[flexcoders] Re: WSDL Security?

2006-10-16 Thread Jamie O
That does help Tom, just a potentially naive series of questions in
follow-up... How does using the proxy FDS service NOT secure the resource?

If a rogue .swf does not know the address to connect to, how can it
access the channel?

Additionally, with a crossdomain.xml policy file in place on the
server (only allowing our set of domains to access) there would be a
higher level of security. Even if someone does determine the complete
WSDL address they are unable to access it via .swf.

The current systems accessing the WSDL are all server-side language
meaning that the WSDL is 'safe'. Just looking to provide the
equivalent level of security from Flex/Flash.

Jamie
--- In flexcoders@yahoogroups.com, "Tom Ruggles" <[EMAIL PROTECTED]> wrote:
>
> Hi Jamie,
> 
> You do have the steps right for deployment.  As for securing the 
> resource the options available would be to either:
> 
> - add security constraints to the destination.  This would require 
> you to either have users log in or hardcode credentials in the app 
> (which is obviously no help in case of decompiling).
> - add J2EE web app security to your web app to secure the entire 
> thing or any HTTP/AMF channels that are allowed to access the 
> destination
> 
> Unfortunately there is no mechanism to automatically detect friendly 
> vs. rogue swfs.  But needing to know the channel and destination 
> name is a slight deterrent.
> 
> HTH,
> Tom
> 
> --- In flexcoders@yahoogroups.com, "Jamie O" wrote:
> >
> > Hello,
> > 
> > I 'believe' what I describe below is accurate, just looking for
> > confirmation. We have a production WSDL that is called by a number of
> > other non-Flash/Flex apps. We would like to access it via Flex, but
> > not make the WSDL url visible in code - thereby susceptible to
> > decompiled .swf access and non-company uses.
> > 
> > In order to ensure this is the case, I believe we must do the following:
> > 1) Install Flex Data Services and create a named proxy service
> > destination with the wsdl url.
> > 2) Use destination="wsdlDestination" and useProxy="true" in HTTPService
> > 
> > Is there an inherent control within FDS that prevents .swf from other
> > (malicious) sites from using our proxy? I guess conceptually because
> > it isn't served from there it would never know the connection to refer
> > back to other than the destination name which is not a fully qualified
> > URL. Wondering if we would also need a crossdomain.xml file to inhibit
> > non-company .swf from accessing?
> > 
> > Thx,
> > Jamie
> >
>





--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com 
Yahoo! Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/flexcoders/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/flexcoders/join
(Yahoo! ID required)

<*> To change settings via email:
mailto:[EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]

<*> To unsubscribe from this group, send an email to:
[EMAIL PROTECTED]

<*> Your use of Yahoo! Groups is subject to:
http://docs.yahoo.com/info/terms/
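
An added example, not part of the original thread: a small Python check of a crossdomain.xml policy like the one discussed in the message above, comparing its entries against a list of company domains. The policy file is read and enforced by Flash Player, so it governs which sites' SWFs may read responses; the sample policies, the `audit_policy` helper and the example.com names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not from the thread); domain names are placeholders.
RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="apps.example.com" secure="true"/>
  <allow-access-from domain="intranet.example.com" secure="true"/>
</cross-domain-policy>"""

PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="partner.example.net"/>
</cross-domain-policy>"""


def audit_policy(xml_text, company_domains):
    """Return (domain, problem) findings for a crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("", "root element is not cross-domain-policy")]
    findings = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "").strip().lower()
        if domain == "*":
            findings.append((domain, "any site's SWF may read responses"))
            continue
        if domain.startswith("*."):
            findings.append((domain, "wildcard covers every subdomain"))
        # Compare the non-wildcard part against the allowed company domains.
        base = domain[2:] if domain.startswith("*.") else domain
        if not any(base == d or base.endswith("." + d) for d in company_domains):
            findings.append((domain, "domain is outside the company list"))
        # secure defaults to true; false lets HTTP-served SWFs read HTTPS content.
        if entry.get("secure", "true").lower() == "false":
            findings.append((domain, "HTTP-served SWFs may read HTTPS content"))
    return findings


if __name__ == "__main__":
    for name, policy in (("restricted", RESTRICTED), ("permissive", PERMISSIVE)):
        print(name)
        for domain, problem in audit_policy(policy, ["example.com"]):
            print(f"  {domain}: {problem}")
```
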
 




[flexcoders] Re: WSDL Security?

2006-10-13 Thread Tom Ruggles
Hi Jamie,

You do have the steps right for deployment.  As for securing the 
resource the options available would be to either:

- add security constraints to the destination.  This would require 
you to either have users log in or hardcode credentials in the app 
(which is obviously no help in case of decompiling).
- add J2EE web app security to your web app to secure the entire 
thing or any HTTP/AMF channels that are allowed to access the 
destination

Unfortunately there is no mechanism to automatically detect friendly 
vs. rogue swfs.  But needing to know the channel and destination 
name is a slight deterrent.

HTH,
Tom

--- In flexcoders@yahoogroups.com, "Jamie O" <[EMAIL PROTECTED]> wrote:
>
> Hello,
> 
> I 'believe' what I describe below is accurate, just looking for
> confirmation. We have a production WSDL that is called by a number of
> other non-Flash/Flex apps. We would like to access it via Flex, but
> not make the WSDL url visible in code - thereby susceptible to
> decompiled .swf access and non-company uses.
> 
> In order to ensure this is the case, I believe we must do the following:
> 1) Install Flex Data Services and create a named proxy service
> destination with the wsdl url.
> 2) Use destination="wsdlDestination" and useProxy="true" in HTTPService
> 
> Is there an inherent control within FDS that prevents .swf from other
> (malicious) sites from using our proxy? I guess conceptually because
> it isn't served from there it would never know the connection to refer
> back to other than the destination name which is not a fully qualified
> URL. Wondering if we would also need a crossdomain.xml file to inhibit
> non-company .swf from accessing?
> 
> Thx,
> Jamie
>




