Building and Deploying Adobe Flex 3 Applications
Using secured services
Secured services are services that are protected by resource constraints. The service itself behaves as a resource
that needs authentication and the container defines its URL pattern as requiring authorization.
You might have a protected Flex application that calls a protected resource. In this case, with BASIC authentication
and a proxied destination, the user’s credentials are passed through to the service. The user only has to log on once
when they first start the Flex application, and not when the application attempts to access the service.
Without a proxy, the user is challenged to enter their credentials a second time when the application attempts to
access the service.
When you use secured services, keep the following in mind:
• If possible, use HTTPS for your services when you use authentication. In BASIC and custom authentication,
user names and passwords are sent in a base-64 encoding. Using base-64 encoding hides the data only from plain
view; HTTPS actually encrypts the data. You can use HTTPS in these cases by making sure HTTPS is set up on
your server and by adding a protocol attribute with the value https on the service, and by adding a
crossdomain.xml file.
• To ensure that the WebService and HTTPService endpoints are secure, use a browser window to access the
URL you are trying to secure. This should always bring up a BASIC authentication prompt.
• If the BASIC or custom login box appears but you can’t log in, make sure that the users and roles were added
correctly to your application server. This is often an error-prone task that is overlooked as the source of the
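The first two points above, as an added Python example that is not part of the original Adobe text: base-64 is reversible without any key, and an unauthenticated request to a secured service URL should be answered with a BASIC challenge. The host name, user name and password are constructed, and decode_basic and audit_endpoint are hypothetical helper names.

```python
import base64
from urllib.parse import urlsplit

def decode_basic(authorization):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a BASIC credential")
    decoded = base64.b64decode(token.strip()).decode("utf-8")
    user, _, password = decoded.partition(":")  # the password may itself contain ':'
    return user, password

def audit_endpoint(url, status, headers):
    """Return findings for a request sent to a service URL with no credentials.

    status and headers are what the server answered to that request.
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    challenge = hdrs.get("www-authenticate", "")
    if status != 401:
        findings.append("no-challenge: endpoint answered %d without asking for credentials" % status)
    elif not challenge.lower().startswith("basic"):
        findings.append("unexpected-scheme: challenge is %r, not BASIC" % challenge)
    if urlsplit(url).scheme.lower() != "https":
        findings.append("cleartext: credentials would cross the network base-64 encoded only")
    return findings

# Constructed sample data (hypothetical host, user and password).
CAPTURED_HEADER = "Basic " + base64.b64encode(b"flexuser:s3cret").decode("ascii")
SAMPLES = [
    ("https://services.example.test/ws/orders", 401, {"WWW-Authenticate": 'Basic realm="orders"'}),
    ("http://services.example.test/ws/orders", 401, {"WWW-Authenticate": 'Basic realm="orders"'}),
    ("https://services.example.test/ws/open", 200, {"Content-Type": "text/xml"}),
]

if __name__ == "__main__":
    print("decoded without any key:", decode_basic(CAPTURED_HEADER))
    for url, status, headers in SAMPLES:
        print(url, "->", audit_endpoint(url, status, headers) or "ok")
```
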
Making other connections
Flash Player can connect to servers, services, and load data from sources other than RPC services. Some of these
sources have security issues that you should consider.
Using RTMP
Flash Player uses the Real-Time Messaging Protocol (RTMP) for client-server communication. This is a TCP/IP
protocol designed for high-performance transmission of audio, video, and data messages. RTMP sends
unencrypted data, including authentication information (such as a name and a password).
Although RTMP in and of itself does not offer security features, Flash communications applications can perform
secure transactions and secure authentication through an SSL-enabled web server.

