Secure Authentication with Flash Communication Server: Using Tickets and Flash Remoting MX to Transmit Secure Information
- Getting Started
- Exercise 1: The Database, "myFlashComDb.mdb"
- Exercise 2: The ColdFusion Component, "FCS_Security.cfc"
- Exercise 3: The Flash Movie, "FCS_Secure.fla"
- Exercise 4: The Server-Side ActionScript, "main.asc"
- Testing the Application, Some Considerations
There has been a lot of discussion about security and Macromedia Flash Communication Server MX. The topic most often raised on the discussion boards and newsgroups is that the RTMP protocol cannot operate using a secure encryption key of the kind commonly used in the web's HTTPS protocol. Real Time Message Protocol (RTMP) is Flash Communication Server's proprietary method for persistent communication between the server and Flash Player 6. Macromedia developed it specifically for the Flash Communication Server to transport multi-way audio and video streams, as well as data and broadcast messaging, using the Action Message Format (AMF).
This discussion has led many people to believe that a Flash Communication Server application cannot protect the transmission of sensitive data, such as passwords and credit card information. It is true that RTMP is not a secure transport, but the Flash Player and the Flash Communication Server can each communicate independently over the secure HTTPS protocol using Flash Remoting MX.
Flash Remoting MX was introduced in the spring of 2002, with the release of Macromedia ColdFusion MX and Macromedia JRUN 4. It enables Flash applications to communicate easily and securely with application servers that are connected to databases. Flash Remoting MX uses the HTTP protocol or the secure HTTPS protocol to transmit AMF packets that contain ActionScript objects, such as arrays and recordsets, or any other valid ActionScript data value, such as a Boolean, string, or number. To use Flash Remoting MX, you must be running a Macromedia MX application server such as ColdFusion or JRUN 4, or have Flash Remoting MX installed for J2EE or Microsoft .NET.
This article will give you a hands-on introduction to constructing a basic authentication schema for Flash Communication Server Applications. Figure 1 is an overview of the process this technique will follow. Below the diagram is a list of the six steps.
Figure 1 The communication flow from Player to Flash Communication Server to ColdFusion.
1. The Flash Player sends a login and password challenge over a secure HTTPS connection to a web service method on a ColdFusion MX Application Server connected to a database or LDAP Server. This action is performed using Flash Remoting MX.
2. The ColdFusion MX Server receives the call and processes the login and password. If successful, ColdFusion returns a unique HASH "Ticket" to the Caller (the Flash Player). The Ticket and an expiry date are also stored in a table within the database.
3. When the Ticket is received by the Flash Player, a NetConnection request is sent to the Flash Communication Server. The Ticket received from ColdFusion is sent along with the request.
4. The Flash Communication Server calls a remote method on the ColdFusion server using a secure HTTPS connection. It sends the Ticket received from the Flash Player to the server for validation.
5. The ColdFusion Server validates the ticket, and returns a true or false response with (if available) the user's full name.
6. The Flash Communication Server accepts the connection based on the response from ColdFusion and registers the user's name in the UI Component Framework.
At this point the connection has been successfully made to the Flash Communication Server. At no point during this process was there any insecure transmission of sensitive information.
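The ticket lifecycle from steps 2, 4, 5 and 6, modelled in JavaScript as an added example; it is not the article's FCS_Security.cfc or main.asc. The function names, the in-memory maps standing in for the database tables, the 60-second lifetime, the single-use rule and the sample user are all assumptions, and the ticket here is a random token rather than a hash.

```javascript
// Added example: models the ticket table behind steps 2, 4, 5 and 6.
// issueTicket, validateTicket, onConnect and TICKET_TTL_MS are hypothetical names.
const crypto = require('node:crypto');

const TICKET_TTL_MS = 60 * 1000;   // assumed lifetime; the article does not give one
const tickets = new Map();         // stands in for the database ticket table

// Constructed sample user; a salted scrypt hash stands in for the users table.
const salt = crypto.randomBytes(16);
const users = new Map([['alice', {
  fullName: 'Alice Example',
  salt,
  pwHash: crypto.scryptSync('correct horse', salt, 32),
}]]);

// Step 2: check the login and password, then issue a ticket and store its expiry.
function issueTicket(login, password, now = Date.now()) {
  const user = users.get(login);
  if (!user) return null;
  const candidate = crypto.scryptSync(password, user.salt, 32);
  if (!crypto.timingSafeEqual(candidate, user.pwHash)) return null;
  // Random token, so a ticket cannot be derived from anything the user knows.
  const ticket = crypto.randomBytes(32).toString('hex');
  tickets.set(ticket, { login, expires: now + TICKET_TTL_MS });
  return ticket;
}

// Steps 4-5: the communication server asks whether a ticket is still valid.
function validateTicket(ticket, now = Date.now()) {
  const row = tickets.get(ticket);
  if (!row) return { valid: false };
  tickets.delete(ticket);          // assumption: one ticket admits one connection
  if (now > row.expires) return { valid: false };
  return { valid: true, fullName: users.get(row.login).fullName };
}

// Step 6: accept or reject the connection based on the validation result.
function onConnect(ticket, now = Date.now()) {
  const result = validateTicket(ticket, now);
  return result.valid ? `accept:${result.fullName}` : 'reject';
}
```

The ticket is the one credential that crosses RTMP (step 3), which is why this example expires it quickly and deletes it on first use.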
Let's now take a detailed walkthrough of the processes involved.
For this exercise, you will need the following components installed and operational. This article will assume that all these components are installed and running on the SAME workstation.
- Flash Communication Server MX (any edition)
- Flash MX Authoring Environment (with the Communication and Remoting Components installed)
- Macromedia Dreamweaver MX or ColdFusion Studio
- ColdFusion MX (any edition)
- Webserver (IIS or ColdFusion Stand-Alone)
Like most Flash Communication Server applications, this one has a number of components that you will need to build separately. The completed source code can be downloaded from the Macromedia Flash Communication Server MX book's web site: http://flashcom.PangaeaNewMedia.ca/. You can also see a working version of the example application on that web site. I've tried to keep it as simple as possible, but there are four parts to this application.
- "myFlashComDb.mdb": the Microsoft Access database that contains user information
- "FCS_Security.cfc": the ColdFusion Component that contains the remote service methods
- "FCS_Secure.fla": the Flash MX source file that is used within Flash MX
- "main.asc": the SSAS file on the Flash Communication Server
Before you begin, create a folder within the [%webRoot%]/flashcom/applications folder called "informIT". All files for this project will be stored within that folder. Make sure your Flash Communication Server recognizes this folder as a Flash Communication Server Application folder. Also make sure that your default web server has access to this folder. When you are ready to move your files to a live (public) server, make sure the FlashCom/Applications folder is not accessible through your web server.