If your Flex application is served from domain1:8080 then it will have access to your domain1:8080 services. The cross-domain would only be required if the Flex application was served from domain2:8080 which does not appear to be the case.
I'm not clear how accessing the url from the client will help you improve security. How are you achieving this deep-linking? With an iframe?
The scenario is that I have a domain:
- domainservices:8080 that hosts the server side code;
- I then have another domain1:8080 that contains the Flex app.
domain1:8080 is allowed access to the domainservices:8080 through the crossdomain.xml file which contains the following:
<allow-access-from domain="domain1" to-ports="8080"/>
<allow-http-request-headers-from domain="domain1" headers="*"/>
If I then set up another domain called domain2:8080 and in that domain have an HTML (index.html) file that contains the following (notice that the swf file is called from domain1:8080):
This is in domain2:8080/index.html:

<object id="main" width="100%" height="100%">
  <param name="movie" value="http://domain1:8080/movie.swf" />
  <param name="quality" value="high" />
  <param name="bgcolor" value="#ffffff" />
  <param name="allowScriptAccess" value="sameDomain" />
  <param name="FlashVars" value="clientUserIdInDomain=fred" />
  <embed src="http://domain1:8080/movie.swf" quality="high" bgcolor="#ffffff"
         width="100%" height="100%" name="main" align="middle" />
</object>
Then when I access domain2:8080/index.html the movie seems to think it is playing in domain1:8080 and not in domain2:8080. This means that someone in domain2:8080 can access data (read/write to the database in domainservices:8080) that is designed only to be seen by someone in domain1:8080 - simply by deep linking to the movie in domain1:8080. Hopefully I am just missing something as I am very new to Flex development but I can't work out how to protect the data in domain1:8080 from prying eyes in domain2:8080. I don't have control over the security in domain1:8080 and therefore can't guarantee the implementation of any security on the server within that domain.
I hope that makes sense.
Crossdomain security does not work the way you are expecting. The domain of your swf file is always domain1. Embedding it in a web-page at domain2 does not change this. The link below may be helpful:
If you want to control access to your site you should use an authentication / authorisation mechanism.
Thank you very much for the confirmation that my tests had given me accurate information. I realise that what I am now about to ask is not a Flex question but a general design question, but I thought I might run it past you if you have time, as I am unsure how to progress from here.
My server side code is using the Central Authentication Server (CAS) from Jasig to authenticate. I am using Spring Security to interface with CAS and as such there is an authentication system already in place. However, the below is what I am trying to achieve and I am now wondering if it is possible at all in a safe and secure way:
- I have the domain domain-services.com which provides a service;
- I would then like to give a Flex client to another web site that may already have many registered users - the site is domain-client-1.com;
- When a user of domain-client-1.com uses the Flex client, I would like to generate an account for them on the fly at domain-services.com so that they don't have to leave domain-client-1.com and register with domain-services.com just so they can use the Flex client at domain-client-1.com.
The problem is that I don't have any secure way of getting a unique reference to domain-client-1.com if the Flex client will always return the URL at which it is hosted, even if it is deep linked from another site. I have been trying to run scenarios around in my head for a few weeks while working on other things but can't come up with a solution to achieve this. I was hoping that the Flex client could simply read the URL from the address bar and then I could pass that to the server, which would know if that domain is allowed access. This would only leave the security hole that someone could decompile the Flex client and recode it, but that is unlikely to be a serious problem as the data is not really that important. However, it doesn't seem to be possible to get the URL where the Flex client is running (as opposed to where it is hosted) and so I can't do that.
If you have any suggestions then they would be most welcome as otherwise my plans may need to be shelved.
Thanks for your time so far.
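As an added example (not code from this thread), one way to get a trustworthy reference to the hosting site without relying on the SWF's origin: domain-client-1.com's own server signs the user id and its partner name with a secret shared with domain-services.com and passes the result in FlashVars (in place of the bare clientUserIdInDomain=fred above), and domain-services.com verifies the HMAC before creating the on-the-fly account. Python stands in for the Spring/CAS server here; the partner names, secrets and token layout are constructed for the example.

```python
import hashlib
import hmac

# Constructed registry: one shared secret per partner site allowed to embed
# the Flex client. This lives on domain-services.com, never inside the SWF.
PARTNER_SECRETS = {
    "domain-client-1.com": b"constructed-secret-for-client-1",
    "domain-client-2.com": b"constructed-secret-for-client-2",
}
MAX_TOKEN_AGE = 300  # seconds a signed token stays acceptable


def _mac(secret, partner, user, issued_at):
    # HMAC over partner|user|timestamp, so no field can be swapped in isolation.
    msg = f"{partner}|{user}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def partner_sign(partner, user, issued_at, secret):
    """Run by the partner's server when it renders index.html.
    The returned string goes into FlashVars; the SWF only forwards it."""
    return f"{partner}|{user}|{issued_at}|{_mac(secret, partner, user, issued_at)}"


def verify_token(token, now, secrets=PARTNER_SECRETS, max_age=MAX_TOKEN_AGE):
    """Run by domain-services.com before provisioning an account.
    Returns (partner, user) on success, None on any failure."""
    parts = token.split("|")
    if len(parts) != 4:          # also rejects user ids containing '|'
        return None
    partner, user, issued_at, mac = parts
    secret = secrets.get(partner)
    if secret is None:           # unknown partner: not on the allow list
        return None
    try:
        ts = int(issued_at)
    except ValueError:
        return None
    if not 0 <= now - ts <= max_age:  # stale or future-dated token
        return None
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(mac, _mac(secret, partner, user, ts)):
        return None
    return partner, user


if __name__ == "__main__":
    t = partner_sign("domain-client-1.com", "fred", 1700000000,
                     PARTNER_SECRETS["domain-client-1.com"])
    print(verify_token(t, 1700000010))  # ('domain-client-1.com', 'fred')
```

A page on domain2 that merely deep links movie.swf has no partner secret, so it cannot mint a token that verifies, whichever origin the SWF reports.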
Many thanks Paul, that is much appreciated.