5 Replies Latest reply on Feb 1, 2010 9:10 AM by Michael Thornburgh

    GroupSpecifier on server-side

    Fredvb Level 1



      Is there a way to build the GroupSpecifier.groupspecWithAuthentication() with server-side code?


      I'd like to generate the string via some server-side code so that the user cannot forge his own at any step of the process. Or, is there an approach that is suggested for this type of situation where the string is saved in a database for future referencing?


      Thanks in advance.

        • 1. Re: GroupSpecifier on server-side
          Michael Thornburgh Adobe Employee

          we haven't released the details necessary to construct groupspec strings on your own.


          an easy solution to your problem would be to have the server generate a pseudorandom (or whatever your application requires -- unguessable) token, send that to the client, and have the client use that in the GroupSpecifier constructor as part of the group name.  that is:


             import flash.net.GroupSpecifier;

             const GROUP_PREFIX:String = "com.example.myapp/";

             // serverToken: the unguessable token string received from the server
             var gs:GroupSpecifier = new GroupSpecifier(GROUP_PREFIX + serverToken);

             // ... set other properties of gs to enable the capabilities of the group

             var groupspec:String = gs.groupspecWithAuthorizations();


          unless you want some clients to have the groupspecWithAuthorizations and some clients to have the groupspecWithoutAuthorizations.  at this time, you'd have to generate them from a Flash Player and send them to a server to be handed out as appropriate.


          note that it's cryptographically infeasible (if you choose good salts and avoid dictionary passwords) to derive the groupspecWithAuthorizations from the groupspecWithoutAuthorizations (the salt+password is hashed with SHA256 and encoded into the groupspec; the "authorization" is the plain password encoded into groupspec format).


          depending on your application, it may be sufficient to have a special Flash Player application to generate the groupspecWithAuthorizations and groupspecWithoutAuthorizations ahead of time and store them on a server, and then use server logic to give them out to instances of your real application that need one or the other.  groupspecs themselves are strings specifically so that they'd be easy to transport around.



          • 2. Re: GroupSpecifier on server-side
            Fredvb Level 1

            Thank you,


            I think I'll go with the last solution of prebuilding them by a user that has admin power. It seems like the most secure for what I'm trying to do. I do want to store both strings WithAuthorization and Without so as to make the publishing user enter a password himself.

            • 3. Re: GroupSpecifier on server-side
              Fredvb Level 1

              After thinking about it, it doesn't really seem to matter if the user forges that value, he won't get anywhere more than he could achieve by forging responses or HTML FlashVars. The only inconvenience I could see is that he'd try to save his netgroup value as it's being saved with values from someone else's public netgroup, thus sending users in someone else's netgroup unexpectedly. So I guess I do need to create some random channels ahead of time and assign them to users at the server-side level. Yep yep.. thanks again.

              • 4. Re: GroupSpecifier on server-side
                Michael Thornburgh Adobe Employee

                if you want to have the user enter a password to publish (or post), you could just save/hand out the groupspecWithoutAuthorizations and use GroupSpecifier.encodePostingAuthorization() (or GroupSpecifier.encodePublishAuthorization()) with the password to generate the authorization, and simply append that to the groupspecWithoutAuthorizations.  for example, if you had a GroupSpecifier set to require a publish password (but not a posting password for this example), then


                   gs.groupspecWithAuthorizations() == gs.groupspecWithoutAuthorizations() + gs.encodePublishAuthorization(publishPassword)



                • 5. Re: GroupSpecifier on server-side
                  Michael Thornburgh Adobe Employee

                  er, those two methods are static, so (i *think*) in AS you'd have to say GroupSpecifier.encodePublishAuthorization(publishPassword), not gs.encodePublishAuthorization(publishPassword).  but you get the idea.
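
An added Python example (not from the thread or from Adobe) of the server side described in replies 1 and 3: an unguessable token for the group name, and a pool of pre-generated groupspecs that the server assigns and hands out by role. `ChannelPool`, its methods and the placeholder strings are hypothetical; groupspecs are treated as opaque strings produced beforehand in a Flash Player.

```python
import secrets

GROUP_PREFIX = "com.example.myapp/"  # prefix used in reply 1


def new_group_name() -> str:
    """Group name with an unguessable suffix (32 bytes from the OS CSPRNG)."""
    return GROUP_PREFIX + secrets.token_urlsafe(32)


class ChannelPool:
    """Pre-generated channels; the server never parses the groupspec strings."""

    def __init__(self):
        self._free = []    # channel ids not yet assigned to anyone
        self._specs = {}   # channel id -> (with_auth, without_auth)
        self._owner = {}   # channel id -> user id, chosen by the server

    def add_pregenerated(self, with_auth: str, without_auth: str) -> str:
        """Called only by the trusted admin tool that ran in a Flash Player."""
        if not with_auth or not without_auth:
            raise ValueError("both groupspec strings are required")
        channel_id = secrets.token_hex(8)
        self._specs[channel_id] = (with_auth, without_auth)
        self._free.append(channel_id)
        return channel_id

    def assign(self, user_id: str) -> str:
        """The server, not the client, decides which channel a user owns."""
        if not self._free:
            raise LookupError("no pre-generated channels left")
        channel_id = self._free.pop()
        self._owner[channel_id] = user_id
        return channel_id

    def groupspec_for(self, user_id: str, channel_id: str) -> str:
        """Owner gets the string with authorizations, everyone else without."""
        if channel_id not in self._owner:
            raise KeyError("unknown or unassigned channel")
        with_auth, without_auth = self._specs[channel_id]
        return with_auth if self._owner[channel_id] == user_id else without_auth


if __name__ == "__main__":
    pool = ChannelPool()
    # Constructed placeholders standing in for real groupspec strings.
    pool.add_pregenerated("WITH-AUTH-PLACEHOLDER", "WITHOUT-AUTH-PLACEHOLDER")
    cid = pool.assign("alice")
    print(new_group_name(), pool.groupspec_for("bob", cid))
```

Because clients never submit a groupspec to be saved, a user cannot register someone else's public netgroup value as his own channel.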