Flash Remoting for .NET Security


Flash Remoting for .NET Security Whidbey
2/18/2004 4:13:30 PM
Hi,

How can I limit Flash gateway to access only the classes that I specify and deny the requests for other classes or pages?

Re: Flash Remoting for .NET Security Chafic Kazoun
2/20/2004 5:52:49 AM
I'm assuming you are connecting to assemblies. With the .net remoting service
any public method by default that is using the flash remoting classes will be
available via remoting. The only way to limit that is to make your method
private or build a gatekeeper.

Building a gatekeeper is a good idea. The way it would work is the gatekeeper
would have a definition of what method calls are allowed and all requests from
the flash client would be intercepted by the gatekeeper to make sure the call
is allowed. You can even go further and develop some authentication process
where a session id is passed in the header of every remoting call and
accordingly limit calls. To build a gatekeeper you would build an HTTPModule
and would use the MM remoting classes to inspect incoming AMF (remoting) calls.

HTH

Chafic
----
http://www.blinex.com
blog: http://www.rewindlife.com
Re: Flash Remoting for .NET Security Whidbey
2/20/2004 1:10:46 PM
of course I've thought about building my own HttpModule to limit access to the
classes that I want, but I don't know how to build a gateway controller like
the one in the FlashGateway.dll, none of the methods in the GatewayController
class are virtual to extend. please help me how to do that.

P.S.: can I edit the IL code in the FlashGatway.dll? (I mean does Macromedia
allow this?)
Re: Flash Remoting for .NET Security Chafic Kazoun
2/23/2004 6:11:04 AM
What you would need is to build your own HttpModule that monitors all traffic
coming through. It would co-exist with Macromedia's remoting connector and not
be a sub-class of Macromedia's components. It seems you are pretty
knowledgeable in C# so I won't bore you with the details on how to implement
your own HttpModule (MSDN docs do a better job than I could anyways). One of
the benefits of the .Net remoting components Macromedia provides is it allows
you to inspect AMF data. Macromedia has not documented a lot of these methods
because their original intent was not to inspect AMF data manually but to do it
all automatically for the user. So by building our own HttpModule and making
use of Macromedia's remoting classes, we could inspect that data easily.

In your HttpModule's BeginRequest event handler (the event of HttpApplication
instance passed to the Init() method), you would take the input stream of the
HttpApplication and create an instance of the FlashGateway.Action.ActionMessage
datatype

<example>
// app is the HttpApplication instance passed to Init()
ActionMessage requestMessage = new ActionMessage();
long length = app.Context.Request.InputStream.Length;
BufferedStream bufferedStream = new BufferedStream(app.Context.Request.InputStream, (int)length);
MessageDeserializer deserializer = new MessageDeserializer(bufferedStream);
// Parse the incoming AMF request into an ActionMessage for inspection
requestMessage = deserializer.readMessage();
</example>

Then it is up to you how you verify that the call is to be accepted or
rejected. A simple example would take the ActionMessage and check for a
certain unique identifier returned by the GetHeader() method. If the unique
identifier is valid then it would allow the call to occur by setting the
HttpApplication.Context.Request.InputStream.Position = 0. I would recommend
you look through the different classes available and what their capabilities
are. Most of them are self explanatory.

HTH

Thanks

Chafic
----
http://www.blinex.com
blog: http://www.rewindlife.com
Team Macromedia Volunteer: http://www.macromedia.com/go/teammacromedia
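
Added example, not part of the thread and not Macromedia's code: a gatekeeper HttpModule of the kind described in the replies above, which parses the AMF0 envelope itself rather than relying on the undocumented FlashGateway classes and refuses any call whose target is not on an allowlist. The class name, the allowlist entries and the `/gateway.aspx` path are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Web;

public class AmfGatekeeperModule : IHttpModule
{
    // Hypothetical allowlist of "Service.method" targets; every other target is refused.
    static readonly HashSet<string> Allowed = new HashSet<string>(StringComparer.Ordinal)
        { "MyApp.CatalogService.GetItems", "MyApp.CatalogService.GetItem" };

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Assumed gateway URL. FilePath excludes any trailing path info.
        if (!ctx.Request.FilePath.EndsWith("/gateway.aspx", StringComparison.OrdinalIgnoreCase)) return;
        Stream body = ctx.Request.InputStream;
        bool ok;
        try { ok = AllTargetsAllowed(body); } catch (Exception) { ok = false; }  // unparseable: deny
        body.Position = 0;                          // rewind so the gateway can read the stream
        if (!ok) { ctx.Response.StatusCode = 403; ctx.ApplicationInstance.CompleteRequest(); }
    }

    // AMF0 envelope: u16 version, u16 header count, headers, u16 body count, bodies.
    // Header: name, must-understand byte, u32 length, value.
    static bool AllTargetsAllowed(Stream s)
    {
        ReadU16(s);                                 // version
        for (int h = ReadU16(s); h > 0; h--) { ReadString(s); ReadU8(s); Skip(s, ReadU32(s)); }
        for (int b = ReadU16(s); b > 0; b--)        // body: target URI, response URI, u32 length, value
        {
            string target = ReadString(s); ReadString(s);
            if (!Allowed.Contains(target)) return false;
            Skip(s, ReadU32(s));
        }
        return s.Position == s.Length;              // unparsed trailing bytes: deny
    }

    static int ReadU8(Stream s) { int v = s.ReadByte(); if (v < 0) throw new EndOfStreamException(); return v; }
    static int ReadU16(Stream s) { return (ReadU8(s) << 8) | ReadU8(s); }
    static long ReadU32(Stream s) { return ((long)ReadU16(s) << 16) + ReadU16(s); }
    // A length of 0xFFFFFFFF ("unknown") exceeds the remaining body, so it is refused as well.
    static void Skip(Stream s, long n) { if (n > s.Length - s.Position) throw new InvalidDataException(); s.Position += n; }
    static string ReadString(Stream s)
    {
        byte[] buf = new byte[ReadU16(s)];
        if (s.Read(buf, 0, buf.Length) != buf.Length) throw new EndOfStreamException();
        return Encoding.UTF8.GetString(buf);
    }
}
```

The module has to run before the gateway handles the request, and it denies anything it cannot parse completely, so a client that marks header or body lengths as unknown is refused rather than guessed at.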

Re: Flash Remoting for .NET Security Whidbey
3/9/2004 9:22:31 AM
I solved the problem with disassembling the FlashGateway.DLL, and inserting a
function call to my own function in InvokeService method which checks an
attribute on a class to see its accessibility, if the attribute does not
exist, it throws an exception and does not allow function calls.

Thanks.