6 Replies Latest reply on Dec 16, 2009 4:18 AM by socialvisionklk

    Flex Application Interaction with Loaded Flash SWFs

    socialvisionklk

      Hi all,

       

      First, the background:

       

      I am creating a Flex application with a component that displays various dynamically loaded SWFs, one at a time (kind of like a kiosk). These loaded SWFs are created in Flash IDE, not Flex. They will not be created by us (we will provide a .fla template but that's it), so I am loading them into a separate SecurityDomain.

       

      My Questions:

      1. I want the application to be able to call methods inside the loaded SWF. To do this, would I just call Security.allowDomain("domain of flex application") in the startup process for the loaded SWF?

      2. I want the loaded SWF to be able to throw events that are caught by the application. Can I accomplish this through the SWFLoader.swfBridge (http://www.adobe.com/livedocs/flex/3/langref/mx/controls/SWFLoader.html#swfBridge) property?

      3. I am defining an interface for the methods inside the loaded SWF. But, I don't want to leave the implementation up to the customer. Instead, I want to provide another SWF that contains the interface implementation and have it be a constraint that the customer includes it in their SWF. I am not very familiar with the Flash authoring environment, how would it work so that the interface implementation SWF exposes its methods in such a way to be accessible to Flex? Is there a way to sign the SWF so that the Flex application knows that it is dealing with the original, not a spoof? How would the Flex code pass in arguments, since it is across SecurityDomain boundary -- is there marshalling involved (say if I want to pass in a Dictionary or some kind of object graph)?

      4. The Flex application may load hundreds of these smaller other SWFs during its lifetime. How do I make sure it doesn't keep using up more memory? I plan on using SWFLoader.unloadAndStop() and clearing all references in the Flex object that refers to it. Is this enough? Will the AppDomain for the loaded SWF be torn down automatically so that the class definitions are no longer in memory?

       

      Thanks,

      Karthik

        • 1. Re: Flex Application Interaction with Loaded Flash SWFs
          Flex harUI Adobe Employee

          1.  You would need to guarantee that code in each loaded SWF runs and calls allowDomain

          2.  It will be a pain to get Flash to use SWFLoader.  Just use loaderInfo.sharedEvents.  Be careful of strong types going across the boundary.  See the MarshallPlan docs and presentation on my blog for more info.

          3.  I'd create a custom Flash component that each custom drops into their SWF.   You could run a  SHA-256 hash on the bytes of the SWF.  You can pass any flash.. class without marshalling.  You have to marshall any custom classes

          4.  unloadAndStop() does not seem to break actionscript references, just media/timeline things.  You need to find a way to clean up everything.  The child SWF shouldn't be able to keep references to itself and prevent gc because it can't access the stage or parent application (unless you allowDomain it).

           

          Alex Harui

          Flex SDK Developer

          Adobe Systems Inc.

          Blog: http://blogs.adobe.com/aharui

          1 person found this helpful
          • 2. Re: Flex Application Interaction with Loaded Flash SWFs
            socialvisionklk Level 1

            Hi Alex,

             

            Thanks for your answers!  I have a few follow-ups:

             

            1.  OK, good.

             

            2.  Ah, I see.  LoaderInfo.sharedEvents seems much more like what I am looking for.  It is automatically instantiated by the framework, right?  In the loaded SWF, would I just do root.loaderInfo.dispatchEvent()?

             

            3.  Regarding how to author the custom Flash components, I am a little confused.  Would my interface-implementation SWF expose an API on frame1 of its timeline?  Does the loaded SWF include the interface SWF as a MovieClip on its timeline?  Also, how would my Flex app call these methods?  Would it just be able to call it on SWFLoader.content, or does the loaded SWF have to expose the interface implementation as some kind of property?  I am very new to this part and not sure what to search for to learn about it.

             

            3a.  Regarding the hashing, I agree that is a perfect scenario for checking to make sure the loaded SWF is what it is supposed to be.  My original question though was along the lines of, how do I make sure that the interface implementation within the loaded SWF itself is coming from my interface implementation SWF, and not something exposing a similar interface that someone has reverse engineered and dropped in?

             

            3b. If I understand marshalling correctly, then only Flash runtime base types and classes will be sent across with the same type information; for anything else I'll have to define some kind of serialization/deserialization interface myself.  Is there any kind of class mapping (e.g. for Value Objects) that could be done here, similar to how AMF lets you map classes between Flex and PHP, Java, etc.?

             

            4.  "unloadAndStop() does not seem to break actionscript references, just media/timeline things.  You need to find a way to clean up everything."  I don't quite understand what that means.  Could you explain further?

             

            I seem to have more follow-ups than original questions but that's definitely a good thing!  Your post was amazingly helpful and cleared up a lot.

             

            Cheers,

            Karthik

            • 3. Re: Flex Application Interaction with Loaded Flash SWFs
              Flex harUI Adobe Employee

              2.  You can use the loaderInfo from root or any display object that is on the stage.  loaderInfo is null otherwise.

               

              4.  unloadAndStop will stop any video or audio and timers and movieClip timelines, thus ending those references to the SWF, but if you have written ActionScript that attaches listeners to objects outside your SWF or registered with Singletons in the main app, or in any other way created references to classes, instances of those classes or methods in a SWF, the SWF will still show references and not be garbage collected.  SWFs loaded into separate SecurityDomains generally cannot attach listeners outside the SWF or access the main app unless you permit it with allowDomain so if you don't call allowDomain you should be ok

               

              3.  I've never tried to do what you want to do, so it is hard to say what the steps are.  It is also important to understand what you are trying to defend against.  What bad things will someone do by spoofing your interface?  Just thinking about it for a few minutes, I think I would have the main app listen to sharedEvents and the first payload in the event from the child should be a loaderInfo from the interface SWF.  I think you can then get to the byteArray of the SWF and run a SHA-256 hash on it.  You might embed the SWF as a byte-array in your component and use loadBytes to load it at startup.  I'm not sure if you just need to supply some files or if you need to go the distance and supply a custom component that can be dropped onto the stage.

               

              4.  You can use registerClassAlias to serialize/deserialize, but we found it just as easy to add conversion APIs to our events.  You'll see a marshal() method on some of our events that go across the boundary

               

              Alex Harui

              Flex SDK Developer

              Adobe Systems Inc.

              Blog: http://blogs.adobe.com/aharui

              1 person found this helpful
              • 4. Re: Flex Application Interaction with Loaded Flash SWFs
                socialvisionklk Level 1

                Hi Alex,

                 

                Thanks again, your answers are extremely clear and understandable.

                 

                I feel like I am really solid on questions 1 and 2.  Couple more follow-ups:

                 

                3.  Those are some good ideas.  Once the interface SWF loads, I could have the first event it throws contain its LoaderInfo object (which I access by calling this.loaderInfo on the root display object, right?).  The LoaderInfo should be fine being passed across security boundaries because it's a flash class.  Then, on the Flex side I can check the LoaderInfo.bytes (as long as the interface SWF has called allowDomain() on our flex app's domain), and run the hash on it?

                 

                "I'm not sure if you just need to supply some files or if you need to go the distance and supply a custom component that can be dropped onto the stage."

                 

                A custom component would simplify things, no?  It's included in the loaded SWF at compile time and just exposes the necessary functions to both the Flex app and the loaded SWF so they can communicate -- this way we are guaranteed a defined behavior and the people creating the loaded SWF don't have a chance to make mistakes in the implementation.  But yeah, this is something we'll have to research more into.

                 

                4.  Ah, I did not know about registerClassAlias().  So, basically we would register a class from the Flex app and a class from the loaded SWF to the same alias.  As long as they have the same fields, it would be ok?  Then we use ByteArray.writeObject and call a method in the loaded SWF, passing it the ByteArray.  On the Flash side, we call ByteArray.readObject and cast it to the object that we expect (and vice versa for events thrown from the loaded SWF to the flex app).  Do we need to do the serialization manually, or can it be done automatically (like when making a RemoteObject call).

                 

                Cheers,

                Karthik

                • 5. Re: Flex Application Interaction with Loaded Flash SWFs
                  Flex harUI Adobe Employee

                  3.  Sounds good, but it is all theory.

                   

                  I believe that there are some other ways to package code for Flash other than "Components".  I think there are some data/network libraries, but I'm not sure how they are packaged these days.

                   

                  4.  In theory, it will try to match up fields that match and ignore ones that don't match as well.  Using readObject/writeObject should work, but you may be able to call the IExternalizable APIs directly. 

                   

                  Alex Harui

                  Flex SDK Developer

                  Adobe Systems Inc.

                  Blog: http://blogs.adobe.com/aharui

                  • 6. Re: Flex Application Interaction with Loaded Flash SWFs
                    socialvisionklk Level 1

                    Alex,

                     

                    Thanks for all the help -- couldn't have asked for more!

                     

                     

                    Cheers,

                    Karthik