TechNote (Archived)

Configuring the whitelist for Flex applications

This TechNote will describe the purpose of the whitelist, as well as how to configure the whitelist for accessing web services, HTTP services and remote objects.

Flex provides proxy and gateway servlets that intercept requests to web services, HTTP services, and remote objects. To prevent the servlets from being used to stage denial of service (DoS) attacks or to allow unauthorized access to services, Flex uses a whitelist to control access to the server.

The whitelist is a list of URLs that the administrator explicitly gives the proxy servlet access to. Any URL that is not included in the whitelist is not allowed to pass through the proxy servlet. There are three sets of whitelist attributes in the flex-config.xml file: one for web services, one for HTTP services and one for remote objects. If you need access to web services or HTTP services, you must define the URL in the matching whitelist section. For remote objects, you specify Java classes instead of URLs.

Notes:

  • Make sure to place all URL definitions in the appropriate location of the flex-config.xml file. HTTPService, web service and remote objects each have their own autonomous section with unique URL definitions. Placing a URL definition in one section will not affect security restrictions for any other section.

    If you try to access a service or object that the server has not defined (or is defined in the wrong area) you will receive an access error. For instance, if you tried to call an HTTP service that was not defined you would receive the following message:

    "WARN PROXY SECURITY : You are not allowed to access the URL."
  • You should not define different services with the same service name. For example, if you define two services under <http-service-proxy>:

        <service name="myService"><url>http://localhost:8101/samples/lin/get_jrun_root.jsp</url></service>
        <service name="myService"><url>http://localhost:8101/samples/lin/palm.xml</url></service>

    then Flex will point to http://localhost:8101/samples/lin/get_jrun_root.jsp whenever you reference "myService"; it will never point to http://localhost:8101/samples/lin/palm.xml.

The following tables provide several examples for configuring the whitelist sections of the flex-config.xml file:

HTTP Service

Unnamed service

MXML code:

    <!-- Use absolute URL -->
    <mx:HTTPService id="myXML" url="http://localhost:8101/samples/lin/palm.xml" method="get" fault="alert(event.fault.faultstring);" resultFormat="object"/>

    <!-- Use relative URL -->
    <mx:HTTPService id="myprop" url="@ContextRoot()/lin/getSystemProperties.jsp" method="get" showBusyCursor="true" fault="alert(event.fault.faultstring);" resultFormat="text"/>

Definition in flex-config.xml (without authentication):

    <http-service-proxy>
      ...
      <whitelist>
        ...
        <unnamed>
          ...
          <url>http://{localserver}/*</url>
        </unnamed>
      </whitelist>
    </http-service-proxy>

Note: http://{localserver}/* is all ports on the {localserver}. You can open the proxy to a single port by using http://{localserver}:<portnum>/*
Named service

MXML code:

    <mx:HTTPService id="mypath" serviceName="myService" method="get" fault="alert(event.fault.faultstring);" resultFormat="text"/>

Definition in flex-config.xml (without authentication):

    <http-service-proxy>
      ...
      <whitelist>
        ...
        <named>
          ...
          <service name="myService">
            <url>http://localhost:8101/samples/lin/get_jrun_root.jsp</url>
          </service>
        </named>
      </whitelist>
    </http-service-proxy>
RemoteObject

Unnamed service

MXML code:

    <mx:RemoteObject id="VDetector" type="stateless-class" source="VersionDetector"/>

Definition in flex-config.xml (without authentication):

    <remote-objects>
      ...
      <whitelist>
        ...
        <unnamed>
          ...
          <source>*</source>
        </unnamed>
      </whitelist>
    </remote-objects>
Named service

MXML code:

    <mx:RemoteObject id="VDetector" type="stateless-class" named="myService"/>

Definition in flex-config.xml (without authentication):

    <remote-objects>
      ...
      <whitelist>
        ...
        <named>
          ...
          <object name="myService">
            <source>VersionDetector</source>
            <type>stateless-class</type>
            <use-custom-authentication>false</use-custom-authentication>
            <allow-unnamed-access>false</allow-unnamed-access>
          </object>
        </named>
      </whitelist>
    </remote-objects>
Web Services

Unnamed service

MXML code:

    <mx:WebService id="foo" wsdl="http://somewhere.com/my.wsdl" service="myService" port="name"/>

Definition in flex-config.xml (without authentication):

    <web-service-proxy>
      ...
      <whitelist>
        ...
        <unnamed>
          ...
          <url>http://somewhere.com/services/*</url>
        </unnamed>
      </whitelist>
    </web-service-proxy>
Named service

MXML code:

    <mx:WebService id="foo" serviceName="myService"/>

Definition in flex-config.xml (without authentication):

    <web-service-proxy>
      ...
      <whitelist>
        ...
        <named>
          ...
          <service name="myService">
            <wsdl>http://somewhere.com/webservice.wsdl</wsdl>
            <endpoint>http://somewhere.com/myservice</endpoint>
          </service>
        </named>
      </whitelist>
    </web-service-proxy>
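As an added check that is not part of the original TechNote, the following Python script parses a constructed flex-config.xml fragment and reports the misconfigurations this note warns about: an unnamed URL pattern without a port (all ports on that host are opened), a wildcard <source>*</source> in the remote-objects section, and a named service defined twice (only the first definition is ever used). The prefix-style handling of a trailing * in url_matches is an assumption about how the proxy interprets the pattern, and {localserver} is kept as a literal token in the sample.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed flex-config.xml fragment for the audit below (a sample, not a deployed file).
SAMPLE_CONFIG = """<flex-config>
  <http-service-proxy><whitelist>
    <unnamed><url>http://localhost:8101/samples/*</url><url>http://{localserver}/*</url></unnamed>
    <named>
      <service name="myService"><url>http://localhost:8101/samples/lin/get_jrun_root.jsp</url></service>
      <service name="myService"><url>http://localhost:8101/samples/lin/palm.xml</url></service>
    </named>
  </whitelist></http-service-proxy>
  <remote-objects><whitelist><unnamed><source>*</source></unnamed></whitelist></remote-objects>
</flex-config>"""

def url_matches(pattern, url):
    """Assumed matching rule: a trailing '*' matches any suffix, otherwise the URL must be exact."""
    return url.startswith(pattern[:-1]) if pattern.endswith("*") else url == pattern

def unnamed_http_allowed(xml_text, url):
    """Would the HTTP proxy pass an unnamed request for `url` under this whitelist?"""
    patterns = ET.fromstring(xml_text).findall("./http-service-proxy/whitelist/unnamed/url")
    return any(url_matches(p.text.strip(), url) for p in patterns)

def effective_named_http(xml_text):
    """(name -> URL the proxy will use, shadowed duplicates): first definition wins, later ones are dead."""
    effective, shadowed = {}, []
    for svc in ET.fromstring(xml_text).findall("./http-service-proxy/whitelist/named/service"):
        name, url = svc.get("name"), svc.findtext("url", "").strip()
        if name in effective:
            shadowed.append((name, url))
        else:
            effective[name] = url
    return effective, shadowed

def audit(xml_text):
    root, findings = ET.fromstring(xml_text), []
    for p in root.findall("./http-service-proxy/whitelist/unnamed/url"):
        if urlsplit(p.text.strip()).port is None:   # no explicit port means every port on that host
            findings.append(f"unnamed URL {p.text.strip()} opens all ports on its host")
    for s in root.findall("./remote-objects/whitelist/unnamed/source"):
        if s.text.strip() == "*":
            findings.append("remote-objects unnamed <source>*</source> exposes every class")
    for name, url in effective_named_http(xml_text)[1]:
        findings.append(f"named service '{name}' defined twice; {url} is shadowed")
    return findings
```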


Creative Commons License

Document Details

ID: tn_19251

Products Affected:

flex