. In ColdFusion, this is usually defined in the Application.cfm file within a <cflogin> tag. Inside the <cflogin> tag, you define the authentication mechanism that verifies the username and password passed in the Credentials header. Alternatively, you can create your own custom login routine by declaring a public method, one that is not restricted with a roles attribute, that logs in the user with the <cfloginuser> tag.
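The following Application.cfm is an added example, not code from the book excerpt, showing one way the <cflogin> routine described above can verify the credentials sent by setCredentials( ) and grant the authenticatedUser role that the roles attribute checks. The application name, the appUsers datasource, and the users table with its columns are assumptions made for illustration, and the example assumes a ColdFusion version whose Hash( ) function accepts an algorithm argument.

```cfml
<!--- Application.cfm (added example; application, datasource and table names are assumptions) --->
<cfapplication name="remotingDemo" sessionmanagement="yes">

<!--- The body of cflogin runs only while the current user is not logged in --->
<cflogin idletimeout="1800">
  <!--- The cflogin structure exists only when credentials arrived with the
        request, for example in the Credentials header set by setCredentials().
        Credentials that did not arrive over SSL are ignored.
        Assumes the web server connector populates CGI.HTTPS. --->
  <cfif IsDefined("cflogin") AND cgi.https EQ "on">

    <!--- Constructed schema: users(username, salt, password_hash).
          cfqueryparam binds the username so it cannot alter the SQL. --->
    <cfquery name="qUser" datasource="appUsers">
      SELECT salt, password_hash
      FROM users
      WHERE username = <cfqueryparam value="#cflogin.name#"
                                     cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>

    <!--- Hash() returns uppercase hex; Compare() returns 0 on an exact match --->
    <cfif qUser.recordCount EQ 1
          AND Compare(Hash(qUser.salt & cflogin.password, "SHA-256"),
                      qUser.password_hash) EQ 0>
      <!--- Grants the role that roles="authenticatedUser" requires --->
      <cfloginuser name="#cflogin.name#"
                   password="#cflogin.password#"
                   roles="authenticatedUser">
    </cfif>
    <!--- On failure nothing is granted: the user stays unauthenticated and
          calls to role-restricted remote methods are refused --->
  </cfif>
</cflogin>
```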
If your FlashCom application relies heavily upon remoting and you absolutely need the FlashCom application server data to be secure, you can configure your network so that only the FlashCom Server can access the resources defined on the server. This will guarantee that only the FlashCom Server has access to the remote resources and they cannot be abused by an outside party. See Chapter 18 for more information on security.
Conclusion
This chapter has demonstrated how Flash Remoting can be used to add data connectivity to FlashCom applications. Flash Remoting can access web services, server-side scripts, CGI applications, XML files, or the local filesystem with the help of an application server such as ColdFusion. Just your luck, the next chapter covers using ColdFusion to perform numerous utility functions and database queries not possible with FlashCom alone.
We're almost done with our tour of FlashCom internals and associated technologies. By now, you should have a solid theoretical foundation but you may be having trouble seeing the forest for the trees. Don't fret; subsequent chapters deal with component frameworks, application development, performance tuning, security, and more.


