6 Replies Latest reply on Nov 26, 2009 6:38 AM by cdsvvxv

    Getting URL from address bar

    cdsvvxv Level 1

      I would like to get the URL from the address bar but I have come across a problem which would seem to be a security flaw. I am new to Flex but it seems to me that if I have the following:


      • A Flex app at domain1:8080
      • A domain2:8080 that pulls in the Flex app from domain1:8080 by deeplinking to it


      Then the Flex app believes that it is running from domain1:8080 and it does not seem possible to get the real URL under which it is running, i.e. domain2:8080. As far as I can tell domain2:8080 can also access my server side code even though I have a crossdomain.xml file that restricts access to only be available to domain1:8080. I assume that is because the Flex app is reporting that it is running from domain1:8080 when it is not. To get the URL from the address bar I have tried the following:


      This prints out: null

      var temp:IBrowserManager = BrowserManager.getInstance();
      temp.init(null,null);
      var myUrl:String = temp.url;


      This prints out: domain1:8080/movie.swf even when running from domain2:8080

      var applicationURL:String = mx.core.Application.application.url;


      Is there a way around this? It seems anyone can connect to the server as long as they deep link to the Flex app on another domain.


      My intended model is that the Flex app can run on any third party server as long as the domain it is running under is registered with my site. If the site running the Flex app does not have an account then the connection should be refused. However, as described above I can't reliably get the domain under which the Flex app is running and crossdomain.xml doesn't seem to work in the above scenario.

        • 1. Re: Getting URL from address bar
          paul.williams Level 4

          If your Flex application is served from domain1:8080 then it will have access to your domain1:8080 services. The cross-domain would only be required if the Flex application was served from domain2:8080 which does not appear to be the case.


          I'm not clear how accessing the url from the client will help you improve security. How are you achieving this deep-linking? With an iframe?

          • 2. Re: Getting URL from address bar
            cdsvvxv Level 1

            The scenario is that I have a domain:


            • domainservices:8080 that hosts the server side code;
            • I then have another domain1:8080 that contains the Flex app.


            domain1:8080 is allowed access to the domainservices:8080 through the crossdomain.xml file which contains the following:


            <allow-access-from domain="domain1" to-ports="8080"/>
            <allow-http-request-headers-from domain="domain1" headers="*"/>


            If I then set up another domain called domain2:8080 and in that domain have a HTML (index.html) file that contains the following (notice that the swf file is called from domain1:8080):


            This is in domain2:8080/index.html

            <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
                    id="main" width="100%" height="100%"
                    codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab">
                <param name="movie" value="http://domain1:8080/movie.swf" />
                <param name="quality" value="high" />
                <param name="bgcolor" value="#ffffff" />
                <param name="allowScriptAccess" value="sameDomain" />
                <param name="FlashVars" value="clientUserIdInDomain=fred" />
                <embed src="http://domain1:8080/movie.swf" quality="high" bgcolor="#ffffff"
                       width="100%" height="100%" name="main" align="middle"
                       play="true"
                       loop="false"
                       allowScriptAccess="sameDomain"
                       type="application/x-shockwave-flash"
                       pluginspage="http://www.adobe.com/go/getflashplayer"
                       FlashVars="clientUserIdInDomain=fred">
                </embed>
            </object>


            Then when I access domain2:8080/index.html the movie seems to think it is playing in domain1:8080 and not in domain2:8080. This means that someone in domain2:8080 can access data (read/write to the database in domainservices:8080) that is designed only to be seen by someone in domain1:8080 - simply by deeplinking to the movie in domain1:8080. Hopefully I am just missing something as I am very new to Flex development but I can't work out how to protect the data in domain1:8080 from prying eyes in domain2:8080. I don't have control over the security in domain1:8080 and therefore can't guarantee the implementation of any security on the server within that domain.


            I hope that makes sense.

            • 3. Re: Getting URL from address bar
              paul.williams Level 4

              Crossdomain security does not work the way you are expecting. The domain of your swf file is always domain1. Embedding it in a web-page at domain2 does not change this. The link below may be helpful:


              http://saravananrk.wordpress.com/2008/01/13/creating-more-secure-swf-web-applications/


              If you want to control access to your site you should use an authentication / authorisation mechanism.

              • 4. Re: Getting URL from address bar
                cdsvvxv Level 1

                Thank you very much for the confirmation that my tests had given me accurate information. I realise that what I am now about to ask is not a Flex question but a general design question but I thought I might run it past you if you have time, as I am unsure how to progress from here.


                My server side code is using the Central Authentication Server (CAS) from Jasig to authenticate. I am using Spring Security to interface with CAS and as such there is an authentication system already in place. However, the below is that which I am trying to achieve and I am now wondering if it is possible at all in a safe and secure way:


                • I have the domain domain-services.com which provides a service;
                • I would then like to give a Flex client to another web site that may already have many registered users - the site is domain-client-1.com;
                • When a user of domain-client-1.com uses the Flex client, I would like to generate an account for them on the fly at domain-services.com so that they don't have to leave domain-client-1.com and register with domain-services.com just so they can use the Flex client at domain-client-1.com.


                The problem is that I don't have any secure way of getting a unique reference to domain-client-1.com if the Flex client will always return the URL at which it is hosted, even if it is deep linked from another site. I have been trying to run scenarios around in my head for a few weeks while working on other things but can't come up with a solution to achieve this. I was hoping that the Flex client could simply read the URL from the address bar and then I could pass that to the server which would know if that domain is allowed access. This would only leave the security hole that someone could decompile the Flex client and recode it but that is unlikely to be a serious problem as the data is not really that important. However, it doesn't seem to be possible to get the URL where the Flex client is running (as opposed to where it is hosted) and so I can't do that.


                If you have any suggestions then they would be most welcome as otherwise my plans may need to be shelved.


                Thanks for you time so far.

                • 5. Re: Getting URL from address bar
                  paul.williams Level 4

                  You should be able to use BrowserManager if you set up your html page correctly. FlexBuilder will generate the necessary files in your html-template directory when you "enable integration with browser navigation" on the Flex Compiler page. Otherwise you should be able to use ExternalInterface to read the url using JavaScript (that's how BrowserManager does it).

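                  For the ExternalInterface route described in reply 5, the following is an added example (not code from this thread or from the Flex SDK) of a minimal document class that reads the embedding page's location and handles the sandbox refusal that the allowScriptAccess="sameDomain" embed in reply 2 produces when the SWF (domain1) and the page (domain2) differ. The class and method names (HostPageUrlProbe, hostPageUrl) are assumptions.

```actionscript
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface;

    // Hypothetical document class: compares where the SWF is served from
    // (loaderInfo.url) with where the page that embeds it lives, read the
    // way BrowserManager does it, through ExternalInterface.
    public class HostPageUrlProbe extends Sprite {
        public function HostPageUrlProbe() {
            // Origin of the SWF itself: domain1 in the thread's setup.
            trace("loaderInfo.url : " + loaderInfo.url);
            // Origin of the embedding page: domain2, or null if not readable.
            trace("host page url  : " + hostPageUrl());
        }

        // Returns the embedding page's location, or null when there is no
        // browser container or the browser refuses to let this SWF script it.
        public static function hostPageUrl():String {
            // Standalone player / no JavaScript bridge: nothing to read.
            if (!ExternalInterface.available) {
                return null;
            }
            try {
                // Evaluates window.location.href in the host page's JavaScript.
                return ExternalInterface.call("window.location.href.toString");
            } catch (e:SecurityError) {
                // Thrown when the page embeds the SWF with
                // allowScriptAccess="sameDomain" (as in index.html above) and
                // the SWF's origin differs from the page's origin. The page
                // owner must opt in with allowScriptAccess="always".
                return null;
            }
            return null;
        }
    }
}
```

                  Whatever this returns is supplied by the browser and the page that chose to embed the SWF, so the server can use it to pick which registered site a request claims to come from, but not to prove it; the authentication mechanism mentioned in reply 3 still has to do that.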
                  • 6. Re: Getting URL from address bar
                    cdsvvxv Level 1

                    Many thanks Paul, that is much appreciated.