[flexcoders] Restrict access to an API to only allowed applications

2011-09-26 Thread Haykel BEN JEMIA
Hi,

I'm looking for the best and most secure way to restrict access to a web API
to only allowed applications. The best option I found is to use 2-Legged
OAuth where applications would get a consumer key and a secret key. The
problem here is that SWF files can be easily decompiled and the keys
extracted. My questions here are:

* Does anybody know a way to protect the keys?
* Is there another authorization mechanism that is better suited for such
client applications in general (Flash, JavaScript ...)

Thanks.

Haykel Ben Jemia

Allmas
Web  RIA Development
http://www.allmas-tn.com


Re: [flexcoders] Restrict access to an API to only allowed applications

2011-09-26 Thread claudiu ursica
You can embed the keys instead of keeping them in plain sight.

Check this session; I think you will find some useful stuff:
http://tv.adobe.com/watch/360flex-conference/encrypting-flex-protecting-revenue-by-andrew-westberg/

C




From: Haykel BEN JEMIA hayke...@gmail.com
To: flexcoders flexcoders@yahoogroups.com
Sent: Monday, September 26, 2011 12:00 PM
Subject: [flexcoders] Restrict access to an API to only allowed applications


  
Hi,

I'm looking for the best and most secure way to restrict access to a web
API to only allowed applications. The best option I found is to use
2-Legged OAuth where applications would get a consumer key and a secret
key. The problem here is that SWF files can be easily decompiled and the
keys extracted. My questions here are:

* Does anybody know a way to protect the keys?
* Is there another authorization mechanism that is better suited for such 
client applications in general (Flash, JavaScript ...)

Thanks.

Haykel Ben Jemia

Allmas
Web  RIA Development
http://www.allmas-tn.com



 

[flexcoders] tv.adobe.com hacked??

2011-09-26 Thread Haykel BEN JEMIA
The following course has been replaced by an ad for 'The Bourne
Ultimatum'!! Hackers at work?

http://tv.adobe.com/watch/360flex-conference/encrypting-flex-protecting-revenue-by-andrew-westberg/

Haykel Ben Jemia

Allmas
Web  RIA Development
http://www.allmas-tn.com


Re: [flexcoders] tv.adobe.com hacked??

2011-09-26 Thread claudiu ursica
I do get the same trailer and then the streaming just freezes...
Weird.



 

Re: [flexcoders] Restrict access to an API to only allowed applications

2011-09-26 Thread Haykel BEN JEMIA
Thanks Claudiu,

I have found a PDF of the presentation and on page 4 it says the following
about protecting sensitive data through embedding:

* Most decompilers don’t look at embedded data.
* Given that SWF is an open file format, nothing is really stopping them
from doing this in the future.
* Useful for quick/dirty storage of WebService credentials.

So this is definitely better than storing the keys in plain text format, but
still easy to crack.

Any other suggestions?

Thanks,

Haykel Ben Jemia

Allmas
Web  RIA Development
http://www.allmas-tn.com




On Mon, Sep 26, 2011 at 11:33 AM, claudiu ursica the_bran...@yahoo.com wrote:

 You can embed the keys instead of keeping them in plain sight.

 Check this session; I think you will find some useful stuff:

 http://tv.adobe.com/watch/360flex-conference/encrypting-flex-protecting-revenue-by-andrew-westberg/

 C




Re: [flexcoders] Restrict access to an API to only allowed applications

2011-09-26 Thread claudiu ursica
The thing is that most client-side apps implement security by obscurity, which 
pretty much means that you will never be 100% safe; the only thing you do is 
not put it in plain sight. So as you continue, you add more levels of 
obscurity, but as said that will only make it harder, still not impossible, to 
crack. You can double/triple that with server-side checks, e.g. trusted IPs, 
domains, user etc. Whenever the server feels like there is not enough trust, it 
should deny the connection. 

Obviously the topic is large enough to tackle in just a couple of lines; hope 
this gives you a start ...
C




From: Haykel BEN JEMIA hayke...@gmail.com
To: flexcoders@yahoogroups.com
Sent: Monday, September 26, 2011 1:40 PM
Subject: Re: [flexcoders] Restrict access to an API to only allowed applications


  
Thanks Claudiu,

I have found a PDF of the presentation and on page 4 it says the following 
about protecting sensitive data through embedding:

* Most decompilers don’t look at embedded data.
* Given that SWF is an open file format, nothing is really stopping them from 
doing this in the future.
* Useful for quick/dirty storage of WebService credentials.

So this is definitely better than storing the keys in plain text format, but 
still easy to crack.

Any other suggestions?

Thanks,

Haykel Ben Jemia

Allmas
Web  RIA Development
http://www.allmas-tn.com






 

[flexcoders] Re: exclude certain classes from debugging session

2011-09-26 Thread valdhor
Just use watch expressions to see only the items you are interested in.

--- In flexcoders@yahoogroups.com, Wouter Schreuders wschreuders@... wrote:

 Hi All
 
 When debugging some code and stepping through or stepping over some code, is
 it possible to configure flex to not include certain classes in the
 debugging session or at least to entirely skip those classes from being
 included in the debugging session (but they still need to execute, I just don't
 want to see it)?
 
 The reason for this is that sometimes I'm stepping through some code and
 there are certain classes I just don't want to know about (for instance
 tweening classes or robotlegs).
 
 Anyone know if this is possible?
 
 Thanks
 
 Wouter





Re: [flexcoders] Restrict access to an API to only allowed applications

2011-09-26 Thread Alex Harui
What kind of access to the web API are you trying to prevent?  What 
configurations need to use the API?  If the API doesn’t need to be used by 
other servers, I thought you could check the headers and make sure the API is 
being called from a client served from your domain and deny all others.  I 
think that’s the point of crossdomain.xml.

-Alex


On 9/26/11 5:35 AM, claudiu ursica the_bran...@yahoo.com wrote:






The thing is that most client-side apps implement security by obscurity, which 
pretty much means that you will never be 100% safe; the only thing you do is 
not put it in plain sight. So as you continue, you add more levels of 
obscurity, but as said that will only make it harder, still not impossible, to 
crack. You can double/triple that with server-side checks, e.g. trusted IPs, 
domains, user etc. Whenever the server feels like there is not enough trust, it 
should deny the connection.

Obviously the topic is large enough to tackle in just a couple of lines; hope 
this gives you a start ...
C



--
Alex Harui
Flex SDK Team
Adobe System, Inc.
http://blogs.adobe.com/aharui
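
The server-side checks suggested in this thread (a key and secret per approved application, a check of the calling domain for web clients, and denying the request when trust is insufficient) can be combined as below. This is an added example, not code from any poster: the `X-*` header names, the registry contents and the simplified signature (not the real OAuth 1.0 signature base string) are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Constructed registry of approved applications (all values are sample data).
# "origins" is None for a desktop (AIR-style) client that sends no Origin.
CONSUMERS = {
    "web-app-1": {"secret": b"constructed-secret-1",
                  "origins": {"https://app.example.com"}, "revoked": False},
    "air-app-1": {"secret": b"constructed-secret-2",
                  "origins": None, "revoked": False},
}
MAX_SKEW = 300          # seconds a timestamp may differ from server time
_seen_nonces = {}       # (consumer key, nonce) -> timestamp, for replay checks


def sign(secret, method, url, timestamp, nonce, body=b""):
    """HMAC-SHA256 over the request; a simplified stand-in for the
    OAuth 1.0 signature base string, not the real one."""
    parts = [method.upper(), url, str(timestamp), nonce,
             hashlib.sha256(body).hexdigest()]
    return hmac.new(secret, "\n".join(parts).encode(), hashlib.sha256).hexdigest()


def signed_headers(key, method, url, timestamp, nonce, origin=None, body=b""):
    """What an approved client would send (hypothetical X-* header names)."""
    secret = CONSUMERS[key]["secret"]
    headers = {"X-Consumer-Key": key, "X-Timestamp": str(timestamp),
               "X-Nonce": nonce,
               "X-Signature": sign(secret, method, url, timestamp, nonce, body)}
    if origin:
        headers["Origin"] = origin
    return headers


def _origin_of(referer):
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def check_request(method, url, headers, body=b"", now=None):
    """Server-side decision: returns (allowed, reason)."""
    now = time.time() if now is None else now
    key = headers.get("X-Consumer-Key", "")
    consumer = CONSUMERS.get(key)
    if consumer is None:
        return False, "unknown consumer key"
    if consumer["revoked"]:                      # server can cut off a leaked key
        return False, "consumer key revoked"
    if consumer["origins"] is not None:          # browser-hosted client
        # Headers are client-supplied: this filters browsers on other sites,
        # it does not prove which program sent the request.
        origin = headers.get("Origin") or _origin_of(headers.get("Referer", ""))
        if origin not in consumer["origins"]:
            return False, "origin not allowed"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    nonce = headers.get("X-Nonce", "")
    expected = sign(consumer["secret"], method, url, timestamp, nonce, body)
    supplied = headers.get("X-Signature", "")
    if not nonce or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    # Replay check runs only for correctly signed requests.
    for old in [k for k, t in _seen_nonces.items() if now - t > MAX_SKEW]:
        del _seen_nonces[old]
    if (key, nonce) in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces[(key, nonce)] = timestamp
    return True, "ok"
```
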


Re: [flexcoders] Restrict access to an API to only allowed applications

2011-09-26 Thread Haykel BEN JEMIA
Access should only be granted to applications approved by the team. At the
beginning these will be our own applications but we want to approve apps
from other developers in the future.

Your suggestion works for web applications and we are planning to use it,
but it can not be used for AIR applications.

Haykel Ben Jemia

Allmas
Web  RIA Development
http://www.allmas-tn.com




On Mon, Sep 26, 2011 at 4:04 PM, Alex Harui aha...@adobe.com wrote:

 What kind of access to the web API are you trying to prevent?  What
 configurations need to use the API?  If the API doesn’t need to be used by
 other servers, I thought you could check the headers and make sure the API
 is being called from a client served from your domain and deny all others.
  I think that’s the point of crossdomain.xml.

 -Alex




  



Re: [flexcoders] Restrict access to an API to only allowed applications

2011-09-26 Thread Haykel BEN JEMIA
yeah you have just confirmed my 'fear' that for client applications there is
actually no secure way to identify them because anything they include (data,
algorithms etc.) can be cracked and the identification process can be
reproduced. We can only try to make it as hard as possible.

Haykel Ben Jemia

Allmas
Web  RIA Development
http://www.allmas-tn.com




On Mon, Sep 26, 2011 at 1:35 PM, claudiu ursica the_bran...@yahoo.com wrote:

 The thing is that most client-side apps implement security by obscurity,
 which pretty much means that you will never be 100% safe; the only thing you
 do is not put it in plain sight. So as you continue, you add more levels of
 obscurity, but as said that will only make it harder, still not impossible, to
 crack. You can double/triple that with server-side checks, e.g. trusted IPs,
 domains, user etc. Whenever the server feels like there is not enough trust,
 it should deny the connection.

 Obviously the topic is large enough to tackle in just a couple of lines;
 hope this gives you a start ...
 C



[flexcoders] Re: toggling checkbox's enabled field in datagrid

2011-09-26 Thread carriecharp
Oh my goodness, I promise I tried this before posting to the group, but I tried 
it again and it does work. Of course.  

Thank you so much! 

Carrie

--- In flexcoders@yahoogroups.com, turbo_vb TimHoff@... wrote:

 Have you tried this:
 
 <mx:CheckBox id="cb" selected="{ data.fired }" enabled="{ data.type != 0 }" />
 
 -TH
 
 --- In flexcoders@yahoogroups.com, carriecharp carriecharp@ wrote:
 
  I've inherited some code to update and I could use some help. 
  
  I have an Advanced Data Grid where one column uses a custom checkbox 
  component. It's very simple with the checkbox's selected field controlled 
  by column's datafield, which is a Boolean named 'fired'. 
  
  I want to have the checkbox enabled only in certain situations, dependent 
  upon a second field , an int called 'type'. Basically, enabled = (type!=0).
  
  'type' is a field in the grid's dataprovider and I want to set the enabled 
  field in the declaration below but I can't figure out how to reference the 
  'type' field.
  
  Any guidance is appreciated!
  Thanks, Carrie
  
  <mx:Component id="cbEditor">
    <mx:HBox horizontalAlign="center" backgroundAlpha="1" width="100%">
      <mx:Script>
        <![CDATA[
        public var selected:Boolean;
        ]]>
      </mx:Script>
      <mx:CheckBox id="cb" selected="{data.fired}"
        click="selected=data.fired=cb.selected;" width="15"/>
    </mx:HBox>
  </mx:Component>
 





Re: [flexcoders] Restrict access to an API to only allowed applications

2011-09-26 Thread Johannes Nel
The problem with making it as hard as possible is the overhead on your
client application. Decrypting a lot of data is a processor-intensive
operation and your own UI could suffer, while someone stealing data could
decrypt it in C and republish that data unencrypted, giving their UI the
edge over yours.


On Mon, Sep 26, 2011 at 6:45 PM, Haykel BEN JEMIA hayke...@gmail.com wrote:

 yeah you have just confirmed my 'fear' that for client applications there
 is actually no secure way to identify them because anything they include
 (data, algorithms etc.) can be cracked and the identification process can be
 reproduced. We can only try to make it as hard as possible.


 Haykel Ben Jemia

 Allmas
 Web  RIA Development
 http://www.allmas-tn.com





-- 
j:pn
\\no comment


[flexcoders] paging

2011-09-26 Thread lincoln
Can anybody help me in creating paging for a datagrid using ColdFusion and Oracle?



Re: [flexcoders] tv.adobe.com hacked??

2011-09-26 Thread Shawn Holmes
Adobe's been alerted and are investigating.

On Mon, Sep 26, 2011 at 5:31 AM, claudiu ursica the_bran...@yahoo.com wrote:


 I do get the same trailer and then the streaming just freezes...
 Weird.



  



[flexcoders] css in flex 4

2011-09-26 Thread Aicha ..
Hi everybody,
I have my

<mx:Button label="test" width="140" styleName="rightAlignDataGridCol"
mouseEnabled="false" top="0" x="23" fillAlphas="[1.0, 1.0, 1.0, 1.0]" />

I want to migrate to Flex 4, so for

<s:Button label="test" width="140" styleName="rightAlignDataGridCol"
mouseEnabled="false" top="0" x="23" fillAlphas="[1.0, 1.0, 1.0, 1.0]" />


[flexcoders] Sprite's children are drawn backwards after fullscreen.

2011-09-26 Thread al_capique
Hi,

I am creating a pure AS3 game and I was using the last version of the Flex SDK and 
compiling to the last player version. Now I am using Flex 3.6 and compiling to player 
version 9.0.280, and that change created a weird problem: every time I set the 
game to fullscreen, a sprite's children are drawn backwards when creating it for 
the first time, and they are drawn correctly when creating it again.

I did some tests writing the sprite's children indices (getChildIndex()) and to 
my surprise they actually appear reversed the first time it is created.

In another test the problem didn't happen when running the game in a browser 
with the last player version installed, indicating the problem is in the Flash 
Player 9.0.280.

Has anyone ever seen this problem? Is there a way to fix it in player 9.0.280?