tags:

views:

446

answers:

2
+1  Q: 

Basic Authentication with Flash

This is *** unbelievable! Flash programmers are familiar with the example:

var req:URLRequest = new URLRequest("http://yoursite.com/yourservice.ext");
req.method = URLRequestMethod.POST;
req.data = new URLVariables("name=John+Doe");

var encoder:Base64Encoder = new Base64Encoder();        
encoder.encode("yourusername:yourpassword");

var credsHeader:URLRequestHeader = new URLRequestHeader("Authorization", "Basic " + encoder.toString());
req.requestHeaders.push(credsHeader);

var loader:URLLoader = new URLLoader();
loader.load(req);

OK... great... that realy works. As you can see I manually add a header Authorization for Basic HTTP authentication. BUT... if I change request metod from POST to GET, the header is not generated.

Is there anyone that knows a solution? 1000x thx!

+2  A: 

I'm surprised you've even been able to get it to work with a POST request. In December 2007, Flash Player was updated to explicitly disallow the Authorization header. I guess it's possible that they've since re-allowed it. But I'd be surprised by that.

Beyond specific issues with the Authorization header, I'm pretty sure that Flash Player will only send customer request headers with a POST request. I'm sorry I don't have a link for that, but at my firm we use Flash Player extensively to work with Restful web services, and we've had to implement all kinds of workarounds to make things work.

Bottom line, Flash Player has awful support for HTTP. In fact, our set of workaround is activated by sending the request header X-Crippled-Client: true, which tells our services to interpret requests, and send responses, in mangled ways. It's a real pain in the butt.

Sorry I can't be more helpful… good luck!

Avi Flax  2009-11-03 01:28:41
+1  A: 

@Flax: yup, I couldn't agree more on flash security with HTTP headers. But there is one more way to do this, but that requires bit of work. Try using Socket instead of URLLoader, because Socket don't have those kind of restrictions. So for HTTP request open a socket to port 80 of the server (http://yoursite.com/). As soon as it is connected to server, send all your http request headers. Then on SocketDataEvent, parse the data and read (or discard) the response headers, and proceed with the data.

bhups  2009-11-03 06:42:08
Yea... i did this... but now I have problem with crossdomain security :). Sockets will do the trick for non HTTP servers like chat server where you can manualy satisfy flash with crossdomain (example: http://coderslike.us/2009/01/23/flash-socket-code-and-crossdomain-policy-serving/).
xpepermint  2009-11-10 08:53:14
here you can use Security.loadPolicyFile("http://www.yoursite.com/crossdomain.xml"); before connecting on the Socket.
bhups  2009-11-10 09:10:12

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.