we haven't released the details necessary to construct groupspec strings on your own.
an easy solution to your problem would be to have the server generate a pseudorandom (or whatever your application requires -- unguessable token), send that to the client, and have the client use that in the GroupSpecifier constructor as part of the group name. that is:
const var GROUP_PREFIX:String = "com.example.myapp/";
var gs:GroupSpecifier = new GroupSpecifier(GROUP_PREFIX + serverToken):
... set other properties of gs to enable the capabilities of the group
var groupspec:String = gs.groupspecWithAuthorizations();
unless you want some clients to have the groupspecWithAuthorizations and some clients to have the groupspecWithoutAuthorizations. at this time. you'd have to generate them from a Flash Player and send send them to a server to be handed out as appropriate.
note that it's cryptographically infeasible (if you choose good salts and avoid dictionary passwords) to derive the groupspecWithAuthorizations from the groupspecWithoutAuthorizations (the salt+password is hashed with SHA256 and encoded into the groupspec; the "authorization" is the plain password encoded into groupspec format).
depending on your application, it may be sufficient to have a special Flash Player application to generate the groupspecWithAuthorizations and groupspecWithoutAuthorizations ahead of time and store them on a server, and then use server logic to give them out to instances of your real application that need one or the other. groupspecs themselves are strings specifically so that they'd be easy to transport around.
I think I'll go with the last solution of prebuilding them by a user that has admin power. It seems like the most secure for what I'm trying to do. I do want to store both strings WithAuthorization and Without so as to make the publishing user enter a password himself.
After thinking about it, it doesn't really seem to matter if the user forges that value, he won't get anywhere more than he could achieve by forging responses or HTML FlashVars. The only inconvenience I could see, is that he'd try to save his netgroup value as it's being saved with values from someone else's public netgroup, thus sending users in someone elses netgroup unexpectingly. So I guess I do need to create some random channels ahead of time and assign them to users at the server-side level. Yep yep.. thanks again.
if you want to have the user enter a password to publish (or post), you could just save/hand out the groupspecWithoutAuthorizations and use GroupSpecifier.encodePostingAuthorization() (or GroupSpecifier.encodePublishAuthorization()) with the password to generate the authorization, and simply append that to the groupspecWithoutAuthorizations. for example, if you had a GroupSpecifier set to require a publish password (but not a posting password for this example), then
gs.groupspecWithAuthorizations() == gs.groupspecWithoutAuthorizations() + gs.encodePublishAuthorization(publishPassword)
er, those two methods are static, so (i *think*) in AS you'd have to say GroupSpecifier.encodePublishAuthorization(publishPassword), not gs.encodePublishAuthorization(publishPassword). but you get the idea.