views:

130

answers:

1

We have a Flex app that is currently loading an XML file that contains Multiple Choice Question data. I don't want a user to be able to access this file via http, but if I use HTTPService to load the file (what we're doing currently) it seems as though I have to place the XML file within the public_html folder on our server.

Is there a better way to load the XML file so that users wouldn't be able to see it in their activity viewer/access it via http://

Thanks!

+2  A: 

You could encrypt the XML file using a secret key between your service and the flex application.

I'm not familiar with how easy it is to disassemble a flex application, but be careful, because someone probably will be able to find either the key string or the XML data after it has been decrypted (by watching memory addresses, etc.)

If you just wanted a deterrent from being able to go to "appsite.com/data.xml" and snagging it, this would work.

I might recommend Blowfish as the encryption algorithm of choice.

Googling for "flex blowfish" returned this site which looks like it provides an encryption library for flex.

http://www.insideria.com/2008/04/encryption-in-flex-application-1.html

A couple of other suggestions (depending on the level of security you need, encryption might not even be worth it)

  • you could compare the Agent strings of the requester. Make your Http request use a custom user agent.

  • Supply a simple POST variable that unless it's set, you raise a 403 Error on the web service.

These last two suggestions are EASY to get around, but if you're just trying to deny the casual user, that should be enough. Like I said, it's all about the level of security you want.

Crowe T. Robot
Great ideas - thanks!
Julia