2 Replies Latest reply: Apr 29, 2010 4:27 AM by vepor

    How to protect AMF gateway

    vepor Community Member

      Hi there!

       

      After several hours of trying to understand AMF, I finally completed a working app, which runs on Google App Engine.

      There is, however, one thing which I don't understand:

       

      How to protect the AMF gateway from being misused?

       

      I have solved the problem partially using a crossdomain.xml file. Now only SWFs placed on allowed domains can access the gateway. The problem is that I can still access the gateway from a SWF which is running standalone on my local machine.

       

      Is there a standard solution?

       

      Thanks

       

        • 1. Re: How to protect AMF gateway
          Michael Borbor Community Member

          Create an authentication method in order to protect the access to the gateway.

          • 2. Re: How to protect AMF gateway
            vepor Community Member

            Yes, there is an authentication method:

             

            PyAMF has a method which evaluates the credentials sent in the HTTP headers. The credentials, however, are exposed to the public in the SWF when the login and password are passed to the NetConnection.addHeader() method.

             

            After some testing, I found out that the approach with the crossdomain.xml policy file actually prevents access to the gateway, even from SWFs run locally, with one exception: the SWF which I have compiled under the same Windows account from which I have deployed the GAE app still has access to the gateway when run standalone. When I run the SWF on other accounts on the same computer, I get a SecurityErrorEvent as expected. The same happens when I try it under the same account on a different computer on the network. The SWF on the development account is apparently in the same security sandbox as the app running on appspot. How is this possible? Does it have something to do with the attributes of the file?
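
An added example, not code from this thread or from PyAMF: because crossdomain.xml is enforced by Flash Player on the client rather than by the gateway, the server has to authenticate each caller itself, and it can do so without any login or password compiled into the SWF. The Python below checks per-user credentials typed in at runtime and then hands the client a short-lived signed token to send on later calls. It assumes the gateway's authenticator is a callable taking `(username, password)`; `USERS`, `SERVER_KEY`, `login`, `issue_token` and `verify_token` are hypothetical names, and the user record is constructed sample data.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # server-side secret; never shipped inside the SWF
TOKEN_TTL = 900               # seconds a token stays valid

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: username -> (salt, PBKDF2 hash).
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_password("correct horse", _salt))}

def authenticate(username, password):
    """Authenticator-shaped callback (assumed signature): per-user check."""
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    return hmac.compare_digest(hash_password(password or "", salt), stored)

def _mac(msg):
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()

def issue_token(username, now=None):
    """Build 'user:expiry:mac' for a user who has just authenticated."""
    expiry = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{username}:{expiry}:{_mac(f'{username}:{expiry}')}"

def verify_token(token, now=None):
    """Return the username for a valid, unexpired token, else None."""
    try:
        username, expiry, mac = token.rsplit(":", 2)
        expiry_int = int(expiry)
    except (AttributeError, ValueError):
        return None
    expected = _mac(f"{username}:{expiry}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    now = time.time() if now is None else now
    return username if now < expiry_int else None

def login(username, password, now=None):
    """Exchange runtime-entered credentials for a token, or None on failure."""
    return issue_token(username, now) if authenticate(username, password) else None
```

Anything extracted from the SWF or captured on the wire is then at most one user's expiring token, so the gateway should also be served over HTTPS.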