macromedia flash flash remoting:
Hopefully this hasn't already been hashed out somewhere. I couldn't find it
if it was. A few thoughts and one question regarding security in Flash
Remoting w/ .NET:
(Everything below is in regards to using Flash Remoting to call class methods
in .NET Assemblies directly.)
1) It seems that a remoting Flash client has access to any class that
provides a default constructor, and is located in an ASP.NET application's
assembly cache. This would seem to be a potential security issue, no?
Imagine a naive database connection class with a default constructor and the
method "getDbPassword()".
I've seen no mention of this though, except on the Java side. This spells
it out very clearly and represents a working solution for the Java side.
http://carbonfive.sourceforge.net/flashgatekeeper/
Am I missing something on the .NET side, or does the .NET Flash Remoting
gateway implementation have a very similar problem?
2) I did some tests though, and it seems it is NOT possible for Flash
remoting client to instantiate and call methods on any .NET framework
classes. I only did some rudimentary testing though. Does anyone know what
the real restrictions are, or are not?
3) As a potential workaround, I have determined it's possible to intercept
Flash Remoting calls on the server-side by subclassing IHttpModule with a
custom class that brokers calls and events for the GatewayController class
in flashgateway.dll. (The custom HttpModule needs to be configured in place
of the default gateway module in the web.config file as well.)
During the intercept, I can use other available classes and methods from
flashgateway.dll to parse the AMF request and allow or deny the request
based on the class name being loaded. (Specifically, using the
MessageDeserializer class.) However, applying this intercept for security
checks requires two parse operations for each Remoting call. Not exactly
efficient.
Any thoughts?
- josh
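An added example of the gate described in point 3, written for this thread and not taken from josh's post or from flashgateway.dll: an ASP.NET IHttpModule that runs ahead of the gateway, reads only the AMF0 envelope of the request (header and message framing plus the target URIs), and refuses the request unless every target's class name is on an explicit allow list. The AMF0 envelope reader is written for the example rather than borrowed from flashgateway.dll's MessageDeserializer, and it walks the envelope without decoding any AMF values, so it is a cheap pass rather than the second full parse the post worries about. The gateway path `/gateway.aspx`, the module class name and the service class names in the allow list are assumptions.

```csharp
// Added example, not code from the original post or from flashgateway.dll.
// Gate Flash Remoting calls by class name before the gateway loads anything.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Web;

public sealed class RemotingAllowListModule : IHttpModule
{
    // Assumption: the gateway is mapped to this path in web.config.
    private const string GatewayPath = "/gateway.aspx";

    // Only these classes may be reached from Flash (hypothetical names).
    // Anything else, including classes with a public default constructor that
    // merely happen to sit in the bin folder, is refused here.
    private static readonly HashSet<string> AllowedClasses =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "MyApp.Services.CatalogService",
            "MyApp.Services.OrderService",
        };

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        if (!string.Equals(ctx.Request.Path, GatewayPath, StringComparison.OrdinalIgnoreCase))
            return;

        // Buffer the body, then rewind so the gateway module still sees it intact.
        Stream s = ctx.Request.InputStream;
        var body = new byte[s.Length];
        int read = 0;
        while (read < body.Length)
        {
            int n = s.Read(body, read, body.Length - read);
            if (n <= 0) break;
            read += n;
        }
        s.Position = 0;

        List<string> targets;
        if (!AmfEnvelope.TryReadTargets(body, out targets) || !AllAllowed(targets))
        {
            // Fail closed: unparseable envelope or unlisted class => 403, gateway never runs.
            ctx.Response.StatusCode = 403;
            ctx.Response.SuppressContent = true;
            app.CompleteRequest();
        }
    }

    // Target URIs look like "Namespace.Class.method"; the class is everything before the last dot.
    private static bool AllAllowed(List<string> targets)
    {
        foreach (string t in targets)
        {
            int dot = t.LastIndexOf('.');
            if (dot <= 0 || !AllowedClasses.Contains(t.Substring(0, dot))) return false;
        }
        return true;
    }
}

// Minimal AMF0 envelope walker (big-endian): version, headers, then messages.
internal static class AmfEnvelope
{
    public static bool TryReadTargets(byte[] d, out List<string> targets)
    {
        targets = new List<string>();
        try
        {
            int p = 0;
            ReadU16(d, ref p);                        // version (0 = AMF0, 3 = AMF3 payloads)
            int headerCount = ReadU16(d, ref p);
            for (int i = 0; i < headerCount; i++)
            {
                ReadUtf(d, ref p);                    // header name
                p += 1;                               // must-understand flag
                if (!Skip(d, ref p, ReadU32(d, ref p))) return false;
            }
            int messageCount = ReadU16(d, ref p);
            for (int i = 0; i < messageCount; i++)
            {
                targets.Add(ReadUtf(d, ref p));       // target URI "Namespace.Class.method"
                ReadUtf(d, ref p);                    // response URI
                uint len = ReadU32(d, ref p);
                if (len == 0xFFFFFFFF)                // unknown body length: only tolerable on the last message
                    return i == messageCount - 1;
                if (!Skip(d, ref p, len)) return false;
            }
            return messageCount > 0;                  // an envelope with no calls has nothing to allow
        }
        catch (Exception) { return false; }           // truncated or malformed envelope: refuse
    }

    private static bool Skip(byte[] d, ref int p, uint len)
    {
        if ((long)p + len > d.Length) return false;
        p += (int)len;
        return true;
    }
    private static int ReadU16(byte[] d, ref int p)
    {
        if (p + 2 > d.Length) throw new EndOfStreamException();
        int v = (d[p] << 8) | d[p + 1]; p += 2; return v;
    }
    private static uint ReadU32(byte[] d, ref int p)
    {
        if (p + 4 > d.Length) throw new EndOfStreamException();
        uint v = ((uint)d[p] << 24) | ((uint)d[p + 1] << 16) | ((uint)d[p + 2] << 8) | d[p + 3];
        p += 4; return v;
    }
    private static string ReadUtf(byte[] d, ref int p)
    {
        int len = ReadU16(d, ref p);
        if (p + len > d.Length) throw new EndOfStreamException();
        string s = Encoding.UTF8.GetString(d, p, len); p += len; return s;
    }
}
```

To wire it in, the module is registered in web.config under `<httpModules>` (for example `<add name="RemotingAllowList" type="RemotingAllowListModule"/>`) ahead of the gateway's own module entry, so BeginRequest runs here first; the exact gateway entry depends on the flashgateway.dll version installed. The gate is an allow list rather than a deny list on purpose: a class added to the assembly cache later is unreachable from Flash until someone deliberately lists it, which directly addresses the "any class with a default constructor" exposure raised in point 1.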