the groupspecWithAuthorizations includes the passwords. therefore, the groupspecWithAuthorizations must be treated as a secret password. it must only be given to clients that are allowed to publish/post in your group.
one way to do this is to generate the groupspec strings in a central place (either on an authorized client, or on FMS), and only give out the pre-computed groupspec strings to other clients. since all of the information (including passwords) is needed to generate the groupspec using the GroupSpecifier class, you don't want to generate the groupspecs using GroupSpecifier on each client, since that would involve transmitting the passwords to every client, whether each was authorized for publish/post or not.
Thank you very much Michael.I generate the groupspecWithAuthorizations in FMS.like this
var spec=new GroupSpecifier("my-group");
spec.postingEnabled = true;
spec.serverChannelEnabled = true;
var specResponder:Responder=new Responder(setGroup);
However, hackers can still get to groupspecWithAuthorizations, then he can be destroyed