15 Replies Latest reply on Jul 27, 2010 5:17 PM by trubel

    web services basic authentication difficult

    RagleGumm
      I would like to know if anybody else is having difficulty accessing web services protected by web server basic authentication? It seems like this should be as easy as adding a username and password parameter to the <mx:webservice> tag. Any chance this could be implemented by the time flex builder 2.0 is released? I think this would make web services more useful and secure (at least secure at a basic level).

      I know it can be hacked some way with config files, but this is not as easy as just asking for parameters (that you can put variables into).

      Thanks
        • 1. Re: web services basic authentication difficult
          RagleGumm Level 1
          Also, this should all work over SSL as well.
          • 2. Re: web services basic authentication difficult
            JRackliffe
            I have not been able to get past basic authentication as well. If I use setCredentials on the webService object I get an "Authentication not supported on DirectHTTPChannel" error. And remoteCredentials gives the classic HTTP error. I wasn't sure if doing a preauthentication to the service Url using another HTTP connection would function.

            Another addition to the overall enhancement would be some sort of impersonation structure within Flash that would avoid prompting for credentials the asset already has a token for [specifically Win32 in an AD environment, but maybe PAM in Linux?].

            A functioning model for basic would definitely be the high priority item though. Especially prior to production.
            • 3. Re: web services basic authentication difficult
              is2
              I also would like to know how everyone is handling this. Handling webservices properly is becoming absolutely necessary.

              • 4. Re: web services basic authentication difficult
                JRackliffe Level 1
                Is there someone from Adobe that could comment on best practices for basic authentication in Flex2? Maybe it seems overly obvious that this should have some documentation specifically outlining how to make this happen in the production release, but I can't seem to scrape it together. Even if it was a look at page 32 kind of duh response.

                I completely agree with the originator that authentication tags should be built into the core WebService class to ease this. Even if it starts with Basic that would be enough to get me off the ground.

                Justin
                • 6. Re: web services basic authentication difficult
                  RagleGumm Level 1
                  Thank you, Adobe, for acknowledging this thread!

                  I believe most developers (including at Adobe) would agree that this is a sub-standard solution and the basic auth credentials should be passed via the web services tag. This way, there can be interaction with the application, such as passing in the user's username and password, etc.

                  That's my 2 cents; I'll allow others to sound off.

                  Thanks.
                  • 7. Re: web services basic authentication difficult
                    JRackliffe Level 1
                    I have to agree with Ragle that the implementation seems overly challenging for what seems like such a basic need, not to mention I haven't been able to make it work. Also, maybe I am just missing the boat with the documented solutions [new to Flex I will admit], but they seem to showcase server side and proxy solutions. Since many of our initial use cases for Flex integration are SWF clients connecting to 3rd party secured web services these don't seem to be the right path. I would like to make the client code as portable as possible and since 2.0 doesn't require presentation server I figured I could integrate that all into a single SWF solution.

                    Feeling sort of dense in that every other framework/IDE I have used to connect to web services [.NET,Axis,WebSphere] seem to be able to iterate a provided WSDL in the IDE [maybe v2.1 of Builder?], but also had very simple methods for integrating standard security models into the application layer so I guess I wonder what I am missing in Flex 2?

                    J
                    • 8. Re: web services basic authentication difficult
                      JRackliffe Level 1
                      Another item that may help me at least get past init of the SWF would be loading a static copy of the WSDL into the project and being able to base the WebService off of that?

                      Thus far I have only seen where the WSDL is referenced from the web service, which is best case, but security is getting in the way of that. Can you reference the WSDL def from a file source within the project?

                      J
                      • 9. Re: web services basic authentication difficult
                        RagleGumm Level 1
                        One question I do have regarding embedding the username and password / wsdl file into the swf... can the swf be reverse engineered using an actionscript viewer, thus exposing the username and password? Perhaps this is why they have not incorporated it up to this point? This feature is completely necessary, but I would like it secure too. Can anybody at Adobe comment?
                        • 10. Re: web services basic authentication difficult
                          JRackliffe Level 1
                          I would assume that if the username/password were statically stored in the mxml file someone who wanted to take a swing at decompiling could tear them out. I don't know if AS3/Flash is interpreted like Java/IL, but both of those would have the same attack vector.

                          Since Basic is a plain text transport I wouldn't use it anyways in an untrusted zone since a snooper could just yank it from the ether and that would be the case if the user is prompted or it was compiled. You would need a far better authentication/authorization model based around kerberos, digest or roll your own encryption standards for it to be a "secure" form.

                          If someone was able to grab my WSDL from the SWF I wouldn't be too concerned as they may see the method definitions, but the method and site security would still keep the door closed.

                          J
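
Added example (not part of the original thread and not any poster's code): the point in reply 10 that Basic is a plain-text transport, written as a check. Basic credentials are only base64-encoded (RFC 7617), so this sketch decodes them and flags requests that carry them over plain HTTP; the host names, account and request list are constructed.

```python
import base64
from urllib.parse import urlsplit

def basic_header(user: str, password: str) -> str:
    """Build the Authorization value for HTTP Basic: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic(value: str):
    """Return (user, password) from a Basic header value, or None if not Basic or malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # Only the first colon separates the fields; the password may contain colons.
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def audit(requests):
    """Flag requests whose Basic credentials cross the network without TLS."""
    findings = []
    for url, headers in requests:
        # Header names are case-insensitive.
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        creds = decode_basic(auth) if auth else None
        if creds and urlsplit(url).scheme.lower() != "https":
            findings.append((url, creds[0]))  # report the account only, never the password
    return findings

# Constructed sample requests (hypothetical hosts and account).
SAMPLE = [
    ("http://ws.example.test/orders?wsdl", {"Authorization": basic_header("svc_flex", "s3cret:pw")}),
    ("https://ws.example.test/orders", {"authorization": basic_header("svc_flex", "s3cret:pw")}),
    ("http://ws.example.test/public", {"Authorization": "Bearer abc"}),
    ("http://ws.example.test/bad", {"Authorization": "Basic !!!notbase64"}),
]

if __name__ == "__main__":
    for url, user in audit(SAMPLE):
        print(f"Basic credentials for {user!r} sent without TLS: {url}")
```
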
                          • 11. Re: web services basic authentication difficult
                            RagleGumm Level 1
                            I have used SSL with the web services tag successfully, so that would probably help with the sniffing attack. I'm not wild about the whole decompiling thing in general, I wish they would come up with a way to encrypt / hash / scramble the swf so it cannot be reverse engineered. Saying that... Flex is still pretty damn awesome and I don't think I'll give it up soon. I just don't want to see Adobe go the same way as Microsoft did with XP, letting security lack whilst adding features.

                            Cookies do work with web services in Flex (as long as it's run in a browser), so that is another option to verify identity (and probably the path I'll end up taking).
                            • 12. Re: web services basic authentication difficult
                              JRackliffe Level 1
                              SSL will definitely keep folks out of your business.

                              Yeah to do some sort of hash I would guess there would have to be some key management system so you could encrypt the actual SWF while some sort of delegation service would get a private key at runtime based on some authorization model. Any sort of interpreted language and even compiled ones usually end up as "analog" at some point so making it harder to exploit is always a step in the right direction.

                              I agree that the unified and rich framework that Flex provides is hard to give up. I just hope that our constant nagging will help Adobe to see some low hanging fruit that they could grab and maybe make client authentication a far easier thing to do. ;-)

                              J
                              • 13. Re: web services basic authentication difficult
                                JRackliffe Level 1
                                Well it looks like this thread is in its death throes.

                                Can anybody from Adobe give some clarification to the livedocs on basic authentication?

                                I would like a standalone Flex 2.0 SWF to be able to use a set of 3rd party webservices protected by basic authentication. Is it possible? If yes, could someone put a simple step-by-step example up? I just can't see any way to do this from the livedocs entry.

                                It just doesn't seem like it should be this hard.

                                Justin
                                • 14. Re: web services basic authentication difficult
                                  NewGUI2
                                  I can't believe how difficult this is.

                                  I have tried everything that I have found on the internet and nothing works...
                                  I just need a flex app to access a web service over SSL and pass in the uid and pwd.
                                  Does anyone have a solution for this? The link that Adobe posted here was useless.
                                  • 15. Re: web services basic authentication difficult
                                    trubel Level 1

                                    This does not address the issue of basic authentication when calling a web service.

                                     

                                    If the site is not controlled by me, but I have access to the web service and I want to make use of the service. How do I pass my credentials? This should be in the WebService tag in FLEX.