Specifications

CHAPTER 3
44
</table>
<input type=submit>
</form>
The results are submitted to the container’s JAAS system with base-64 encoding, which means they can be read
by anyone who can view the TCP/IP traffic. Use encryption to prevent these so-called “man-in-the-middle”
attacks. In both BASIC and FORM authentication, if the user accessed the resource through SSL, the username
and password submission are encrypted, as is all traffic during that exchange.
After authentication is complete, the container populates the browser’s security context and grants or denies access to the
resource. Flash Player inherits the security context of the underlying browser. As a result, when you make a data
service call, the established credentials are used.
When a user fails an authentication attempt with invalid credentials, be sure not to return information about
which item was incorrect. Instead, use a generic message such as “Your login information was invalid.”
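The two points above (base-64 is readable by anyone on the wire, so credentials should only be accepted over SSL, and a failed login should not reveal which item was wrong) can be seen in a small container-style BASIC check. This is an added example, not code from the Flex documentation or from any Flex container; the request dictionary, the user store and the salt are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store (example only). Passwords are kept as salted
# SHA-256 digests so the example never holds a plaintext secret.
_SALT = b"constructed-salt"
USERS = {
    "alice": hashlib.sha256(_SALT + b"s3cret").hexdigest(),
}

GENERIC_FAILURE = "Your login information was invalid."
SSL_REQUIRED = "Authentication requires an SSL connection."


def basic_header(user, password):
    """Build the Authorization header value a browser sends for BASIC auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value.

    Base-64 is an encoding, not encryption: the same few lines recover the
    credentials from any captured request, which is why the transport itself
    must be SSL. Returns None for anything that is not a well-formed BASIC header.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(request):
    """Check a constructed request: {"secure": bool, "headers": {...}}.

    Returns (ok, message). The failure message is identical whether the user
    is unknown or the password is wrong, so the response does not tell a
    caller which item was incorrect.
    """
    # Do not even look at credentials unless the exchange is SSL-protected.
    if not request.get("secure"):
        return False, SSL_REQUIRED
    creds = parse_basic_header(request.get("headers", {}).get("Authorization", ""))
    if creds is None:
        return False, GENERIC_FAILURE
    user, password = creds
    expected = USERS.get(user)
    # Always compute the digest so an unknown user costs the same work as a
    # wrong password; compare_digest keeps the comparison constant-time.
    actual = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    if expected is None or not hmac.compare_digest(expected, actual):
        return False, GENERIC_FAILURE
    return True, "ok"
```

In a real servlet container the `secure` flag corresponds to the request arriving over SSL; the point of the example is that the container (or your login handler) should refuse cleartext credential submission outright rather than accept it and hope the network is trusted.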
Using RPC services
You can use the RPC services classes—RemoteObject, HTTPService, and WebService—not only to control access
to the data that goes into an MXML page, but also to control the data and actions that flow out of it. You can also
use service authentication to allow only certain users to perform certain actions. For example, if you have an
application that allows employee data to be modified through a RemoteObject call, use RemoteObject authentication
to make sure that only managers can change the employee data.
A service-based architecture makes it easy to implement several different security models for your Flex
application. You can use programmatic security to limit access to services, or you can apply declarative security
constraints to entire services.
When accessing RPC services with Flex tags such as the <mx:WebService> and <mx:HTTPService> tags, your
Flex application’s SWF file must connect to the service directly, which means that it can encounter security-based
limitations.
Destinations must be configured entirely in the Flex application; the component must communicate directly with
the RPC service.
In addition, you must set the use-proxy compiler option to false when you compile the application.
When use-proxy is false, one of the following must be true:
• The RPC service is in the same domain as the Flex application that calls it.
• The RPC service’s host system has a crossdomain.xml file that explicitly allows access from the Flex application’s
domain.
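Because a direct (non-proxied) connection is governed entirely by the host’s crossdomain.xml, it is worth being able to read one and see exactly which application domains it admits. The following checker is an added example, not part of the Flex documentation or the Flex SDK: the two policy files are constructed, and the domain matching uses `fnmatch` as a simplified stand-in for Flash Player’s own wildcard rules. It contrasts an open policy with the explicit per-domain grant the text calls for.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed crossdomain.xml files (example only, not from the Flex docs).
# The first admits every origin; the second names the application domains.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

EXPLICIT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com" secure="true"/>
  <allow-access-from domain="*.intranet.example.com"/>
</cross-domain-policy>
"""


def allowed_domains(policy_xml):
    """Return the (domain, secure) pairs granted by a crossdomain.xml.

    secure="false" is the only value that relaxes the default; any other value
    or a missing attribute is treated as secure (a simplification of the
    Flash Player rules, which also depend on how the policy itself was served).
    """
    root = ET.fromstring(policy_xml)
    grants = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        secure = el.get("secure", "true").lower() != "false"
        grants.append((domain, secure))
    return grants


def allows(policy_xml, app_domain):
    """True if a SWF served from app_domain may call this host directly."""
    for domain, _secure in allowed_domains(policy_xml):
        # "*" admits everyone; "*.x.com" style entries match by glob (assumption:
        # fnmatch approximates Flash Player's subdomain wildcard matching).
        if domain == "*" or fnmatchcase(app_domain, domain):
            return True
    return False


def audit(policy_xml):
    """List the grants a reviewer would question: wildcards and secure="false"."""
    findings = []
    for domain, secure in allowed_domains(policy_xml):
        if domain == "*":
            findings.append('any domain may call this host (domain="*")')
        elif "*" in domain:
            findings.append(f"subdomain wildcard grant: {domain}")
        if not secure:
            findings.append(f'{domain}: secure="false" lets http pages reach https data')
    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("explicit", EXPLICIT_POLICY)):
        print(name, allowed_domains(policy), audit(policy))
```

Running `audit` over a host’s real crossdomain.xml before setting use-proxy to false tells you whether the direct connection will work for your application’s domain and whether the policy admits more domains than intended.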