Flash Remoting.com
Home Book Examples Blog Resources About

You are using an out-of-date browser so the pages will not display properly. Please update your browser.

Random thoughts on Flash Remoting:

This is where I get to ramble when I feel like it. Kind of like a blog, but it's not a blog. This is a blog. ;-).

98 posts.

1/06 | 9/05 | 8/05 | 7/05 | 10/04 | 8/04 | 7/04 | 6/04 | 4/04 | 3/04 | 2/04 | 1/04 | 12/03 | 11/03 | 10/03 | 9/03 | 8/03 | 7/03 | 6/03 | 5/03 | 4/03 | 3/03 | 1/03 | 12/02 | 11/02

Populating Multiple comboboxes from one remote function

Wednesday, May 21, 2003 7:01:49 PM

There was a question on the Flash Remoting newsgroup yesterday about populating multiple combo boxes from Flash Remoting services. I worked up a quick example that demonstrates using one remote function to handle all the query results. Basically, the CFC contains package methods that create the queries. This way the database functionality is not exposed to the Flash movie at all:

<cffunction name="getEmployees" access="package" returntype="query">
  <!--- getEmployees body --->
  <cfquery name="rsEmployees" datasource="Northwind"
   SELECT EmployeeID, LastName + ', ' + FirstName as EmployeeName FROM Employees
  <cfreturn rsEmployees />

Notice also that the query is cached for 7 days. That prevents calls to the database for frequently accessed queries that don't change very often. Each package method is then called by the remote method getAll() to populate a struct with all the queries:

 <cffunction name="getAll" access="remote" returntype="struct">
  <!--- getAll body --->
   returnObj = StructNew();
   returnObj.Categories = this.getCategories();
   returnObj.Suppliers = this.getSuppliers();
   returnObj.Regions = this.getRegions();
   returnObj.Employees = this.getEmployees();
   return returnObj;

This is the only method that will be called by the Flash movie. Each query is packed into the struct. The Flash movie will have to pull these queries out of the struct to populate the combo boxes in the user interface. This happens in the responder function:

function getAll_Result(result) {
  ComboBoxFill(employees_cb, result.Employees,"--Choose an employee--");
  ComboBoxFill(suppliers_cb, result.Suppliers,"--Choose a supplier--");
  ComboBoxFill(regions_cb, result.Regions,"--Choose a region--");
  ComboBoxFill(categories_cb, result.Categories,"--Choose a category --");

function ComboBoxFill(cbName, rs, zeroElement){
  var fields = rs.getColumnNames();
  // if there is a descriptive text to put in the Combo box
  // put it in the 0 position of the RecordSet
  if(zeroElement != null) {
    var temp = {};
    rs.addItemAt(0, temp);
    rs.setField(0,fields[0], 0);
  var idField = '#' + fields[0] + '#';
  var descField = '#' + fields[1] + '#';
  DataGlue.bindFormatStrings(cbName, rs, descField, idField);

The the generic combo box function uses DataGlue to bind the RecordSets to the combo boxes. Notice also that the added option of "-- Choose a ..." is added to each combo box as well.

The example can be seen here.

Add comment (3)
View comments

Flash Remoting MX: The Definitive Guide available for preorder

Monday, May 19, 2003 5:04:59 PM

Well, the book finally made it to Amazon.com: Flash Remoting MX: The Definitive Guide. If any of you have been wondering when this site will start having some content, it will be soon, now that the book is finished. It's scheduled to start shipping in Summer 2003.

Add comment (2)
View comments

FlashGatekeeper: Flash Remoting Security tool

Friday, May 16, 2003 7:07:59 AM

I received this from Alon Salant yesterday. Many of you may know Alon from the ASTranslator project for Flash Remoting for J2EE. Alon has created a new project which may be a big step towards securing remote services and restricting the services that a Flash client can have access to. It's called FlashGatekeeper. Below is Alon's email:

"Hey all,


I’ve just released FlashGatekeeper, a simple implementation that allows users of Flash Remoting for J2EE and for ColdFusion Enterprise to restrict the services that can be accessed through the Flash Remoting gateway. It uses openAMF to parse the AMF message coming from Flash, inspects the message for the service names being invoked, checks the names against a list in a properties file, returns 403 Forbidden if the name is not in the file and allows the request to continue if so.

From the docs linked above:

Macromedia Flash Remoting is implemented as a servlet that uses introspection to invoke methods on a class in the application server. The class and method are both named by the Flash client. A Flash MX client can invoke any method through the Flash Remoting gateway on any class that has a no argument constructor and can therefore be created by the Flash Remoting gateway servlet using Class.forName("package.ClassName").newInstance( ). It can also invoke any method on any EJB home interface that it can find in JNDI.

This opens up many potential security issues. A malicious user could write a Flash client to access known core Java classes, classes in the application server APIs, or classes in your application. The potential exploits are numerous. A Flash client could access application server classes to manipulate the state of the server or gain access to protected information.
< /snip>

FlashGatekeeper addresses these issues."

I have not tried this yet but it looks extremely promising. Give this a try and post to the comments or get in touch with Alon with any suggestions.

Add comment (0)
View comments

Remoting service tester for Flash

Thursday, May 08, 2003 8:13:16 AM

Today Branden Hall released a cool tool for Flash Remoting that enables you to test your remote services easily through a panel interface. All you have to do is input the URL of the gateway, the service path, and the method call, and the response or error will be shown in the panel. This is great for doing quick tests of remote services without having to write a bunch of ActionScript to do it. The panel is available at Community MX for free.


Community MX also has other free content available:


Add comment (0)
View comments

Code for securing Flash Remoting services against non-Flash clients

Wednesday, May 07, 2003 2:47:56 PM

Many people are concerned about Flash Remoting services being accessible as web services to clients other than Flash movies. For example, a service set up as a Flash Remoting service can be called easily from a browser window:


The reason for this is that you have to specify access="remote" in your <cffunction> tag in order to make the function work with Flash Remoting. This is also the attribute that you use to create a public web service.

Sam Neff posted some code on a list this morning that will make sure that the remote call is coming from a Flash movie, and not from some other service. This was Sam's post and subsequent disclaimers:

"BTW, if anyone's interested, here's the hack we came up with to secure
CFC's with access="remote" to be only called from Flash:

  <cffunction name="isFlashCall" returnType="boolean" access="remote"
    <cfset var fs = getPageContext().SymTab_findBuiltinScope("Flash")>
    <cfreturn isDefined("fs")>

Disclaimer: It's not 100% secure, but it's a nice step. What it does is make sure the CFC was invoked through the Flash Remoting gateway. That way cfc's can have access="remote" and not be invoked on the url or via web services. However, the FR gateway is still wide open so someone can create a flash app locally to run against someone else's FR gateway to access the CFC.

[The code] uses undocumented internal features and may not work in a future version of CFMX."


Add comment (1)
View comments

1-5 | 6-10 | 11-15 | 16-20 | 21-25 | 26-30 | 31-35 | 36-40 | 41-45 | 46-50 | 51-55 | 56-60 | 61-65 | 66-70 | 71-75 | 76-80 | 81-85 | 86-90 | 91-95 | 96-98