We can successfully consume a .NET 2.0 web service from a Flex/AS3 application. Aside from SSL, how else can we make the security more robust (i.e., authentication)?

A: 

If you're talking about securing the information going over the wire, you can use Web Service Extensions (WSE) to encrypt the body of the SOAP message so that you don't have to secure the channel. This way the message can get passed around from more than one endpoint (i.e. it can get forwarded) and you don't need multiple https certs.

If you're talking about authentication then you could do forms auth with either a password in the body or in the SOAP headers (once again either encrypt the body or the channel). Or one of the easiest ways to secure a webservice (if it's an internal set of services) is to have IIS do it: turn on NTLM and do authentication there. You can do authorization later on in the pipeline with an HTTPModule that checks people's credentials against the code they're trying to call.

Tyler
A: 

Consider using WebOrb to communicate with your service. Here is some information on WebOrb's authentication mechanism. There is also an article on Adobe's developer site on using WebOrb and .Net for authentication.

James Fassett
+2  A: 

You can leverage ASP.Net's built in session management by decorating your webmethods with

<WebMethod(EnableSession:=True)>

Then, inside your method, you can check that the user still has a valid session.

matt eisenberg
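The same pattern carried through in C#, as an added example rather than Matt's code: the Flex client calls Login once, the identity is kept in the ASP.NET session, and every protected web method re-checks that session before doing any work. The service name, namespace and the use of the ASP.NET Membership provider for credential validation are assumptions.

```csharp
using System.Web;
using System.Web.Security;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical ASMX service; not code from the question or any answer.
[WebService(Namespace = "http://example.invalid/flexdemo")]
public class SecureService : WebService
{
    private const string UserKey = "AuthenticatedUser";

    // The Flex client calls this first. On success the identity is stored in
    // the ASP.NET session; the session cookie travels with the SOAP response.
    [WebMethod(EnableSession = true)]
    public bool Login(string user, string password)
    {
        // Validate against the configured ASP.NET membership provider
        // (never against credentials compiled into the SWF).
        if (!Membership.ValidateUser(user, password))
        {
            Session.Remove(UserKey);
            return false;
        }
        Session[UserKey] = user;
        return true;
    }

    // Each protected method re-checks the session on every call, so a caller
    // that skipped Login, or whose session expired, gets a SOAP fault.
    [WebMethod(EnableSession = true)]
    public string GetAccountSummary()
    {
        string user = RequireUser();
        return "Account summary for " + user;   // placeholder business logic
    }

    private string RequireUser()
    {
        string user = Session[UserKey] as string;
        if (string.IsNullOrEmpty(user))
            throw new SoapException("Not authenticated; call Login first.",
                                    SoapException.ClientFaultCode);
        return user;
    }
}
```

When the SWF runs inside the browser, the ASP.NET session cookie set by the Login response is returned automatically on later calls, so the Flex side needs no extra cookie handling.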
A: 

You should be able to use asp.net's authentication (such as forms authentication) without much extra effort. Securing an asmx file is just like securing an aspx file. There's a ton of information on forms authentication out there; just search for 'asp.net forms authentication'.

Jeff Schumacher
That's not quite right. Since flex/flash swf file(s) are downloaded on the client computer, it's easy to decompile them...
Frank
@Frank - If you're saving usernames / passwords in your action script, then you've got bigger problems to overcome than worrying about someone decompiling your swf.
Jeff Schumacher
There are ways to verify user credentials _before_ giving access to the swf
Frank
A: 

If you are using Microsoft technologies you could build a little Asp.Net/C# application that would ask for credentials before redirecting to the correct swf.

That way you could restrict the access and have different swf files depending on the user.

Frank