tags:

views:

66

answers:

2
Q: 

How to protect credentials during Flex ChannelSet.login?

It has just occurred to me that when my Flex application does a ChannelSet.login, it is essentially sending the username and password over the wire in an unencrypted form to the BlazeDS server. While I use the binary AMF protocol over an AMFChannel, it would take nothing for somebody to sniff these passwords.

Most of my clients do not want to run their application on an https (SSL) protected site. So what is the best way to do this? I use Spring security on the backend to do authentication.

Should I encrypt the credentials myself before calling login? I guess then I would need to know the server-side encryption algorthym.

Thoughts?

+1  A: 

Without SSL you can only resort to a shared encryption technique between client and server. In that case you can implement a custom LoginCommand in BlazeDS that will decrypt the incoming encrypted username/credentials for use on the server side.

There are other techniques (SSO, PreAuthentication, SessionKeys) but if your clients wont shell out for SSL or be prepared to force their users to use a self signed Selg Signed SSL certificate, then i doubt they will go for the alternatives.

If you are that worried about the username/password being comprpmised, then the minimum requirement is SSL when using ChannelSet.login with username/password.

A good solution in my humble opinion is a login via HTTPS with username/password, which the issues a session key, you can then use the username/sessionkey over HTTP to check that an oncoming non-secure request is from an authemticated user. The sessionkeys timeout after an arbitrary amount of time.

David Collie  2010-09-18 09:48:42
Looks like shared encryption is the way to go. Could probably use the username as a salt. I know there is no way to stop a determined cracker, but anything is better than nothing.
HDave  2010-09-18 19:59:59
A: 

If you are using Java the best way is use Spring Security.

http://www.adobe.com/devnet/flex/articles/flex_security.html in english

AntuanF1  2010-09-20 07:47:03
Thats a nice article, but the author's code suffers from the same fatal security flaw this question poses. His Flex client sends the username and password unencrypted "in the clear" to the Spring security back-end for authentication. The solution is trivial to crack. It's like having a huge, bullet-proof safe with the combination written on a post-it note stuck to the door!
HDave  2010-09-20 14:21:33

related questions

Silverlight vs Flex
Executing JavaScript from Flex: Is this javascript function dangerous?
How To Get Label Of Combobox to Fade In Flex
How do I change the title bar icon in Adobe AIR?
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Flex: does painless programmatic data binding exist?
SoapException: Root element is missing occurs when .NET web service called from Flex
Any recommendations for in-depth Flex training?
How do I restyle an Adobe Flex Accordion to include a button in each canvas header?
Deleting / Replacing A Node in E4X (AS3 - Flex)
How can I "unaccept" a drag in Flex?
Printing Flex components in FireFox 3
Is it possible to add behavior to a non-dynamic ActionScript 3 class without inheriting the class?
How do I get rid of the "multiple describeType entries" warning?
Open local file with AIR / Flex
Flex / Air obfuscation
Adobe Flex component events
Can you access the windows registry from Adobe Air?
Actionscript 3 - Fastest way to parse yyyy-mm-dd hh:mm:ss to a Date object?
Adobe Air - Using multiple SQLite databases at once
How can I unit test Flex applications from within the IDE or a build script?
Best way to learn Flash?
Get the current logged in OS user in Adobe Air
Adobe air - SQLStatement.execute() - Multiple queries in one statement
Unloading a ByteArray in Actionscript 3.