Flex Remoting: channels, destinations and SSL

26 08 2008

If you’re like me, then you’ve gotten well into flash remoting as a solution for Flex Data Messaging. You’re using AMF to allow the creation of remote objects between actionscript on the client and some server language (PHP, Java, .NET, etc).

I’ve been running into troubles with WebORB (v3.5) and setting channels that work.

Essentially, for whatever reason, my compiled app didn’t register the changes in my services-config.xml file that resides in the WEB-INF folder of whatever software you’re using to interface with the server side language. And believe me, I tried it a thousand different ways.

The easiest way to override this faulty behaviour is to set the channels and endpoints inside your flex app when you’re building the remote object.

You can see below a solution in weborb for .NET (hence the weborb.aspx endpoint)



protected static function init(serviceName:String, isSecure:Boolean = false):void

var destination:String;

var remoteObject:RemoteObject = null;

var channelSet:ChannelSet = new ChannelSet();

var channel:Channel;

if (isSecure)
destination = “MySecureDestination”;

channel = new SecureAMFChannel(null,”weborb.aspx”);
destination = “MyDestination”;

channel = new AMFChannel(null,”weborb.aspx”);


remoteObject  = new RemoteObject(destination);

//30s timeout on requests
remoteObject.requestTimeout = 30;

remoteObject.showBusyCursor = true;

remoteObject.source = “My.Name.Space.” + serviceName;

remoteObject.channelSet = channelSet;



And in my remoting-config.xml file:


<destination id=”MyDestination”>

<destination id=”MySecureDestination”>
<channel ref=”my-secure-amf” />


As you first start using the SSL option, you may find you start receiving an error about cross domain security issues between HTTP and HTTPS. The deal is that if you are loading your SWF from HTTP, you require a crossdomain.xml policy file in the root of your website to allow HTTPS access.

From Adobe Flex 3 Help: crossdomain.xml


<allow-access-from domain=”*.mydomain.com” secure=”false”/>


As the Help mentions, you don’t require the crossdomain policy if you’re calling HTTP from a HTTPS loaded swf.



7 responses

27 08 2008
Mark Piller

Sounds like the problem you’re experiencing is caused by a bug in Flex Builder that chooses to cache services-config.xml when you initially set it up. If you make any changes to your channels, make sure to do Project > Clean in Flex Builder to force to reset the config file cache.

27 08 2008
Justin J. Moses


That sounds about right. I couldn’t find out what was caching what, but i was suspect something was going on.

One thing though, I was Exporting a Release Build and deploying on another machine and I was still experiencing the problem. Wouldn’t a Release Build do a clean as part of the process?


27 08 2008
Mark Piller

I would not know for sure, but there’s only one way to find out 🙂 I suspect exporting a release build does not refresh the config files.
Adobe has known about this problem since Flex Builder 2.0. It is strange they still have not fixed it.

2 09 2008

Hi Justin,

I’ve recently started using AMFPHP and Remote Objects in Flex and am a little confused about security.

As you’ve shown above, it’s possible to create the connections programmatically – but wouldn’t this then expose the methods you use to connect to a backend server to anyone who wishes to decompile your swf?

Same with securing channels as my understanding is you’d have to either embed the credentials in the swf or have the user enter them (which can then be shared).

Seems to me like the communcation over https is less useful if people can find out how to talk directy to your server.

Have I missed something?


2 09 2008
Justin J. Moses

Yes, it is better to use the services-config.xml and remoting-config.xml files. The reason I was using the channel actionscript was due to a bug that Mark mentions above where Flex Builder caches those config files.

Regardless, you should not embed credentials, they should be sent by the user on login.

When I code, I ensure that the user has a sessionID after login (created by the server). Every sensitive service I’ve exposed requires the User object, which confirms they are from a valid, open session, that can only be created through a login. The user object is passed through HTTPS so neither it, not the credentials, can be retrieved by a malicious individual.

I’m not sure about AMFPHP, but WebORB (which handles PHP as well) has quite advanced security. Allowing you to manage which services are exposed, which require a logged in user (authenticated), and which require certain user roles (authorization).

WebORB is a fantastic soltuion really, but there are two things to note:
1. It is not open source
2. If you are using their product in an application that is making money, you need to get a support plan, cause the free license won’t cover it.

3 09 2008

Thanks Justin.

I had thought about creating a token/ID and perhaps storing in a local Encrypted Store on first launch. But can’t visualise this being ‘safe’. Best way is to code and test so will do that today.

I’ll take another look at WebORB too.


8 01 2009
Recent Links Tagged With "channels" - JabberTags

[…] public links >> channels Flex Remoting: channels, destinations and SSL Saved by shinoooo on Thu 25-12-2008 Stuff I Like: Sports! (not the album by Huey Lewis) Saved by […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: