Comments on: Securing AMFPHP 1.9 via Authentication

By: Omid

Omid — Wed, 11 Jun 2008 19:39:22 +0000

Very useful
TNX

By: The Flash Blog » AMFPHP Security Basics

The Flash Blog » AMFPHP Security Basics — Wed, 06 Aug 2008 03:53:07 +0000

[…] thrown. It is inside this function that you can do some type of authentication. Joshua Ostrom has a nice blog post that goes into more details on […]

By: Seguran�a Flash + PHP + AMFPHP | Webcore Blog

Seguran�a Flash + PHP + AMFPHP | Webcore Blog — Thu, 14 Aug 2008 23:31:07 +0000

[…] b�sicas; Tutorial de integra��o em v�deo; Autentica��o; as3corelib - biblioteca com classes […]

By: Ben Throop

Ben Throop — Wed, 03 Sep 2008 22:05:32 +0000

Good post. Do you know if it’s possible to return different values when beforeFilter fails? I want one failing state to return a message that says “This happened” and the other failing state to return a message that says “That happened”. The problem is that AMFPHP is the one sending the fault and it always comes back as:

faultCode String AMFPHP_AUTHENTICATE_ERROR
faultDetail String /amfphp/core/shared/app/BasicActions.php on line 121
faultString String Method access blocked by beforeFilter in PublisherService class

Any ideas?

By: Joshua

Joshua — Mon, 08 Sep 2008 12:22:49 +0000

Ben,
Take a look at line 120 of AMFPHP’s core/shared/app/BasicActions.php. Here’s the code

if ($allow === ‘__amfphp_error’ || $allow === false) {
$ex = new MessageException(E_USER_ERROR, “Method access blocked by beforeFilter in ” . $className . ” class”, __FILE__, __LINE__, “AMFPHP_AUTHENTICATE_ERROR”);
MessageException::throwException($amfbody, $ex);
return false;
}

You could do something along the lines of

if ($allow !== true)
{

if($allow === ‘__amfphp_error’ || $allow === false)
$ex = new MessageException(E_USER_ERROR, “Method access blocked by beforeFilter in ” . $className . ” class”, __FILE__, __LINE__, “AMFPHP_AUTHENTICATE_ERROR”);
else
$ex = new MessageException(E_USER_ERROR, $allow . ” ” . $className . ” class”, __FILE__, __LINE__, “AMFPHP_AUTHENTICATE_ERROR”);

MessageException::throwException($amfbody, $ex);
return false;
}

Where you return the error string (instead of false) from your before filter. If you *do* return false from your before filter, the legacy AMFPHP error is thrown.

Hope that helps!!

By: cooljackd

cooljackd — Sat, 13 Sep 2008 02:59:56 +0000

hi how would you call the service from flash to validate the Authentication.

By: Joshua

Joshua — Fri, 19 Sep 2008 03:43:49 +0000

cooljack

Make a call to a php script that validates the login credentials. If successful you could call

Authenticate::login($usrer,$roles);

and to destroy the session (logout)

Authenticate::logout();

Let me know if you need further assistance.

By: steve

steve — Sun, 09 Nov 2008 03:47:45 +0000

what about the json.php file? How do you secure that? So someone can’t run www.mysite/json.php/PHPclass.function/var1/var2/var3 ???

By: kevin

kevin — Thu, 15 Jan 2009 07:01:26 +0000

Hi,

I’m having a bit of trouble understanding how to implement this and was hoping you could point me in the right direction..

I defined a class as follows but when I call the getData method from Flex, it returns fine without any authentication occuring:

memberName) ? Authenticate::isUserInRole($this->$memberName) : true;
}

var $SecuredClassRoles = “admin”;
var $GetDataRoles = “admin”;

public function SecuredClass() {

}

public function GetData() {

return “You Got In”;

}

Also, I noticed you posted on Wade’s site asking whether this is the ‘best’ way to implement auth - did he give you an answer or have you an updated opinion?

cheers!