file upload in flex when IIS is set to 'integrated windows authentication'

Question

Hello,

I have a flex app that allows the user to upload a file. The flex side uses the FileReference.upload method that goes to an .aspx page that handles the upload. It works only intermittently when I have IIS set to integrated windows authentication. That said, for testing purposes,I wrote a separate aspx page that does a file upload and this always works....I'd like to leverage the file import,though, within the nice looking flex app and not kick off a new webpage for a file upload.

In looking at the IIS logs I have a hypothesis as to what's happening, and want to know if someone has full understanding as to why it may only intermittently work and can confirm or deny this:

1. Flex' FileReference upload guts does whatever it does on the client then initiates a POST request to my .aspx page. On the times it failes, the IIS logs state that IE didn't pass the credentials so denies the request then sends a 401 response.
2. I don't get this 401 response on the flex side even though I'm listening for HTTP status codes (flash bug?).
3. A new request is somehow immediately made to perform the upload again (it's not my code). I'm inferring this by looking at the IIS lgos which shows a second POST right after the previous one, only this time the user credentials are sent through, but the kicker is that the file the user uploaded is not uploaded this time. I infer this by the fact that the IIS logs show 0 bytes are posted, whereas the previous 401 request show a lot of bytes are POSTed.

On the times it does work, what happens is that the first request for the HTTP POST the FileReference makes so happens to send the windows credentials along, so the client is not challenged.

Can any body give any ideas on how to get the FileReference.upload to consistently work when integrated authentication is being used in IIS?

Chris

Answer 1

You can workaround the problems with FileReference.upload by having it always upload to a non-secured aspx page. Use a separate call in remoting/http/webservice prior to the upload to indicate to the server that you want to upload a file. Have the server pass back a random token to the client (and cache the token in memory). Then send the token as a GET variable along with the upload url. You can validate the token on the server and apply security through the token.

It's a hacky workaround, but works. We've done this before when we had a similar problem with QuickTime not making requests with the same session credentials.