Flash Remoting for .NET Security
Whidbey - 18 Feb 2004 16:13 GMT
Hi,

How can I limit flash gateway to access only the classes that I specify and deny the requests for other classes or pages?

Thanks in advance
Chafic Kazoun - 20 Feb 2004 05:52 GMT
I'm assuming you are connecting to assemblies.  With the .net remoting service
any public method by default that is using the flash remoting classes will be
available via remoting.  The only way to limit that is to make your method
private or build a gatekeeper.

Building a gatekeeper is a good idea.  The way it would work is the gatekeeper
would have a definition of what method calls are allowed and all requests from
the flash client would be intercepted by the gatekeeper to make sure the call
is allowed.  You can even go further and develop some authentication process
where a session id is passed in the header of every remoting call and
accordingly limit calls.  To build a gatekeeper you would build an HTTPModule
and would use the MM remoting classes to inspect incoming AMF (remoting) calls.

HTH

Chafic
----
http://www.blinex.com
blog: http://www.rewindlife.com
Whidbey - 20 Feb 2004 13:10 GMT
Of course I've thought about building my own HttpModule to limit access to the
classes that I want, but I don't know how to build a gateway controller like
the one in the FlashGateway.dll; none of the methods in the GatewayController
class are virtual to extend. Please help me with how to do that.

P.S.: Can I edit the IL code in the FlashGateway.dll? (I mean, does Macromedia
allow this?)
Chafic Kazoun - 23 Feb 2004 06:11 GMT
What you would need is to build your own HttpModule that monitors all traffic
coming through.  It would co-exist with Macromedia's remoting connector and not
be a sub-class of Macromedia's components.  It seems you are pretty
knowledgeable in C# so I won't bore you with the details on how to implement
your own HttpModule (MSDN docs do a better job than I could anyways).  One of
the benefits of the .Net remoting components Macromedia provides is it allows
you to inspect AMF data.  Macromedia has not documented a lot of these methods
because their original intent was not to inspect AMF data manually but to do it
all automatically for the user.  So by building our own HttpModule and making
use of Macromedia's remoting classes, we could inspect that data easily.

In your HttpModule's BeginRequest event handler (the event of HttpApplication
instance passed to the Init() method), you would take the input stream of the
HttpApplication and create an instance of the FlashGateway.Action.ActionMessage
datatype

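<example>
// app is the HttpApplication instance whose BeginRequest event is being handled.
ActionMessage requestMessage = new ActionMessage();
long length = app.Context.Request.InputStream.Length;
// Wrap the request body so the deserializer can read the raw AMF bytes.
BufferedStream bufferedStream = new BufferedStream(app.Context.Request.InputStream, (int)length);
MessageDeserializer deserializer = new MessageDeserializer(bufferedStream);
// Parse the AMF envelope into an ActionMessage for inspection.
requestMessage = deserializer.readMessage();
</example>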

Then it is up to you how you verify that the call is to be accepted or
rejected.  A simple example would take the ActionMessage and check for a
certain unique identifier returned by the GetHeader() method.  If the unique
identifier is valid then it would allow the call to occur by setting the
HttpApplication.Context.Request.InputStream.Position = 0.  I would recommend
you look through the different classes available and what their capabilities
are.  Most of them are self explanatory.

HTH

Thanks

Chafic
----
http://www.blinex.com
blog: http://www.rewindlife.com
Team Macromedia Volunteer: http://www.macromedia.com/go/teammacromedia
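
The gatekeeper discussed in this thread, sketched as an added example that is not part of the original posts and is not Macromedia's code: an HttpModule that rejects any remoting request whose call targets are not on an allow-list, and fails closed on anything it cannot parse. It reads the AMF0 envelope directly instead of using the undocumented FlashGateway classes; the gateway path, the module name and the allow-list entries are assumptions to replace with your own.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Web;

public class AmfGatekeeperModule : IHttpModule
{
    // Assumed values: your gateway page and the only targets clients may call.
    const string GatewayPath = "/gateway.aspx";
    static readonly HashSet<string> Allowed = new HashSet<string>
        { "MyApp.Catalog.GetItems", "MyApp.Catalog.GetItem" };
    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }
    void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        // FilePath excludes trailing path info, so /gateway.aspx/x is still checked.
        if (!req.FilePath.EndsWith(GatewayPath, StringComparison.OrdinalIgnoreCase)) return;
        bool ok;
        try { ok = req.HttpMethod == "POST" && AllTargetsAllowed(new BinaryReader(req.InputStream)); }
        catch (Exception) { ok = false; }      // malformed envelope: fail closed
        req.InputStream.Position = 0;          // rewind so the gateway can read the body
        if (!ok) { app.Context.Response.StatusCode = 403; app.CompleteRequest(); }
    }
    // AMF0 envelope: version, headers, then bodies that each start with a target URI.
    static bool AllTargetsAllowed(BinaryReader r)
    {
        U16(r);                                                              // version
        for (int h = U16(r); h > 0; h--) { Utf(r); r.ReadByte(); Skip(r); }  // headers
        int bodies = U16(r);
        for (int i = 0; i < bodies; i++)
        {
            string target = Utf(r);            // e.g. "MyApp.Catalog.GetItems"
            Utf(r); Skip(r);                   // response URI, then the arguments
            if (!Allowed.Contains(target)) return false;
        }
        return bodies > 0 && r.BaseStream.Position == r.BaseStream.Length;
    }
    static int U16(BinaryReader r) { return (r.ReadByte() << 8) | r.ReadByte(); }
    static string Utf(BinaryReader r) { return Encoding.UTF8.GetString(r.ReadBytes(U16(r))); }
    static void Skip(BinaryReader r)           // skip a value by its 32-bit length prefix
    {
        long n = ((long)U16(r) << 16) | (uint)U16(r);  // 0xFFFFFFFF (unknown) fails below
        if (n > r.BaseStream.Length - r.BaseStream.Position) throw new InvalidDataException();
        r.BaseStream.Position += n;
    }
}
```

The check is only as strong as the agreement between this parser and the gateway's own, so test it against your clients' real traffic before relying on it. The BinaryReader is left undisposed on purpose, because disposing it would close the request stream the gateway still needs.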