5 Replies Latest reply on Jul 20, 2006 11:00 PM by mmacrom

    webserviceconnector soap header? when triggered?

    mmacrom
      Is there a (unique/flash) soap header send when I call a webservice though the webserviceconnector?
      I have a .net webservice and want to know if the call is made from the flash (swf) file? So does
      flash send some extra data when .trigger(); the webserviceconnector? (apart from added parameters).

      Thanks.
      Rick




        • 1. Re: webserviceconnector soap header? when triggered?
          blemmo Level 1
          I don't know if there are special headers, maybe someone else can tell. Just a thought: you could add the _url variable of the Flash movie to the transmitted parameters, and check in the webservice if it's present and ends on ".swf". Or maybe just use a custom parameter, like 'isFlash', that's only set by your Flash movies.

          hth,
          blemmo
          • 2. webserviceconnector soap header? when triggered?
            mmacrom Level 1
            thanks blemmo, that is a option, but with a simple decompiler you can see which parameters are added and given to the webservice. If flash sends out forexample a soap header that's isn't set in the actionscript but can be requested by the called webservice it is more 'hackers' proof. Just have to know that the call is from flash, without setting parameters manually.
            • 3. Re: webserviceconnector soap header? when triggered?
              blemmo Level 1
              Hm, I think it's hard to secure this kind of communication. The soap-headers are plain text, so it's really no big deal to intercept them and see what's inside. This won't get you more security than variables... If you really need to secure the use of your services maybe passwords could be an option. If you have a special password for the Flash files you also have your Flash identifier.
              Maybe it could work with the _url variable if it would change for every usage. When the server can generate a custom url for every hit, the _url would reflect that and may be checked serverside if it matches the server-generated url. Sounds a bit complicated though... I never had to deal with security, so this is just off the top of my head.

              greets,
              blemmo
              • 4. Re: webserviceconnector soap header? when triggered?
                mmacrom Level 1
                thanks. I think it is never 100% secure, because a .swf can be decompiled and is running client side. I have to make a combination of checks so it will be a time consuming operation to hack. I am conna obfuscate the code, encrypt(so far it is possible) it and do some other http checks. Like session time outs etc...
                • 5. Re: webserviceconnector soap header? when triggered?
                  mmacrom Level 1
                  thanks. I think it is never 100% secure, because a .swf can be decompiled and is running client side. I have to make a combination of checks so it will be a time consuming operation to hack. I am conna obfuscate the code, encrypt(so far it is possible) it and do some other http checks. Like session time outs etc...