Next build of my Flex 2/ColdFusion Security Homework

This post is more than 2 years old.

If you don't know what I'm talking about, check this post. Essentially - I'm trying to wrap my brain around how to best get Flex 2 talking to ColdFusion in a secure manner. My earlier posts showed how to graphically start up with a login screen, require you to login, and then switch to the main view.

Today I've actually hooked up my Flex code to a real CFC. Let's look at how I did that. The first new lines to my Flex code are:

<mx:RemoteObject id="core" destination="ColdFusion" source="demos.flexsec3.core" showBusyCursor="true" >
&lt;mx:method name="authenticate" fault="alertMsg(event.fault.toString())" result="checkAuthResult(event)" /&gt;


This creates an object named "core" that represents my ColdFusion Component. Notice the "source" attribute is the "dot" path, from web root, to the CFC. (More on that later.) I have only one method defined, authenticate, and I've set up both a fault handler and a result handler.

The fault handler simply dumps the error, so lets look at checkAuthResult:

private function checkAuthResult(event):void { var result = event.result; if(result == 'false') {"Authentication failed", "Errors", mx.controls.Alert.OK); } else { mainView.selectedChild = mainStage; } }

My CFC, which I'll show in a second, will return either true or false. I check the contents of this variable, and depending on the result, either show an error or hide the login stage.

Prety simple, right? The CFC doesn't do much yet. It's authenticate method simply has this:

<cfif arguments.username is "admin" and arguments.password is "dharma"> <cfreturn true> <cfelse> <cfreturn false> </cfif>

Since this is only a demo I'm not going to worry about hooking it up to a database.

So - let me review what I've done: I've defined a CFC service in my Flex code named core. (Not a very descriptive name, but...) I defined a method on this CFC and what Flex should do on error and on the result. I then check the result and either tell the user he didn't login correctly or go ahead and show the main application.

My questions/problems are:

  1. It seems like the source attribute must be hard coded. This has always been a pain in the butt for me (well, "always" for the few Flex 2 applications I've built) as it means I have to change it from source to production. Obviously I could have set up things differently, but I wish I could abstract that value out - perhaps into Flash Vars. Is that possible?
  2. I'm not storing the username and password. As I have no idea (yet!) how I'm going to talk securely to the CFC backend, I don't know if I need to. I assume I will - but for now I don't both storing the values.
  3. As I mentioned, the fault handler should be more intelligent. Any application based on back end services like this should have some nice error handling.

If you want to view this demo, please go here:

As before - please feel free to point anything I did wrong.

Raymond Camden's Picture

About Raymond Camden

Raymond is a developer advocate for HERE Technologies. He focuses on JavaScript, serverless and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA