Solved

Flex Application Calling Web Services (Behind the Firewall)

Posted on 2009-05-20
Last Modified: 2012-05-07
Hello all,

I'm a newbie to Flex and am struggling to wrap my arms around security in general, but most of all am trying to understand any limitations I may be facing...

I would like to deploy a Flex application to our corporate DMZ, and would like that application to interact with web services that are protected behind our firewall (can't be accessed from the net, directly).  I am familiar with the crossdomain.xml file required to talk across domains, within Flex, but am not sure if this will enable communication inside the firewall???  

I'm assuming that there is a way to do this, as Flex applications can talk to a database, which I assume are mostly behind corporate firewalls.  I'm working with our network folks now to try and get a proof-of-concept deployed to our DMZ, but thought I would reach out to the experts!

Is what I'm trying to do pretty straight-forward?  Are there best practices for accomplishing what I'm trying to achieve?  

I also have to prepare a justification for deploying Flex in our current environment, and have to speak to how a Flex deployment won't enable a hacker to access systems/data behind our firewall, once the application is deployed and talking to web services inside our network.  Any information that can be shared to put our security folks at ease would be greatly appreciated!

Thanks in advance for any information!

Best Regards,
Todd Peterson
Question by:ToddBPeterson
8 Comments
 
LVL 19

Expert Comment

by:Jones911
ID: 24433889
If you need to access internal webservices you could allow the IP address of only the front (web accessible) machine to get through the firewall.  Unless you allow access from the webserver to the internal server providing the web service it won't work.  This way you should be protected as only the webserver has direct access to the web services.  And all requests from the Flex client are relayed via the webserver.
0
 

Author Comment

by:ToddBPeterson
ID: 24436125
Thanks so much for the response!  I suspected that I might have to allow the web server's IP access to the WS, internally.  I also suspect I'm going to have a tough sell with our network folks to allow that to happen, but if that's my only alternative...

So, it is the web server that would be relaying requests to the web services, on behalf of the Flex client?  I'm struggling with understanding how/what really happens "server side", vs. what and how much gets downloaded to the client.  If everything was downloaded to the client, there would be no way of accessing internal web services from the .swf.  Therefore, it is apparent that there is some server side presence...  Is there any documentation folks have found to be useful in understanding this better?  I have looked at some of the Adobe Live Docs, and have googled to some extent...  I'm hoping someone has some suggestions on good reference material that will explain this, as well as help me address any security concerns with our security folks.

Thanks again, and Best Regards,
Todd
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24436431
Well if you need to access data from the webservice then this is what is called from the client.  You could set up a proxy on the webserver to relay the ws requests.

But yes if you were able to get all the data embedded into the swf then there would be no need to go back to the server but this might be unrealistic in your case it really depends on the needs.

Let's take a simple example.  An RSS reader in a Flex application

Client requests the Flex app from your server, server sends back the swf, swf is now in your browser and requests data from the rss feed (some other server).


Server ---------------->  Client <---------------- Some other server with ( RSS or WS)
0

Author Comment

by:ToddBPeterson
ID: 24443430
Thanks again!  I sincerely appreciate the feedback!

I'm still struggling with this, and I'm sure it's just me!  ;-)

The notion of the app getting entirely downloaded to the client (swf) is a new paradigm for me.  I get it, but I don't understand the architecture of how one might go about getting data from the server, on an as-needed basis.  With the application being resident on the client, how does a typical application make a call back to the server (which hosted the swf), in order to talk to other backend services?

The model I'm working with looks more like this...

   Internet               Corporate DMZ                      Corporate Network
                       |                    |                |
Client<---------|------>WebServer<--------------|------>Web Service<----|---->Database
       |                      |                |
                   DMZ                       internal firewall                   internal firewall


If you take, for instance, the classic Scott-Tiger scenario, with the above model in mind, what would the architecture look like for the following scenario?
    1. SWF delivered to the client has a dropdown list of all departments in the company
    2. User selects a specific department and hits submit...  (here's where I start to lose understanding
    of the architecture)
    3. Submission should call the web server, which in turn invokes a getEmployees() web service call
    on an internal web service
    4. getEmployees() web service executes a query on the database and returns the results back to the
    consumer (web server)
    5. Web server delivers the content back to the client (not sure how this works in the Flex/SWF
    framework?)

A basic constraint is that the web service is not exposed to the internet...  It can only be accessed by the web server (which may require IP filtering as earlier suggested).  An assumption is that I would not load all departments and all employees on the client.  I would want to go get the data I needed, as the client interacted with the interface.

Obviously, my first question is how/what goes into this basic architecture?  I already deploy standard web applications today, that participate in this type of framework, where the web server hosts Java and/or .Net applications, that can make web service calls into the network (one caveat is that there is an application server inside the corporate network, which prevents the web server from needing to have ports opened up to talk to the web services).  I'm just unclear how it would be architected in the Flex framework, where the application ultimately resides on the client, once the SWF is downloaded.

My second question is, assuming, with some education, this framework is doable and standard.  I need to understand (so I can communicate) how the solution is secure, as opening ports from the DMZ to the internal network is not often authorized.

Again...  Thanks so much for any and all thoughts and feedback!

Best Regards,
Todd
0
 

Author Comment

by:ToddBPeterson
ID: 24443447
My apologies!  The lines in my model didn't come out as I had hoped, in the final submitted comment...  Hopefully the separation of infrastructure components is clear?

Best Regards,
Todd
0
 
LVL 19

Accepted Solution

by:
Jones911 earned 500 total points
ID: 24444132
With the application being resident on the client, how does a typical application make a call back to the server (which hosted the swf), in order to talk to other backend services?

I use ColdFusion and remoting calls from the browser back to my webserver.  From the webserver if I need to get anything internal I use webservices.  Most of the time I don't need to do this as I have the database on a separate non web accessible box and all my data can be accessed from the CF application server.

Basically your outline is what I would expect the setup to look like.
0
 

Author Comment

by:ToddBPeterson
ID: 24451280
I'm tracking now!  "Remoting" was the piece I was missing!

Thanks so much for the help!  I'm off to learn some more!

Best Regards,
Todd
0
 

Author Closing Comment

by:ToddBPeterson
ID: 31584391
"Remoting" was the missing link for me.  When googling for solutions on "Flex", "Database Access", "Web Services", "Security", etc...  the list of threads typically hovered around topics like cross-domain techniques.  Cross domain access is initiated by the browser, since the SWF is loaded to the client's browser, which wouldn't work in my architecture, where the source of data provision was an internal facing web service.  The browser would never be able to access that web service.  Using remoting, though, I can have the client/browser interacting with a web application (internet facing), and have that web application make calls to the internal web services, since that web application would reside in our corporate DMZ.

Now I just need to go write some code and see if I can get a working POC!
0
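The relay arrangement this thread settles on, as an added example that is not code from any of the posters: a Python sketch of the DMZ web application accepting a request from the Flex client and deciding what, if anything, it will forward to the internal web service. The endpoint URL, the JSON request shape (standing in for a remoting payload), the allowlist and the sample staff data are all assumptions made for illustration.

```python
import json
import re

# Assumed internal endpoint: fixed on the server, never taken from the client.
INTERNAL_WS_URL = "http://ws.internal.example:8080/hr"

# Allowlist (assumed): operation name -> {parameter name: pattern it must match}
ALLOWED_OPERATIONS = {
    "getEmployees": {"department": re.compile(r"[A-Z]{2,10}")},
}

class RelayError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def build_internal_call(client_request):
    """Validate a client request; return the only call the relay will make."""
    op = client_request.get("operation")
    spec = ALLOWED_OPERATIONS.get(op) if isinstance(op, str) else None
    if spec is None:
        raise RelayError(403, "operation not allowed")
    params = client_request.get("params")
    if not isinstance(params, dict) or set(params) != set(spec):
        raise RelayError(400, "unexpected or missing parameters")
    for name, pattern in spec.items():
        value = params[name]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise RelayError(400, "invalid value for " + name)
    return {"url": INTERNAL_WS_URL, "operation": op, "params": params}

def handle(raw_body, call_internal):
    """Relay entry point; call_internal makes the DMZ-to-internal request."""
    try:
        request = json.loads(raw_body)
        if not isinstance(request, dict):
            raise RelayError(400, "body must be a JSON object")
        return 200, json.dumps(call_internal(build_internal_call(request)))
    except RelayError as err:
        return err.status, json.dumps({"error": str(err)})
    except ValueError:
        return 400, json.dumps({"error": "malformed JSON"})

def fake_internal_ws(call):
    """Constructed stand-in for the internal web service (sample data)."""
    staff = {"SALES": ["ALLEN", "WARD"], "RESEARCH": ["SCOTT", "FORD"]}
    return {"employees": staff.get(call["params"]["department"], [])}
```

Because the client can name only an allowlisted operation and never a destination, the firewall rule from the first reply (only the web server's IP may reach the web service) does not turn the DMZ host into a general-purpose proxy into the internal network.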
