We don't use Flex to access our Web Services; we use PHP or Perl. To stop unauthorized access we use a combination of SSL as well as wssecurity (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd).
I don't know if Flex allows you to create SOAP Headers but if it does you could use WSSecurity. If not, you could add a layer in the middle, say written in PHP, to contact your Web Service and use, say, WebORB to return the data to your Flex application.

--- In flexcoders@yahoogroups.com, "richclient" <[EMAIL PROTECTED]> wrote:
>
> Our flex application is using <mx:WebService> where the web service is a ColdFusion CFC.
> Works great. Now we need to deploy the application and the web service in a production
> environment across SSL, and ensure that not just any application can call that web service.
>
> With Flex calling the ColdFusion web service, we cannot hold the credentials in a session
> scope because there isn't one for a web service. (?) How do we make sure no unauthorized
> consumers succeed in getting data back from our web service calls? Are we going to have to
> pass credentials to the web service on every call?
>
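
Added example, not part of the original thread: one way the WS-Security header mentioned in the reply can carry credentials on every SOAP call, using the UsernameToken PasswordDigest form from the OASIS UsernameToken profile, with the server checking freshness and replay. The function names, the `users` store and the five-minute window are assumptions; the digest is SHA-1 based, so it is meant to run over SSL as the reply describes.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _digest(nonce, created, password):
    # UsernameToken profile: Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_security_header(user, password, now=None):
    """Client side (hypothetical helper): returns <wsse:Security> as a string."""
    created = (now or datetime.now(timezone.utc)).strftime(TS_FMT)
    nonce = os.urandom(16)  # fresh per request, so a captured header is single-use
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = _digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")

def verify_security_header(xml, users, seen_nonces, now=None, max_age=timedelta(minutes=5)):
    """Server side: True only for a fresh, unreplayed token from a known user.
    `users` maps name -> password (the digest scheme needs the password itself)."""
    try:  # any missing or malformed field fails closed
        tok = ET.fromstring(xml).find(f"{{{WSSE}}}UsernameToken")
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        pw_type, pw_val = pw.get("Type"), pw.text or ""
        created = tok.findtext(f"{{{WSU}}}Created")
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce"), validate=True)
        ts = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
    except (ET.ParseError, AttributeError, TypeError, ValueError):
        return False
    now = now or datetime.now(timezone.utc)
    if pw_type != DIGEST or user not in users:
        return False
    if abs(now - ts) > max_age or nonce in seen_nonces:
        return False  # stale timestamp or replayed nonce
    expected = _digest(nonce, created, users[user])
    if not hmac.compare_digest(expected.encode(), pw_val.encode()):
        return False
    seen_nonces.add(nonce)  # remember nonces only from valid tokens
    return True
```

In a deployment the nonce cache would be shared across server instances and entries older than `max_age` expired from it.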