I have a Flex frontend connecting via RemoteObject to Zend Framework's Zend Amf. This is my only means to transport data between client layer (Flex) and the application and persistence layers (LAMP with Zend Framework). Some ways I can address security are as follows:

  1. I can address TLS by using mx.messaging.channels.SecureAMFChannel in my services-config.xml file and ensuring Flash Player is loaded into an HTTPS wrapper and is in fact using HTTPS, since the AMF protocol is layered on top of HTTP.
  2. RemoteObject has a setCredentials method with which I can pass AMF authentication headers to protect user-related data. Assuming TLS was actually secure, I can expose methods on the endpoint after authenticating the User.
  3. I can protect against cross-site scripting and other Flash vulnerabilities with a properly set up crossdomain.xml.

The question I have is how do I protect my endpoint against another AMF consumer? For instance, if there were another AMF consumer (not Flash, so not bound by crossdomain.xml and Flash sandbox security) other than my Flex client that knew my endpoint, what would stop it from using the methods that the endpoint exposes?

As far as I know, I essentially need a way to authenticate my Flex application against my Zend Amf endpoint. After AMF consumer authentication, I have some of the security mechanisms I mentioned above to protect certain pieces of data (like User authentication). I cannot embed some sort of authentication mechanism into my Flex swf because the swf is vulnerable to decompilation (the swf cannot be trusted). While sensitive data is protected via User authentication, the unprotected data is hardly public but as far as I can tell is totally open for public consumption.

A: 

You cannot prevent anyone from sending arbitrary HTTP requests to your endpoint. If your Flex application authenticates users against the server, and the server only serves sensitive data if the request has proper credentials / session IDs on it, everything is fine. What you cannot do is authenticate the user and only store within the client that the user is authenticated. Since HTTP is a stateless protocol, the server must be able to authorize each request individually. It's the same thing with "regular" websites and AJAX.

Simon
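The per-request server-side authorization this answer describes, as an added example that is not part of the original post or of Zend Framework's own documentation. It wires Zend Framework 1.x's Zend_Amf_Server to an auth adapter (fed by the AMF credentials header that RemoteObject.setCredentials() sends) and to a Zend_Acl, so that every call is checked on the server regardless of which client sent it. The service class, its two methods, the hard-coded username/password check and the role names are hypothetical placeholders; Zend_Amf_Server's own convention that the identity object carries a ->role property and that unauthenticated callers map to Zend_Amf_Constants::GUEST_ROLE is what the ACL relies on.

```php
<?php
// Added example (not from the original post): a Zend_Amf_Server endpoint that
// authorizes every AMF call on the server side. The service class, method
// names, role names and the credential check are hypothetical placeholders.
require_once 'Zend/Amf/Server.php';
require_once 'Zend/Amf/Auth/Abstract.php';
require_once 'Zend/Amf/Constants.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Result.php';
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Service exposed to RemoteObject. getCatalog() is meant to stay public;
// getOrders() must only be reachable by an authenticated user.
class OrderService
{
    public function getCatalog()
    {
        return array('sku-1', 'sku-2');
    }

    public function getOrders()
    {
        // The identity was written to the PHP session by Zend_Auth when the
        // credentials header was validated; the ACL guarantees it exists here.
        $identity = Zend_Auth::getInstance()->getIdentity();
        // Placeholder: look up orders belonging to $identity->username.
        return array('order belonging to ' . $identity->username);
    }
}

// Credential check driven by the AMF credentials header. Zend_Amf_Server
// calls this through Zend_Auth, which stores the returned identity in the
// session, so later calls in the same session carry it without resending
// the password. A non-Flex client presenting the same header gets the same
// treatment: what matters is the credential, not the client.
class PasswordAuth extends Zend_Amf_Auth_Abstract
{
    public function authenticate()
    {
        // Placeholder check; a real deployment uses a user store with salted hashes.
        $valid = ($this->_username === 'alice' && $this->_password === 'secret');
        if (!$valid) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null);
        }
        $identity = new stdClass();
        $identity->username = $this->_username;
        $identity->role     = 'user';   // Zend_Amf_Server reads ->role for the ACL
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
    }
}

// ACL: resources are service class names, privileges are method names.
// Unauthenticated callers are given Zend_Amf_Constants::GUEST_ROLE; anything
// not explicitly allowed is denied and Zend_Amf_Server returns an AMF error.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role(Zend_Amf_Constants::GUEST_ROLE));
$acl->addRole(new Zend_Acl_Role('user'), Zend_Amf_Constants::GUEST_ROLE);
$acl->add(new Zend_Acl_Resource('OrderService'));
$acl->allow(Zend_Amf_Constants::GUEST_ROLE, 'OrderService', 'getCatalog');
$acl->allow('user', 'OrderService', 'getOrders');

$server = new Zend_Amf_Server();
$server->setProduction(true);   // do not leak exception details to callers
$server->setAuth(new PasswordAuth());
$server->setAcl($acl);
$server->setClass('OrderService');
echo $server->handle();
```

Two things worth checking in a deployment like this: the guest role is what keeps getCatalog() callable by any AMF consumer, which is exactly the "unprotected data is open" situation the question describes and cannot be avoided; and because the identity lives in the PHP session, the session cookie must be marked Secure so it only travels over the HTTPS channel that SecureAMFChannel sets up.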
A: 

An AMF client cannot know who called them unless some sort of authentication is provided. Any HTTP request that Flex sends could be emulated by non-Flex means, and as you correctly noted, any embedded key could be extracted. So there's no generic solution for this, though you could probably work something out if you gave your client certificates for HTTPS connection and made the server check the client certificates.

StasM
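The client-certificate approach suggested here, as an added example that is not part of the original answer. It assumes Apache with mod_ssl in front of PHP, configured with `SSLVerifyClient require`, `SSLCACertificateFile` pointing at the CA that issues client certificates, and `SSLOptions +StdEnvVars` so that the verification result and the certificate subject reach PHP as `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN`. The adapter below turns that into a Zend_Auth identity before Zend_Amf_Server handles the request; the service class, the CN-to-role mapping and the role name are hypothetical. The caveat that goes with this approach: the certificate's private key must be held by the user (browser or OS key store, issued per user), not compiled into the swf, otherwise it is just another embedded secret that decompilation recovers.

```php
<?php
// Added example (not from the original answer): authenticate the AMF caller
// from a TLS client certificate that mod_ssl has already verified.
// Assumed vhost configuration (Apache mod_ssl):
//   SSLVerifyClient require
//   SSLCACertificateFile /etc/ssl/certs/client-ca.pem
//   SSLOptions +StdEnvVars
require_once 'Zend/Amf/Server.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Result.php';
require_once 'Zend/Auth/Adapter/Interface.php';

class ClientCertAuth implements Zend_Auth_Adapter_Interface
{
    private $env;

    // $env is normally $_SERVER; injected so the adapter can be unit-tested.
    public function __construct(array $env)
    {
        $this->env = $env;
    }

    public function authenticate()
    {
        // Only trust the subject if mod_ssl reports a successful chain check.
        if (!isset($this->env['SSL_CLIENT_VERIFY'])
            || $this->env['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null,
                array('no verified client certificate'));
        }
        $cn = isset($this->env['SSL_CLIENT_S_DN_CN']) ? $this->env['SSL_CLIENT_S_DN_CN'] : '';
        if ($cn === '') {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null,
                array('certificate has no CN'));
        }
        // Placeholder mapping: a real deployment looks the CN up in its user store.
        $identity = new stdClass();
        $identity->username = $cn;
        $identity->role     = 'user';
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
    }
}

// Hypothetical service; every method here is only reachable once the
// certificate check below has passed.
class OrderService
{
    public function getOrders()
    {
        $identity = Zend_Auth::getInstance()->getIdentity();
        return array('order belonging to ' . $identity->username);
    }
}

// Re-run the check on every request (it is cheap: Apache did the crypto) rather
// than relying on a session, so a connection without a certificate never gets
// to the service even if the PHP session store were shared or misconfigured.
$result = new ClientCertAuth($_SERVER);
$result = $result->authenticate();
if (!$result->isValid()) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
Zend_Auth::getInstance()->getStorage()->write($result->getIdentity());

$server = new Zend_Amf_Server();
$server->setProduction(true);
$server->setClass('OrderService');
echo $server->handle();
```

This identifies the person holding the certificate, not "your Flex application": any AMF consumer that can present that person's certificate is equally accepted, which is the most the server can ever establish.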