Specifications

CHAPTER 3
Flex supports working with the web application security of any J2EE application server. In addition, precompiled
Flex applications can integrate with the authentication and authorization scheme of any underlying server
technology to prevent users from accessing your applications. The Flex framework also includes several built-in
security mechanisms that let you control access to web services, HTTP services, and server-based resources such
as EJBs.
Flash Player runs inside a security sandbox that prevents the client from being hijacked by malicious application
code.
Note: SWF content running in Adobe® AIR™ follows different security rules than content running in the browser.
For details, see the "AIR Security" section in Developing AIR Applications with Adobe Flex 3.
Declarative compared to programmatic security
The two common approaches to security are declarative and programmatic. Often, declarative security is server
based. Using the server's configuration, you provide protection to a resource or set of resources. You use the
container's authentication and authorization schemes to protect that resource from unauthorized access.
The declarative approach to security casts a wide net. Declarative security is implemented as a separate layer from
the web components that it works with. You set up a security system, such as a set of file permissions or users,
groups, and roles, and then you plug your application's authentication mechanism into that layer.
With declarative security, either a user gains access to the resource or they do not. Usually the content cannot be
customized based on roles. In an HTML-based application, the result is that users are denied access to certain
pages. However, in a Flex environment, the typical result of declarative security is that the user is denied access to
the entire application, since the application is seen as a single resource to the container.
Declarative security lets web application developers write their code without regard to the security environment in which it will be deployed.
Declarative security is typically set up and maintained by the deployer and not the developer of the application.
Also, updates to the web application do not generally require a refactoring of the security model.
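The following web.xml fragment is an added illustration of the declarative approach described above; it is not taken from the Flex documentation, and the URL pattern (/app/*), the role name (employee) and the login page names are assumptions. It shows why the container treats a Flex application as a single resource: one security-constraint covers the wrapper page, the SWF and everything served under that path, and the container's login-config decides how users authenticate before any of it is delivered.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the Flex documentation). Servlet 2.4 deployment
     descriptor; the container, not the Flex code, enforces this constraint. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Flex application</web-resource-name>
      <!-- Assumed path. The HTML wrapper, the compiled SWF and any helper
           files under it are one protected resource to the container. -->
      <url-pattern>/app/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role name; only users in this role get the whole application. -->
      <role-name>employee</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The container authenticates the user with its own mechanism (here,
       form-based login) before serving anything matched above. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>employee</role-name>
  </security-role>

</web-app>
```

Note that the SWF itself contains no security logic in this model: a user who is not in the employee role never receives the application at all, which is the "all or nothing" outcome the text describes. Mapping the employee role to actual users or groups is done in the server's realm configuration by the deployer, not in the application.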
Programmatic security gives the developer of the application more control over access to the application and its
resources. Programmatic security can be much more detailed than declarative security. For example, a developer
using programmatic security can allow or deny a user access to a particular component inside the application.
Although programmatic security is typically configured by the developer of the application, it usually interacts
with the same systems as declarative security, so the relationship between developer and deployer of the application
must be cooperative when implementing programmatic security.
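The following MXML application is an added illustration of the programmatic approach, not code from the Flex documentation. It assumes a server endpoint (/app/whoami) that returns the authenticated user's roles as XML, and a role named admin; both are assumptions. The application asks the server for the roles and then decides which component to show, which is the per-component control the text describes. The server-side check still applies: hiding a component only changes the UI, so the EJB or service behind it must itself be protected (declaratively or programmatically) because a client can call it without going through the hidden component.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the Flex documentation). Flex 3 application that
     gates one component on a role returned by the server. -->
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"
    creationComplete="roleService.send()">

  <mx:Script>
    <![CDATA[
      import mx.rpc.events.ResultEvent;
      import mx.rpc.events.FaultEvent;

      // Assumed response shape from /app/whoami:
      //   <roles><role>employee</role><role>admin</role></roles>
      private function onRoles(event:ResultEvent):void {
          var isAdmin:Boolean = false;
          // resultFormat="e4x" below makes event.result an XML object.
          for each (var r:XML in XML(event.result).role) {
              if (r.toString() == "admin") {
                  isAdmin = true;
              }
          }
          showAdminPanel(isAdmin);
      }

      // Fail closed: if the role lookup fails, treat the user as unprivileged.
      private function onFault(event:FaultEvent):void {
          showAdminPanel(false);
      }

      private function showAdminPanel(allowed:Boolean):void {
          adminPanel.visible = allowed;
          adminPanel.includeInLayout = allowed;
      }
    ]]>
  </mx:Script>

  <!-- The container has already authenticated the user before the SWF was
       served; this call asks the server which roles that user holds. -->
  <mx:HTTPService id="roleService" url="/app/whoami" resultFormat="e4x"
      result="onRoles(event)" fault="onFault(event)"/>

  <mx:Panel title="Reports" width="400">
    <mx:Label text="Content available to every authenticated user."/>
  </mx:Panel>

  <!-- Hidden until the server confirms the admin role. The service this
       panel calls must enforce the same role on the server side. -->
  <mx:Panel id="adminPanel" title="Administration" width="400"
      visible="false" includeInLayout="false">
    <mx:Button label="Manage users"/>
  </mx:Panel>

</mx:Application>
```

The example starts with the privileged component hidden and reveals it only after a successful result, rather than starting visible and hiding it on failure, so a failed or slow role lookup never exposes the component by default.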