[flexcoders] Re: mx:LineChart Vertical Axis Label Placement
--- In flexcoders@yahoogroups.com, geoffreymina [EMAIL PROTECTED] wrote:
Is there a simple way to have vertical axis labels show up on both the right and left sides of a chart? I have a very wide chart and it would be helpful if there were reference points on both sides. Thanks in advance. Geoff

Anyone?
[flexcoders] mx:LineChart Vertical Axis Label Placement
Is there a simple way to have vertical axis labels show up on both the right and left sides of a chart? I have a very wide chart and it would be helpful if there were reference points on both sides. Thanks in advance. Geoff
[flexcoders] Re: crossdomain.xml... real or not-so-real security?
My concern in regards to the crossdomain.xml came about when I realized that the security in the CFMX7 environment as it relates to the Flex2Gateway isn't very tight (or I am missing something). I have another thread rolling along in which I am trying to determine why my CF server is allowing public methods to be accessed via the Flex2Gateway when the /CfusionMX7/wwwroot/WEB-INF/flex/services-config.xml specifically states that only remote access is allowed. I started trying to figure out what other options I had to ensure that only my SWF had access to my CFC files. I naturally looked into the Flash runtime security model, but it appears that this isn't really what I am looking for either.

thanks, Geoff

--- In flexcoders@yahoogroups.com, Abdul Qabiz [EMAIL PROTECTED] wrote:
Both server and workstation are owned by evil guy... As said earlier, a determined person doesn't even need a server, most of things (data-access) is doable from local SWF...

I am missing something, let me try to understand your point. What you mean by "which then gives it access to my server at www.foo.com."? Are you concerned about data (xml, rss, server-side scripts etc) access? Are you concerned about XSS (Cross Site Scripting - like reading cookies etc)?

-abdul

On 10/30/07, geoffreymina [EMAIL PROTECTED] wrote:
You guys misunderstood what I was talking about. Here is the landscape:

Server 1: (www.foo.com) Owned by me and I have a crossdomain.xml which allows access to *.foo.com. This server is NOT compromised and nobody is modifying any files.

Server 2: (www.evil.com) Owned by malicious user. A Flash file is loaded on this server. The flash file makes calls to www.foo.com which under normal circumstances would NOT be allowed to access data on my server because of the crossdomain only allowing access from *.foo.com.

Workstation 1: Owned by malicious user. The user makes a local host entry for evil.foo.com which points to the same IP as www.evil.com. The malicious flash file is loaded under the evil.foo.com host header which then gives it access to my server at www.foo.com.

As you can see, no computers are compromised, yet the crossdomain.xml model fails under VERY simple circumstances. Basically what I am getting at is that crossdomain.xml really provides very little security at any layer.

--- In flexcoders@yahoogroups.com, Abdul Qabiz abdul.qabiz@ wrote:
If that same evil person can get to your hosts file, that's the fault of the OS and not Flash.

Yup! Machine is already compromised and that guy can do lots of other things :)

-abdul

On 10/27/07, Alex Harui aharui@ wrote:
That's right. The goal of crossdomain.xml is to limit what an evil person can do in a SWF served over the web so that the unsuspecting Web citizen isn't burned. It does not block access to the contents from someone who has the desire to see the content on their machine. If that same evil person can get to your hosts file, that's the fault of the OS and not Flash.

From: flexcoders@yahoogroups.com [mailto:flexcoders@yahoogroups.com] On Behalf Of Abdul Qabiz
Sent: Friday, October 26, 2007 1:40 PM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] crossdomain.xml... real or not-so-real security?

Isn't it like running a standalone SWF which can access network and local data (provided u have right trust config)? Why to run an internal server and create host entry? SWF in AIR/Standalone can access data from foo.com. Can you put (give an example) this use-case in context of internet (public)?

-abdul

On 10/26/07, geoffreymina geoffreymina@ wrote:
Say there is a site which has a crossdomain.xml defined: http://www.foo.com/crossdomain.xml with <allow-access-from domain="*.foo.com"/>

If I were to load an SWF file on my internal webserver and create a local host file which contained an entry for fake.foo.com could I then load the SWF file from fake.foo.com and access data on www.foo.com? If this is the case, then it seems to me that crossdomain.xml is really just something to make people feel warm and fuzzy... and not at all a real security measure.

Thanks, Geoff

--
-abdul
--- http://abdulqabiz.com/blog/ ---
[flexcoders] Re: crossdomain.xml... real or not-so-real security?
You guys misunderstood what I was talking about. Here is the landscape:

Server 1: (www.foo.com) Owned by me and I have a crossdomain.xml which allows access to *.foo.com. This server is NOT compromised and nobody is modifying any files.

Server 2: (www.evil.com) Owned by malicious user. A Flash file is loaded on this server. The flash file makes calls to www.foo.com which under normal circumstances would NOT be allowed to access data on my server because of the crossdomain only allowing access from *.foo.com.

Workstation 1: Owned by malicious user. The user makes a local host entry for evil.foo.com which points to the same IP as www.evil.com. The malicious flash file is loaded under the evil.foo.com host header which then gives it access to my server at www.foo.com.

As you can see, no computers are compromised, yet the crossdomain.xml model fails under VERY simple circumstances. Basically what I am getting at is that crossdomain.xml really provides very little security at any layer.

--- In flexcoders@yahoogroups.com, Abdul Qabiz [EMAIL PROTECTED] wrote:
If that same evil person can get to your hosts file, that's the fault of the OS and not Flash.

Yup! Machine is already compromised and that guy can do lots of other things :)

-abdul

On 10/27/07, Alex Harui [EMAIL PROTECTED] wrote:
That's right. The goal of crossdomain.xml is to limit what an evil person can do in a SWF served over the web so that the unsuspecting Web citizen isn't burned. It does not block access to the contents from someone who has the desire to see the content on their machine. If that same evil person can get to your hosts file, that's the fault of the OS and not Flash.

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED]] On Behalf Of Abdul Qabiz
Sent: Friday, October 26, 2007 1:40 PM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] crossdomain.xml... real or not-so-real security?

Isn't it like running a standalone SWF which can access network and local data (provided u have right trust config)? Why to run an internal server and create host entry? SWF in AIR/Standalone can access data from foo.com. Can you put (give an example) this use-case in context of internet (public)?

-abdul

On 10/26/07, geoffreymina [EMAIL PROTECTED] wrote:
Say there is a site which has a crossdomain.xml defined: http://www.foo.com/crossdomain.xml with <allow-access-from domain="*.foo.com"/>

If I were to load an SWF file on my internal webserver and create a local host file which contained an entry for fake.foo.com could I then load the SWF file from fake.foo.com and access data on www.foo.com? If this is the case, then it seems to me that crossdomain.xml is really just something to make people feel warm and fuzzy... and not at all a real security measure.

Thanks, Geoff

--
-abdul
--- http://abdulqabiz.com/blog/ ---
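
Added example, not part of any message in this thread: a simplified Python model of the client-side crossdomain.xml check the thread discusses. It shows that the decision depends only on the host name the SWF was loaded under, which is why the policy protects other users' browsers and cannot serve as server-side access control. The function names and the suffix-matching rule are assumptions of this sketch, not Flash Player's actual implementation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy the thread describes for www.foo.com.
POLICY_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.foo.com"/>
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the domain patterns granted by a crossdomain.xml document."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "").strip().lower()
            for el in root.iter("allow-access-from")]


def host_matches(pattern, host):
    """Assumed, simplified match rule: compares names only.

    Nothing here looks at the IP address behind the name or at who
    controls the machine, so the answer is whatever the client's own
    name resolution makes of the SWF's host.
    """
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.foo.com" -> ".foo.com"
    return host == pattern


def policy_allows(policy_xml, swf_host):
    """Model of the decision the player makes before a cross-domain load."""
    return any(host_matches(p, swf_host)
               for p in allowed_patterns(policy_xml))


def audit(policy_xml):
    """List the wildcard grants a reviewer would want to look at."""
    findings = []
    for pattern in allowed_patterns(policy_xml):
        if pattern == "*":
            findings.append((pattern, "any domain may read responses"))
        elif pattern.startswith("*."):
            findings.append(
                (pattern, "every host name under this suffix is trusted"))
    return findings


if __name__ == "__main__":
    for swf_host in ("www.evil.com", "evil.foo.com", "foo.com.evil.com"):
        print(swf_host, policy_allows(POLICY_XML, swf_host))
    print(audit(POLICY_XML))
```

Because the check runs in the client and keys on a name, restricting who may call the CFCs has to happen on the server (authentication and role checks on each request), with crossdomain.xml kept as narrow as possible.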
[flexcoders] Re: Flex2Gateway Security Question
Well my current [local] services-config.xml is set to allow public invocations and the file on my remote server contains the following:

[C:\CFusionMX7\wwwroot\WEB-INF\flex\services-config.xml]
<method-access-level>remote</method-access-level>

Now, all my Flex applications that I am compiling locally are able to access public methods on my remote server... is this not the instance of the file I should be configuring? If this is the file which is _supposed_ to control access, it certainly isn't doing a very good job.

thanks, Geoff

--- In flexcoders@yahoogroups.com, Derrick Anderson [EMAIL PROTECTED] wrote:
Anyone who is compiling Flex applications with a local services-config.xml can control whether THEY want to access MY remote or public methods... that can't be right.

no, it's not- the settings that are in the file you use to compile against are not hard-wired into the compiled app, if your server file has settings that say not to allow execution of public methods, that's what happens, regardless of the services-config.xml that was used in compiling. That's how i understand it to work anyway- anybody who knows different feel free to correct me.

what seems to be important though is the 'path' to the services-config file used in your compiler arguments. it looks at that path on the server to see where the services-config file is, then whatever you have set in method-access-level is what is used. i don't even have CF installed on my development box, only a copy of services-config.xml in the same path as it is on the server, so that when i compile and send it to the server it all works.

i agree that it's confusing and there must be a better way or some much better documentation for how all that stuff works.

On 10/29/07, geoffreymina [EMAIL PROTECTED] wrote:
OK, I am not using FDS or CFMX8 so I guess the config is all done in the services-config.xml file. The problem I have with that is the fact that we are talking about a client side compiler file which is supposed to control server side security... seems like an extremely flawed model! Anyone who is compiling Flex applications with a local services-config.xml can control whether THEY want to access MY remote or public methods... that can't be right. The crossdomain.xml is certainly not a solution because of the ability to spoof DNS...

So basically what this comes down to is that if I want to run my Flex2Gateway, every public method on my system is exposed to the world. Or am I missing something much larger...

Thanks, Geoff

--- In flexcoders@yahoogroups.com, Derrick Anderson no.way.this.is.in.use@ wrote:
services-config.xml is the right file, i think remoting-config is for when using LCDS but i'm not really sure on that, look for <method-access-level>remote</method-access-level> in your destination definition.

On 10/26/07, geoffreymina geoffreymina@ wrote:
Thanks for the answer. I only have the services-config.xml where is the remoting-config.xml file? Is this server side, or client side?

Thanks, Geoff

--- In flexcoders@yahoogroups.com, João Fernandes joaopedromartinsfernandes@ wrote:
by default you can only invoke remote functions, not public ones. To allow public functions to be called from a flex front-end you need to change the configuration of the ColdFusion destination. Check the remoting-config.xml if you have the method-access-level property set to remote. To allow both public and remote this value is set to 'public and remote'.

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org
[flexcoders] Re: Flex2Gateway Security Question
OK, I am not using FDS or CFMX8 so I guess the config is all done in the services-config.xml file. The problem I have with that is the fact that we are talking about a client side compiler file which is supposed to control server side security... seems like an extremely flawed model! Anyone who is compiling Flex applications with a local services-config.xml can control whether THEY want to access MY remote or public methods... that can't be right. The crossdomain.xml is certainly not a solution because of the ability to spoof DNS...

So basically what this comes down to is that if I want to run my Flex2Gateway, every public method on my system is exposed to the world. Or am I missing something much larger...

Thanks, Geoff

--- In flexcoders@yahoogroups.com, Derrick Anderson [EMAIL PROTECTED] wrote:
services-config.xml is the right file, i think remoting-config is for when using LCDS but i'm not really sure on that, look for <method-access-level>remote</method-access-level> in your destination definition.

On 10/26/07, geoffreymina [EMAIL PROTECTED] wrote:
Thanks for the answer. I only have the services-config.xml where is the remoting-config.xml file? Is this server side, or client side?

Thanks, Geoff

--- In flexcoders@yahoogroups.com, João Fernandes joaopedromartinsfernandes@ wrote:
by default you can only invoke remote functions, not public ones. To allow public functions to be called from a flex front-end you need to change the configuration of the ColdFusion destination. Check the remoting-config.xml if you have the method-access-level property set to remote. To allow both public and remote this value is set to 'public and remote'.

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org
[flexcoders] Re: Flex2Gateway Security Question
I am using CFMX7... no remoting-config.xml file present. Just services-config.xml

--- In flexcoders@yahoogroups.com, João Fernandes [EMAIL PROTECTED] wrote:
that property that defines remote / remote public is for CF Server only. It will say if public methods can be invoked remotely through the flex2gateway or not. Even if you compile with a local version of your remoting-config.xml which has public methods enabled, if the remote server only allows remote, you won't be able to invoke those public functions.

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org
[flexcoders] Flex2Gateway Security Question
OK, I have come across something that I find VERY disturbing. It appears that the Flex2Gateway can invoke any access="remote" or access="public" CFFunction. I have developed a very large OO application for use with a Flex front end. My gateway components are all declared with remote access functions but their roles are properly set to NOT allow unauthorized access. The model objects all have their methods declared public with no roles defined... because, well, I assumed they couldn't be invoked directly from the web.

Does anyone know if it is possible to change the scope of what the Flex2Gateway will allow access to? Perhaps I am off base here... maybe there is some higher level security which I am missing.

Thanks, Geoff
[flexcoders] Re: Flex2Gateway Security Question
Thanks for the answer. I only have the services-config.xml where is the remoting-config.xml file? Is this server side, or client side?

Thanks, Geoff

--- In flexcoders@yahoogroups.com, João Fernandes [EMAIL PROTECTED] wrote:
by default you can only invoke remote functions, not public ones. To allow public functions to be called from a flex front-end you need to change the configuration of the ColdFusion destination. Check the remoting-config.xml if you have the method-access-level property set to remote. To allow both public and remote this value is set to 'public and remote'.

--
João Fernandes
http://www.onflexwithcf.org
http://www.riapt.org
[flexcoders] Slider with multiple highlighted areas
I am trying to make an HSlider with 6 thumbs. I would like highlights between 1-2, 3-4, and 5-6 with no highlight between 2-3 and 4-5. Is this possible with styles or do I need to start building my own custom component? Thanks, Geoff
[flexcoders] Re: PopUpManager Memory Leak 10 children???
The question I have is why doesn't the garbage collector reclaim _any_ of the memory? It is probably more of a bug with the flash runtime as opposed to flex. I am not going to file a bug report as this is something that will most likely never happen in a real world situation. Thanks, geoff
[flexcoders] Re: Inline MXML event handlers - weak reference?
Thanks for the info. I too think this should end up somewhere in the docs... it is very useful. Thanks, Geoff
[flexcoders] Re: A big newbie flex question.
The absolute best thing you can do right now is read this article.

http://www.adobe.com/devnet/flex/articles/cairngorm_pt1.html

The Cairngorm framework is a great option for flex projects big and small. This 6 part series will help you understand how it all ties together. I had never used Flex before I read this series of articles, and in 2 days I was off and running with total confidence.

-Geoff

--- In flexcoders@yahoogroups.com, Erik Price [EMAIL PROTECTED] wrote:
On 4/25/07, Ian Skinner [EMAIL PROTECTED] wrote:
> So, one has managed to wade through all that exposition, what is a good way to do this? Where do I put the data access logic. I presume in my

You might want to read up on MVC: http://en.wikipedia.org/wiki/Model_view_controller

> root application file. But, if I do that, how do I access it from my various view pieces? How do I connect all the dots?

Your view pieces (components) shouldn't call your data access logic. Instead, they should fire (possibly custom) events when the user does something. In your Main.mxml, or better yet in a controller layer of ActionScript classes (see MVC, above), you will write code to listen for these events and call the data access logic code, which itself probably belongs in yet another separate layer of ActionScript classes.

This process of factoring out your application into layers is called architecture, and there's an infinite number of ways to do it. When people recognize a general pattern for doing this, they usually will construct a framework to facilitate re-use and avoid repetition. The Cairngorm framework is an example of this.

e
[flexcoders] PopUpManager Memory Leak 10 children???
I am not sure how Adobe goes about logging bug reports, but I have tracked down a serious memory leak in the PopUpManager class. I have worked up a little two file application which will demonstrate the problem.

The first file contains a Timer object which fires every 50 milliseconds. Each time it fires it executes the createPopUp() and removePopUp() methods of the PopUpManager. The values of System.totalMemory are neatly displayed at the bottom so you can see when the leak occurs and when it doesn't. The createPopUp() method uses the LeakTest.mxml class which is simply a TitleWindow with 10 ComboBox elements inside. When you run the test you will see that the memory just keeps going up and up and up and up until finally the browser will crash.

Here is the VERY interesting thing... If you comment out a single ComboBox from the LeakTest.mxml file you will see that the memory leak no longer occurs. To restate, with 9 combobox objects the memory leak does NOT occur... but with 10 it does??? WTF??? Apparently 10 is just one too many?

Does anyone have any idea what is up with this, or how to go about notifying adobe about the issue?

Thanks, Geoff

*** FILE: MemoryLeakTest.mxml ***

<?xml version="1.0"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" xmlns:local="*" creationComplete="createComplete()">
    <mx:Script>
        <![CDATA[
            import mx.formatters.NumberFormatter;
            import mx.core.IFlexDisplayObject;
            import mx.managers.PopUpManager;

            [Bindable] public var initialMemory:Number = System.totalMemory;
            [Bindable] public var currentMemory:Number = System.totalMemory;
            [Bindable] public var maxMemory:Number = System.totalMemory;
            [Bindable] public var windowsOpened:Number = 0;
            public var timer:Timer = new Timer(50);
            [Bindable] public var format:NumberFormatter = new NumberFormatter();

            public function createComplete():void {
                // "timer" is the event type dispatched by flash.utils.Timer
                timer.addEventListener("timer", startTest);
                format.precision = 0;
            }

            // Runs on every tick: open one popup and remove it straight away
            public function startTest(event:TimerEvent):void {
                windowsOpened++;
                currentMemory = System.totalMemory;
                if (currentMemory > maxMemory) { maxMemory = currentMemory; }
                var window:IFlexDisplayObject = PopUpManager.createPopUp(this, LeakTest, false);
                PopUpManager.removePopUp(window);
            }
        ]]>
    </mx:Script>
    <mx:VBox>
        <mx:Button label="Start Test" click="timer.start();"/>
        <mx:Button label="Stop Test" click="timer.stop();"/>
        <mx:Label text="Current Memory Usage: {this.currentMemory/1024}"/>
        <mx:Label text="Maximum Memory Usage: {this.maxMemory/1024}"/>
        <mx:Label text="Departure from Initial Consumption: {this.format.format((this.initialMemory/(this.currentMemory-this.initialMemory))*100)}%"/>
        <mx:Label text="Windows Opened: {this.windowsOpened}"/>
    </mx:VBox>
</mx:Application>

*** FILE: LeakTest.mxml ***

<?xml version="1.0" encoding="utf-8"?>
<mx:TitleWindow xmlns:mx="http://www.adobe.com/2006/mxml" width="400" height="300">
    <mx:VBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
        <mx:ComboBox>
            <mx:Array>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
                <mx:Object label="1" data="1"/>
            </mx:Array>
        </mx:ComboBox>
    </mx:VBox>
</mx:TitleWindow>
[flexcoders] Inline MXML event handlers - weak reference?
Does anyone know if the event handlers you inject into MXML components are weak references? There is no way to remove the event handler, so I don't see how they couldn't be... but I am struggling with lots of memory leak issues right now and this could be the source. Thanks, Geoff