views:

415

answers:

1

What's the best way to secure a Flex-BlazeDS application? I've googled it and several solutions came up.

UPDATE after question from jsight:

  • Flex would login, so on the RemoteObject I'll set Credentials
  • I don't know if there comes authentication and authorization with BlazeDS (WebORB for instance does and WebORB looked at BlazeDS for their product)
  • SSL not needed
  • I've seen some links on the internet talking about spring security, so I'll check that out.

Authentication will be done by comparing user login with password to database.

+1  A: 

My 2 cents:

  • We have a Flex application and our login screen is part of the Flex application. We don't use SSL but you may define a secure channel if you need it (but you don't);
  • We created our own instance of the adapter class on the server (that extends the one that comes with BlazeDS). The idea is that this class would check if the session to which that request belongs has an authenticated user or not. In the Flex methods/classes (on the Java side), we used annotations to inform the adapter class about requirements that must be satisfied in order for that method to be called - we call these annotations "FlexService" (for the class) and "FlexMethod" (for a method);
    • The main reason behind this is to avoid a method from being called if the user has not been authenticated before, and we want more granular control than just "block everybody". We have licensing requirements and this library is also responsible for checking if the user has a license and if that license is still valid for each request.
  • Remember to hash your password before saving it to the database, and compare the hash only. You could hash it one time in the Flex client (so the open password is never sent to the server), and hash the hashed value again before saving it to the database (so that if someone obtains your database hashed passwords, he still cannot hack into your system because he won't have the original hashed value that was sent from the Flex client).

I am pretty sure I will get some downvotes if BlazeDS implements all of the above, but I didn't like what I found that was native to it, and I thought that using annotations was a good solution, especially because we were using annotations anyway to mark the methods that were BlazeDS methods (so IntelliJ would stop bothering us about methods that are not called anywhere).

Ravi Wallau
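The adapter-plus-annotations approach in the answer above, as an added example that is not the answerer's own code. It subclasses the BlazeDS `JavaAdapter` and refuses a remoting call unless the target class carries `@FlexService`, the target method carries `@FlexMethod`, and (where the method requires it) the `FlexSession` holds an authenticated user. The annotation names come from the answer; their `requiresLogin` attribute, the class name `SecuredJavaAdapter`, the session attribute `authenticatedUser`, and the fault code string are assumptions. The BlazeDS calls used (`FlexContext.getFlexSession()`, `RemotingMessage.getOperation()`/`getParameters()`, `RemotingDestination.getFactoryInstance().getInstanceClass()`, `MessageException`) are the public BlazeDS API as I know it; check them against the BlazeDS version you deploy.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import flex.messaging.FlexContext;
import flex.messaging.FlexSession;
import flex.messaging.MessageException;
import flex.messaging.messages.Message;
import flex.messaging.messages.RemotingMessage;
import flex.messaging.services.remoting.RemotingDestination;
import flex.messaging.services.remoting.adapters.JavaAdapter;

/** Marks a class as callable from Flex (name taken from the answer). */
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
@interface FlexService { }

/** Marks a callable method; requiresLogin=false opens it, e.g. for the login call itself. */
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface FlexMethod { boolean requiresLogin() default true; }

/** Assumed adapter name; registered in remoting-config.xml in place of the stock JavaAdapter. */
public class SecuredJavaAdapter extends JavaAdapter {
    /** Assumed session attribute that the login method sets after a successful credential check. */
    static final String USER_ATTR = "authenticatedUser";

    @Override
    public Object invoke(Message message) {
        RemotingMessage call = (RemotingMessage) message;
        Class<?> target = ((RemotingDestination) getDestination())
                .getFactoryInstance().getInstanceClass();
        Method method = findMethod(target, call.getOperation(), call.getParameters().size());

        // Default deny: only methods explicitly annotated on an annotated class are reachable.
        if (target.getAnnotation(FlexService.class) == null
                || method == null
                || method.getAnnotation(FlexMethod.class) == null) {
            throw deny("Operation not exposed: " + call.getOperation());
        }
        // Per-method granularity: most methods need a logged-in session, login itself does not.
        if (method.getAnnotation(FlexMethod.class).requiresLogin() && currentUser() == null) {
            throw deny("Login required for " + call.getOperation());
        }
        return super.invoke(message); // BlazeDS performs the actual dispatch as usual
    }

    /** The user bound to the calling FlexSession, or null if nobody has logged in on it. */
    static String currentUser() {
        FlexSession session = FlexContext.getFlexSession();
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }

    /** Public method with the requested name and arity; returns null if there is none. */
    private static Method findMethod(Class<?> type, String name, int arity) {
        for (Method m : type.getMethods()) {
            if (m.getName().equals(name) && m.getParameterTypes().length == arity) {
                return m;
            }
        }
        return null;
    }

    private static MessageException deny(String reason) {
        MessageException e = new MessageException(reason);
        e.setCode("Server.Security.Denied"); // assumed fault code; the Flex client sees it in the FaultEvent
        return e;
    }
}
```

The login method lives in a `@FlexService` class as `@FlexMethod(requiresLogin = false)` and, after verifying the credentials against the database, stores the user name with `FlexContext.getFlexSession().setAttribute(SecuredJavaAdapter.USER_ATTR, name)`; logout removes the attribute or invalidates the session. Because the check runs inside the adapter, every destination that references it is covered, so a newly added method is unreachable until someone deliberately annotates it.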