ColdFusion MX: How to pass login credentials to cflogin via Flash Remoting

This TechNote describes how to use Flash Remoting with ColdFusion's built-in authentication mechanism and ColdFusion components. It shows how to use the ActionScript setCredentials method on the Flash side to pass credential information to the cflogin tag on the ColdFusion side. This TechNote assumes you are already familiar with using Flash Remoting to pass data between Flash applications and ColdFusion components. It also assumes you are familiar with application security in ColdFusion MX.

Step 1:
Create a function within your Flash application which will use the setCredentials method to pass a username and password from Flash to a ColdFusion component (CFC). The setCredentials method is a method of the NetConnection object. The use of setCredentials in a Flash application is analogous to using an HTML form with j_username and j_password form fields to pass login information to ColdFusion in a non-Flash application.

For example, if you have an ActionScript function called CallSecureCFC, the following code would pass a userid and password from Flash text boxes to a ColdFusion CFC function called mySecureFunction:

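    function CallSecureCFC() {
        // Clear the output of any previous call
        CFCResponse_txt.text = "";
        CFCError_txt.text = "";
        // Attach the credentials to the gateway connection, then call the CFC
        gatewayConnection.setCredentials(userid_txt.text, pwd_txt.text);
        myCFCService.mySecureFunction();
    }

    // Called when mySecureFunction returns successfully
    function mySecureFunction_Result(result) {
        CFCResponse_txt.text = result;
    }

    // Called when the call fails, for example when access is denied
    function mySecureFunction_Status(error) {
        CFCError_txt.text = error.description;
    }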

This code assumes you have previously established a gatewayConnection from Flash to ColdFusion using the NetServices.createGatewayConnection() method. It also assumes you have created a service object called myCFCService which is bound to your CFC. In this example, I have also created two Flash text boxes, CFCResponse_txt and CFCError_txt, to capture the results of calling the ColdFusion function.

Step 2:
Use the cflogin and cfloginuser tags to authenticate the username and password passed with the setCredentials method and assign one or more roles to the user. For example, the following code, typically included in Application.cfm, would validate a username and password against security information stored in a database table:

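    <CFAPPLICATION NAME="FlashCredentials">
    <CFLOGIN>
      <!--- The cflogin structure exists only when credentials were supplied --->
      <CFIF isDefined("cflogin")>
        <!--- Bind the credentials as parameters instead of building the SQL string --->
        <CFQUERY NAME="qSecurity" DATASOURCE="UserRolesDb">
          SELECT Roles FROM SecurityRoles
          WHERE username = <CFQUERYPARAM VALUE="#cflogin.name#" CFSQLTYPE="CF_SQL_VARCHAR">
          AND password = <CFQUERYPARAM VALUE="#cflogin.password#" CFSQLTYPE="CF_SQL_VARCHAR">
        </CFQUERY>
        <!--- Log the user in only when the name-password pair matched a row --->
        <CFIF qSecurity.recordcount gt 0>
          <CFLOGINUSER NAME="#cflogin.name#"
                       PASSWORD="#cflogin.password#"
                       ROLES="#trim(qSecurity.Roles)#">
        </CFIF>
      </CFIF>
    </CFLOGIN>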

Step 3:
Create a ColdFusion component with a function that uses the "Roles" attribute to limit access to that specific function. Specify a comma-delimited list of roles which will have access to your function.

    <CFCOMPONENT>
      <CFFUNCTION NAME="mySecureFunction"
                  ACCESS="remote"
                  RETURNTYPE="string"
                  ROLES="Dude">
        <CFRETURN "Hi #getAuthUser()# - Welcome aboard!">
      </CFFUNCTION>
    </CFCOMPONENT>

While testing this functionality, it is important to note that the body of the cflogin tag only executes if there is no logged-in user. Therefore, if you try to test intentionally passing a bad password, or changing users, after you have already been successfully authenticated, the cflogin tag will not execute again and ColdFusion will continue to recognize you as the user you logged in as previously. In this scenario, you will have to close the Flash development environment in order to remove your authentication cookie from memory. If you have already published your Flash movie to a .swf file, you will have to close your browser or Flash Player in order to remove the authentication cookie. An alternative is to code a logout function in your CFC which can be called from Flash. This removes the authentication cookie from memory without having to close Flash or your browser. For example:

    <CFFUNCTION NAME="LogMeOut" ACCESS="remote" RETURNTYPE="string">
      <CFSET AuthUser = getAuthUser()>
      <CFLOGOUT>
      <CFRETURN "User #AuthUser# logged out">
    </CFFUNCTION>

It is also important to use conditional logic to run cfloginuser only if a valid user has logged in. This example accomplishes this task with <CFIF qSecurity.recordcount gt 0>. This test works because the query returns a result only if the user supplied a valid name-password pair, and all users have at least one role. If this check were not included, the code would log in an invalid user, who would be assigned an empty role list (Roles = ""). Without this check, a user who made a typo in the password would not have a valid role and would not be able to try to log in again until they logged out. Again, this is because the cflogin tag would not execute while a user is logged in, even though the list of roles is empty.
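
The check described above, extended as an added example that is not code from the original TechNote: this Application.cfm calls cfloginuser only when the lookup matches and writes a log entry for every rejected attempt, so failed logins are visible to an administrator and the user stays logged out for the next try. The log file name FlashCredentialsAuth and the variable safeName are assumptions; the datasource and table names are the ones used in Step 2.

```cfml
<!--- Application.cfm: added example; the log file name and safeName are assumptions --->
<CFAPPLICATION NAME="FlashCredentials">

<CFLOGIN>
  <!--- This body runs only while no user is logged in. The cflogin structure
        exists only when credentials arrived, e.g. through setCredentials. --->
  <CFIF isDefined("cflogin")>
    <!--- Strip control characters so a crafted username cannot forge log lines --->
    <CFSET safeName = REReplace(cflogin.name, "[[:cntrl:]]", "", "all")>

    <CFQUERY NAME="qSecurity" DATASOURCE="UserRolesDb">
      SELECT Roles FROM SecurityRoles
      WHERE username = <CFQUERYPARAM VALUE="#cflogin.name#" CFSQLTYPE="CF_SQL_VARCHAR">
      AND password = <CFQUERYPARAM VALUE="#cflogin.password#" CFSQLTYPE="CF_SQL_VARCHAR">
    </CFQUERY>

    <CFIF qSecurity.recordcount gt 0>
      <!--- Valid name-password pair: establish the login with its roles --->
      <CFLOGINUSER NAME="#cflogin.name#"
                   PASSWORD="#cflogin.password#"
                   ROLES="#trim(qSecurity.Roles)#">
      <CFLOG FILE="FlashCredentialsAuth" TYPE="Information"
             TEXT="Login succeeded for #safeName#">
    <CFELSE>
      <!--- No match: do NOT call cfloginuser. The user stays logged out, so the
            cflogin body runs again on the next request and a retry is possible.
            The password is never written to the log. --->
      <CFLOG FILE="FlashCredentialsAuth" TYPE="Warning"
             TEXT="Login failed for #safeName# from #cgi.remote_addr#">
    </CFIF>
  </CFIF>
</CFLOGIN>
```

A run of Warning entries for one username or one address in this log is the signal to review; the Flash client still receives only the access error from the role-protected function.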

Doc ID
(tn_18684)

Last updated
2005-05-24
