I mean ofc i can add peerID inside message itself, but it can be substituted right? How can I be sure that it wasn't substituted by remote user?
you can't, automatically at least. the only way to do that would be with digital signatures and some kind of public key infrastructure. you can certainly build that in ActionScript if you really want to. i would classify that effort as "advanced" and "hard".
you can restrict who can post by setting a posting password. then only peers who have the groupspecWithAuthorizations will be able to post. note, however, that this password check is implemented inside the Flash runtime only at the poster; someone with a hacked Flash Player and your groupspecWithoutAuthorizations could bypass the authorization check and post, and the posting would be propagated by the other peers.