25 Replies Latest reply on Aug 29, 2007 8:08 AM by JoshBeall

    How to get around user/pass auth in Flex?

    dimyself
      I've got a small Flex app which displays data from a query in a datagrid. The problem I found is that when I run my app outside of Eclipse, it hangs when it accesses my php page because it's behind a password protected url. Any ideas on what I can do in this situation?

      I thought about either passing the credentials on the url (which doesn't seem like a very good idea). Is there a way I can have my Flex app prompt the user for credentials? Here's my flex app:

      <?xml version="1.0" encoding="utf-8"?>
      <mx:Application xmlns:mx=" http://www.adobe.com/2006/mxml" xmlns="*" layout="absolute" creationComplete="returnData.send()">
      <mx:HTTPService id="returnData" url=" http://dev/maintenance/hacks/flexrs.php"/>
      <mx:DataGrid id="emaillist" dataProvider="{returnData.lastResult.RESULTSET.REQUEST}" left="41" right="41" bottom="41" top="41">

      </mx:DataGrid>

      </mx:Application>
        • 1. Re: How to get around user/pass auth in Flex?
          ssmithstone
          i think if you have restricted url then you can do http://username:password@url if that works then you maybe can try putting that in your url
          • 2. Re: How to get around user/pass auth in Flex?
            dimyself Level 1
            I tried that and it didn't seem to work. Also, I don't necessarily want everyone that hits my url to use the same credentials.

            Is there anyway to get my Flex app to display a login box whenever it hits the url to pass the credentials?
            • 3. How to get around user/pass auth in Flex?
              ssmithstone Level 1
              theres a header parameter on the httpservice maybe you can add the values into that object
              • 4. Re: How to get around user/pass auth in Flex?
                dimyself Level 1
                Add what values?
                • 5. Re: How to get around user/pass auth in Flex?
                  levancho Level 3
                  with http simple authentiation, server returns a http code I think its 100 or something similiar , asking client for username and pasword, so you can *theoritical* read the httpcode on resulthandler and if that code is 100(or whatever the code server returs) indicating that server needs client to resend request with username and password then you pop a flex window for user asking for username/password and then when user enters credentials resend httpservice with credentials as parameters.
                  • 6. Re: How to get around user/pass auth in Flex?
                    dimyself Level 1
                    Any idea how I can go about doing this? I'm new to Flex... What are the HTTPService parameters I would need to use to accomplish this?
                    • 7. How to get around user/pass auth in Flex?
                      levancho Level 3
                      for apache I think parameter Names are : username and password.
                      so you do mxml way :


                      <mx:HTTPService id="loginService"
                      url="/loginserivce.srvc"
                      showBusyCursor="true"
                      method="POST"
                      result="loginServiceResultHandler(event)"
                      fault="loginServiceFaultResultHandler(event)">
                      <mx:request>
                      <username>{yourusername}</username>
                      <password>{MD5.encode(yourpassword)}</password>
                      </mx:request>
                      </mx:HTTPService>

                      or more (*bending two fingeres on both hands*) , cooler *cough* AS3 way : loginService.send({username:yourusername,
                      password:MD5.encode(yourpassword)});


                      P.S MD5.encode is optional and phseudo , not sure what is exactly api method for encoding, its in flex library somewhere:
                      http://code.google.com/p/as3corelib/
                      • 8. Re: How to get around user/pass auth in Flex?
                        JoshBeall Level 1
                        Ostensibly you can add custom HTTP headers to a request like this:

                        var s:HTTPService = new HTTPService();
                        s.url=" http://myendpoint/service";
                        s.headers = "Authorization: somebase64authvalue";
                        s.send();

                        LiveDoc reference

                        Blog post about this method (scroll down to the end of his post)

                        I say "ostensibly" because I have yet to have success with this method. Please post back and let us know if this method works out for you.

                        Note: if you are able to successfully add the headers, the value for the "Authorization: " header should be the string "username:password", base64 encoded.

                        Also, as far as I know, there is no way to intercept basic authentication challenges sent by a remote server. You just have to know whether or not the server is going to require authentication, and send it along with your request. If you ever fail to send along the authorization header, the remote server will send back a challenge (401 not authorized), and the user will get a browser popup asking for username/password. As far as I know there is no way to prevent this (short of knowing ahead of time what systems will require credentials, and supplying them on the very first request).

                        Hope that helps.

                        -Josh
                        • 9. How to get around user/pass auth in Flex?
                          levancho Level 3
                          the remote server will send back a challenge (401 not authorized),
                          --------
                          thats what I was hoping to, should not flex httpservice receive 401 and capture it ? and furthermore should not some event fire in that case?
                          • 10. Re: How to get around user/pass auth in Flex?
                            JoshBeall Level 1
                            quote:

                            Originally posted by: levancho
                            with http simple authentiation, server returns a http code I think its 100 or something similiar , asking client for username and pasword, so you can *theoritical* read the httpcode on resulthandler and if that code is 100(or whatever the code server returs) indicating that server needs client to resend request with username and password then you pop a flex window for user asking for username/password and then when user enters credentials resend httpservice with credentials as parameters.


                            I don't think this is correct, but if you can show an example I'd be delighted to be wrong.

                            The response that the web server sends back is 401 (which is "not authorized"). I do not believe that Flex ever gets a chance to see this message; I think that the browser will simply popup a login dialog to the user the instant it receives the 401 error code.

                            At least, that's the behavior I've seen. It would be nice if you could intercept that 401 response, but I've not had any success with that method.
                            • 11. Re: How to get around user/pass auth in Flex?
                              JoshBeall Level 1
                              quote:

                              Originally posted by: levancho
                              the remote server will send back a challenge (401 not authorized),
                              --------
                              thats what I was hoping to, should not flex httpservice receive 401 and capture it ? and furthermore should not some event fire in that case?


                              Should it? Well, I can see a case made for that :-) But I don't think it does. I believe the browser intercepts that 401 response before it gets to the Flash player, so there's no event to listen for in Flex.
                              • 12. Re: How to get around user/pass auth in Flex?
                                levancho Level 3
                                what can be done,(possibly) to have a intermediate multipurpose serve side Code that does following :

                                receives parameter of requested URL for example : myurl122.php calls that resource and captures response includind header info , then constructs xmlResponse with format :
                                <result>
                                <code>401</code>
                                ...</result>
                                or
                                <result>
                                <code>200</code>
                                <body></body>
                                ...</result>

                                etc ..
                                and returns that to flexService.
                                its a little hack but this way will work I think
                                • 13. Re: How to get around user/pass auth in Flex?
                                  dimyself Level 1
                                  Ok, so I modified my app but there are errors on my "username" and "password" lines:

                                  Severity and Description Path Resource Location Creation Time Id
                                  1120: Access of undefined property password. flex flex.mxml line 15 1188319559727 575
                                  1120: Access of undefined property username. flex flex.mxml line 14 1188319559717 574

                                  Here's my updated app. Please tell me what I'm missing here.........

                                  <?xml version="1.0" encoding="utf-8"?>
                                  <mx:Application xmlns:mx=" http://www.adobe.com/2006/mxml" xmlns="*" layout="absolute" creationComplete="returnData.send()">
                                  <!--<mx:HTTPService id="returnData" url=" http://dev/maintenance/hacks/flexrs.php"/> -->

                                  <mx:HTTPService id="returnData"
                                  url=" http://dev/maintenance/hacks/flexrs.php"
                                  showBusyCursor="true"
                                  method="POST"
                                  result="returnDataResultHandler(event)"
                                  fault="returnDataFaultResultHandler(event)">
                                  <mx:request>
                                  <!--<username>{yourusername}</username>
                                  <password>{MD5.encode(yourpassword)}</password> -->
                                  <username>{username.text}</username>
                                  <password>{password.text}</password>
                                  </mx:request>
                                  </mx:HTTPService>

                                  <mx:DataGrid id="emaillist" dataProvider="{returnData.lastResult.RESULTSET.REQUEST}" left="41" right="41" bottom="41" top="41">

                                  </mx:DataGrid>

                                  <mx:Script>
                                  <![CDATA[
                                  import flash.net.navigateToURL;
                                  import mx.controls.Alert;
                                  import mx.rpc.events.FaultEvent;
                                  import mx.rpc.events.ResultEvent;



                                  private function returnDataResultHandler(event:ResultEvent):void

                                  {
                                  <!-- photoFeed = event.result as XML; -->
                                  Alert.show(event.result.message, "page loaded");
                                  }

                                  private function returnDataFaultResultHandler(event:FaultEvent):void

                                  {
                                  Alert.show(event.fault.message, "Could not load page");
                                  }

                                  ]]>
                                  </mx:Script>

                                  </mx:Application>

                                  • 14. Re: How to get around user/pass auth in Flex?
                                    levancho Level 3
                                    password.text has to exist it has to be a id of textinpit or something same for username.text
                                    • 15. Re: How to get around user/pass auth in Flex?
                                      dimyself Level 1
                                      I don't understand what you just said. I tried your code (below) as well and it gave me the same errors:

                                      <username>{yourusername}</username>
                                      <password>{MD5.encode(yourpassword)}</password>

                                      • 16. Re: How to get around user/pass auth in Flex?
                                        JoshBeall Level 1
                                        quote:

                                        Originally posted by: dimyself
                                        <mx:HTTPService id="returnData"
                                        url=" http://dev/maintenance/hacks/flexrs.php"
                                        showBusyCursor="true"
                                        method="POST"
                                        result="returnDataResultHandler(event)"
                                        fault="returnDataFaultResultHandler(event)">
                                        <mx:request>
                                        <!--<username>{yourusername}</username>
                                        <password>{MD5.encode(yourpassword)}</password> -->
                                        <username>{username.text}</username>
                                        <password>{password.text}</password>
                                        </mx:request>
                                        </mx:HTTPService>


                                        Question: are you using basic authentication, or do you just need to pass in a username and password value as POST variables? I was under the impression you're trying to do basic authentication...?
                                        • 17. Re: How to get around user/pass auth in Flex?
                                          dimyself Level 1
                                          It's just an htpasswd protected url. What am I doing wrong here?
                                          • 18. Re: How to get around user/pass auth in Flex?
                                            JoshBeall Level 1
                                            quote:

                                            Originally posted by: dimyself
                                            It's just an htpasswd protected url. What am I doing wrong here?


                                            That means it is protected with basic authentication. If you're setting variables via the <mx:request> tags, you're setting variables passed through in the POST body. But basic HTTP authentication has to happen in the HTTP header.

                                            So you need to try using the HTTPService.header object (I haven't had any success with that), or you need to embed the username and password in the url, like http://username:password@url (haven't been able to get that working in IE), or you need to setup a server-side proxy that can take the username and password as POST variables, and then pass ther request along with the POST'd username and password as basic authentication credentials (annoying, but I have had success with that).

                                            The bottom line is I have never had good success with basic authentication in Flex. I don't believe it can reliably be done. Hopefully that will change, or I am wrong and somebody else will show how it can be done.

                                            -Josh
                                            • 19. How to get around user/pass auth in Flex?
                                              dimyself Level 1
                                              Ok, so when I pass in the user:pass with the url, it works inside Eclipse, HOWEVER when I export my project and run it from it's exported location (on my local box and the server), I get the following error:

                                              faultCode:Channel.Security.Error faultString:'Security error accessing url' faultDetail:'Destination: DefaultHTTP'

                                              What does this mean?
                                              • 20. Re: How to get around user/pass auth in Flex?
                                                dimyself Level 1
                                                Anyone know what these security errors mean?
                                                • 21. Re: How to get around user/pass auth in Flex?
                                                  JoshBeall Level 1
                                                  quote:

                                                  Originally posted by: dimyself
                                                  Ok, so when I pass in the user:pass with the url, it works inside Eclipse, HOWEVER when I export my project and run it from it's exported location (on my local box and the server), I get the following error:

                                                  faultCode:Channel.Security.Error faultString:'Security error accessing url' faultDetail:'Destination: DefaultHTTP'

                                                  What does this mean?


                                                  Sounds like the SWF is being served from a different domain than the service you're trying to call? Keep in mind that you'll need a crossdomain.xml file in place if you're calling a service that's on a different domain than your SWF is served from. For instance, let's say you're publishing our SWF and it's available here:

                                                  http://myWebsite.com/myFlexPage.html

                                                  And it's calling a web service that's available here:

                                                  http://webservices.com/myHandyService.asmx

                                                  This won't work, unless you put a crossdomain.xml file on the webservices.com site, that's available at
                                                  http://webservices.com/crossdomain.xml.

                                                  This is used to restrict what clients can call the web service. Here's one that simply allows access from all hosts:

                                                  <?xml version="1.0"?>
                                                  <!DOCTYPE cross-domain-policy SYSTEM " http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
                                                  <cross-domain-policy>
                                                  <allow-access-from domain="*" />
                                                  </cross-domain-policy>

                                                  You may want to lock this down to restrict access to specific domains -- or you may not -- it depends on the security context, and you'll have to make this decision. Perhaps, since you are using authentication, anyone with the proper credentials is permitted to access the web services, regardless of the host they are connecting from.

                                                  Let us know if that resolves your problem.

                                                  -Josh
                                                  • 22. Re: How to get around user/pass auth in Flex?
                                                    dimyself Level 1
                                                    Ok, that worked! I put the crossdomain in and now the page loads.
                                                    • 23. Re: How to get around user/pass auth in Flex?
                                                      JoshBeall Level 1
                                                      So you're having success with basic authentication of a web service? Have you tested in IE7? I couldn't get it to work in IE7, though it worked just fine in Opera 9 and FireFox 2.

                                                      I'd be encouraged to hear that it can work in IE7.
                                                      • 24. Re: How to get around user/pass auth in Flex?
                                                        dimyself Level 1
                                                        I haven't tested with ie7. It does work in ie6 though and Firstfox for me...
                                                        • 25. Re: How to get around user/pass auth in Flex?
                                                          JoshBeall Level 1
                                                          Once you get a chance to test in IE7, I'd be interested in hearing whether or not it works for you.