I am coding an AIR 1.5 app in which I want to do a remote load of a Flex .swf file from a web server.

I'm using Flex 3.2 SDK and attempting to use the sub-application feature via SWFLoader. I've been referencing the Developing and loading sub-applications document on how to do this.

I can indeed successfully load the Flex .swf file from a remote web server and it is loaded into a remote sandbox. The running forms of this .swf file even respect the transparency setting I've set on the AIR native window.

Here is the rub:

For a production situation, our web server uses Spring Security to deflect any unauthorized access to a login web page (this is the case for normal development/QA build deployments as well). If a successful login has been done, then the response of the login sets a cookie. This cookie header should be present on all subsequent HTTP interactions that seek to retrieve content from the site.

I can't figure out how to set a cookie header on my uses of SWFLoader to retrieve Flex .swf files.

How can I use SWFLoader to retrieve files from a web site that is being guarded with Spring Security (which is a widely used means of securing access to Java-based web sites - it used to be called Acegi security before melding with Spring Source)?

Running our Flex-based code was a snap when running it in a browser Flash Player sandbox - the Spring Security stuff was managed just swell by the browser. Trying to run our Flex-based app in AIR as a sub-application within the safe confines of a remote sandbox is proving to be a hellish experience, though.

The AIR HTML control, though it works with Spring Security well enough, is a no-go because any .swf or .pdf content loaded will not show up if transparency is set to true on the AIR native window. Our particular UI design absolutely mandates transparency be set to true as we're doing MDI child windows that float on the user desktop.

A: 

I solved this problem by chaining the use of an AIR HTML control in conjunction with the use of SWFLoader to then load the desired remote .swf file.

I wrote a JavaScript function on an HTML web page that my AIR app loads into an HTML instance (when the page complete event fires, it is then safe to call the JavaScript function from AIR Flex code - the Flex code can, of course, handle the HTML complete event).

This JavaScript function uses XMLHttpRequest() to log in to the web site that uses Spring Security for authorization. A Set-Cookie header gets processed upon a successful login. When the response for the XMLHttpRequest() is complete, a synthetic click event is dispatched on a dummy DIV object that has been placed on the web page. AIR Flex code is able to register for and process this synthetic click event.

Upon processing the click event, the AIR Flex code then knows it is safe to proceed to instantiate a SWFLoader instance. When the complete event from the SWFLoader object fires, the object reference of the SWFLoader is placed in the AIR app display list.

The user then sees the remotely loaded swf file begin to execute and show its own UI. It is running in a sub-application remote sandbox context. The sub-application feature is supported in Flex SDK 3.2 via the SWFLoader control.

So the AIR app is managing the cookie header that was established by the HTML control. That cookie header is emitted in the HTTP request of the SWFLoader control when it is used to load the remote .swf file. The Spring Security filter sees this and finds the request to be from an authenticated user session.

RogerV
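
The page-side half of the flow described in the answer above, as an added example that is not the answer author's code: log in with XMLHttpRequest, then dispatch the synthetic click on the dummy DIV only when the login actually succeeded. The login URL, the `j_username`/`j_password` field names (the Spring Security 2.x form-login defaults), the `loginDone` element id, the failure marker, and all function names are assumptions.

```javascript
// Added example; every name, URL and field name here is an assumption, not from the post.
function encodeForm(fields) {
  return Object.keys(fields).map(function (k) {
    return encodeURIComponent(k) + '=' + encodeURIComponent(fields[k]);
  }).join('&');
}

// Dispatch the synthetic click that the AIR Flex code listens for on the dummy DIV.
function signalAir(doc, signalId) {
  var evt = doc.createEvent('MouseEvents');
  evt.initEvent('click', true, true);
  return doc.getElementById(signalId).dispatchEvent(evt);
}

// cfg.newXhr and cfg.doc default to the page's own XMLHttpRequest and document;
// they are parameters only so the flow can be exercised outside the HTML control.
function loginThenSignal(cfg, username, password, onFailure) {
  var xhr = cfg.newXhr ? cfg.newXhr() : new XMLHttpRequest();
  var doc = cfg.doc || document;
  xhr.open('POST', cfg.loginUrl, true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) { return; }
    // Form login answers with a redirect that XHR follows silently, so a failed
    // login can also end in HTTP 200 (the login page again). Treat the response
    // as success only if it is 200 and does not contain the login form.
    var body = xhr.responseText || '';
    var ok = xhr.status === 200 && body.indexOf(cfg.loginFormMarker) === -1;
    if (ok) {
      signalAir(doc, cfg.signalId);      // AIR may now create the SWFLoader
    } else if (onFailure) {
      onFailure(xhr.status);             // no click: the session cookie is not set
    }
  };
  xhr.send(encodeForm({ j_username: username, j_password: password }));
}

// Constructed sample configuration (placeholder host).
var exampleConfig = {
  loginUrl: 'https://app.example.invalid/j_spring_security_check',
  loginFormMarker: 'name="j_password"',
  signalId: 'loginDone'
};
```

Sending the login over HTTPS keeps the credentials and the resulting session cookie off the wire in clear text, since the same cookie is later attached to the SWFLoader request.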