May 07 2003

Flash Remoting through ColdFusion Components

Published by at 3:58 under Wayback Archive

Flash Remoting through ColdFusion Components is actually working with web services. Securing these web services is always an interesting topic to talk about, and people are very inventive in protecting their code in whatever way. Today I found this nice little script in my mailbox, thanks to Samuel Neff for sharing it. I find it interesting enough to share it on this blog:

Here’s the hack we came up with to secure CFCs with access=”remote” to be only called from Flash:

<cfcomponent>
    <cffunction name="isFlashCall" returnType="boolean" access="remote" output="true">
        <!--- fs is only defined when the request came in through the Flash Remoting gateway --->
        <cfset var fs = getPageContext().SymTab_findBuiltinScope("Flash")>
        <cfreturn isDefined("fs")>
    </cffunction>
</cfcomponent>

Disclaimer: It’s not 100% secure, but it’s a nice step. What it does is make sure the CFC was invoked through the Flash Remoting gateway. That way CFCs can have access=”remote” and not be invoked on the URL or via web services. However, the FR gateway is still wide open so someone can create a Flash app locally to run against someone else’s FR gateway to access the CFC.

Make sure that you have read the disclaimer as well! Feel free to use the comments section to share any other tips that you have to protect CFCs used for Flash Remoting from being abused/consumed by ‘unauthorized’ applications.
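
One way to use the check above as a guard inside each remote method, paired with a login check because the gateway itself stays open to any Flash client. This is an added example, not code from Samuel Neff or from the original post; `requireAuthorizedFlashCall`, `getOrders`, the exception type names and the assumption that the application already logs users in with `<cflogin>` are hypothetical.

```cfml
<cfcomponent>

    <!--- Same gateway check as the script above, made private so it is
          only a helper and cannot itself be called remotely. --->
    <cffunction name="isFlashCall" returnType="boolean" access="private" output="false">
        <cfset var fs = getPageContext().SymTab_findBuiltinScope("Flash")>
        <cfreturn isDefined("fs")>
    </cffunction>

    <!--- Hypothetical guard: call it first in every access="remote" method. --->
    <cffunction name="requireAuthorizedFlashCall" returnType="void" access="private" output="false">
        <!--- Step 1: reject invocations on the URL or via web services. --->
        <cfif not isFlashCall()>
            <cfthrow type="Security.NotFlashRemoting"
                     message="This method is only available through Flash Remoting.">
        </cfif>
        <!--- Step 2: the gateway accepts any Flash client, so also require a
              user who has logged in through the application's cflogin block
              (assumed to exist in Application.cfm). --->
        <cfif getAuthUser() eq "">
            <cfthrow type="Security.NotAuthenticated"
                     message="Login required.">
        </cfif>
    </cffunction>

    <!--- Hypothetical remote method showing where the guard goes. --->
    <cffunction name="getOrders" returnType="array" access="remote" output="false">
        <cfset requireAuthorizedFlashCall()>
        <!--- Real work goes here; an empty array keeps the example self-contained. --->
        <cfreturn arrayNew(1)>
    </cffunction>

</cfcomponent>
```

The gateway check only narrows how the method can be reached; the login check is what ties the call to a known user.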

2 Responses to “Flash Remoting through ColdFusion Components”

  1. Martijn says:

    As if you put a “buy a key on every corner lock” on your applications…… No solution yet. I know crossdomain.xml in Flash Player 7.

    Macromedia, speak out to your developer community. We cannot find much (enough) on this issue.