I've been tinkering with the services-config.xml file in the
wwwroot/WEB-INF/flex/ directory, specifically the method-access-level
switch. The thing is, it doesn't seem to do anything (yes, I did restart
the CF server). Whether it is set to public or remote, any Flex app can
access both public and remote functions (while older Flash apps can access
only remote functions). This is true even if the Flex app is loaded from
the local hard drive.
What I'm trying to do is to prevent Flex apps from accessing public
functions. It doesn't make sense to me that you can't create server-side
only CFCs. ie. utility components meant only for other CFCs to use. These
utility CFCs need to have their functions marked public, but as soon as you
do that, any Flex app can then access them remotely? Am I missing
something?
On 12/14/06, phillips1021 [EMAIL PROTECTED] wrote:
Kevin Schmidt posted this in response to a blog entry on Ray Camden's
blog:
you only need to set access=remote if you are using flex with web
services. If you are usimg AMF (Flash Remoting) you don't need to set
access=remote.
See:
http://ray.camdenfamily.com/index.cfm/2006/11/24/Next-build-of-my-Flex-2ColdFusion-Security-Homework#more
and check the comments
It makes sense since both the Flex app and the CFC are on the same
host, just like the CFM file and the CFC are on the same host.
