Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Flex Application Calling Web Services (Behind the Firewall)

Posted on 2009-05-20
Medium Priority
Last Modified: 2012-05-07
Hello all,

I'm a newbie to Flex and am struggling to wrap my arms around security in general, but most of all am trying to understand any limitations I may be facing...

I would like to deploy a Flex application to our corporate DMZ, and would like that application to interact with web services that are protected behind our firewall (can't be accessed from the net, directly).  I am familiar with the crossdomain.xml file required to talk across domains, within Flex, but am not sure if this will enable communication inside the firewall???  

I'm assuming that there is a way to do this, as Flex applications can talk to a database, which I assume are mostly behind corporate firewalls.  I'm working with our network folks now to try and get a proof-of-concept deployed to our DMZ, but thought I would reach out to the experts!

Is what I'm trying to do pretty straight-forward?  Are there best practices for accomplishing what I'm trying to achieve?  

I also have to prepare a justification for deploying Flex in our current environment, and have to speak to how a Flex deployment won't enable a hacker to access systems/data behind our firewall, once the application is deployed and talking to web services inside our network.  Any information that can be shared to put our security folks at ease would be greatly appreciated!

Thanks in advance for any information!

Best Regards,
Todd Peterson
Question by:ToddBPeterson
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 19

Expert Comment

ID: 24433889
If you need to access internal webservices you could allow the IP address of only the Front ( web accessible ) machine to get through the firewall.  Inless you allow access from the webserver to the internal server providing the web service it wont work.  This way you should be protected as only the webserver has direct access to the web services.  And all requests from the flex client are relayed via the webserver.

Author Comment

ID: 24436125
Thanks so much for the response!  I suspected that I might have to allow the web servers IP access to the WS, internally.  I also suspect I'm going to have a tough sell with our network folks to allow that to happen, but if that's my only alternative...

So, it is the web server that would be relaying requests to the web services, on behalf of the Flex client?  I'm struggling with understanding how/what really happens "server side", vs. what and how much gets downloaded to the client.  If everything was downloaded to the client, there would be no way of accessing internal web services from the .swf.  Therefore, it is apparent that there is some server side presence...  Is there any documentation folks have found to be useful in understanding this better?  I have looked at some of the Adobe Live Docs, and have googled to some extent...  I'm hoping someone has some suggestions on good reference material that will explain this, as well as help me address any security concerns with our security folks.

Thanks again, and Best Regards,
LVL 19

Expert Comment

ID: 24436431
Well if you need to access dat from the webservice then this is what is called from the client.  You could set up a proxy on the webserver to relay the ws requests.

But yes if you were able to get all the data embeded into the swf then there woudl be no need to go back to the server but this might be unrealistic in your case it really depends on the needs.

Let take a simple example.  An RSS reader in a flex application

Client requests the felx app from your server, server sends back the swf, swf is now in your browser and requests data from the rss feed ( some other server ).

Server ---------------->  Client <---------------- Some other server with ( RSS or WS)
Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control


Author Comment

ID: 24443430
Thanks again!  I sincerely appreciate the feedback!

I'm still struggling with this, and I'm sure it's just me!  ;-)

The notion of the app getting entirely downloaded to the client (swf) is a new paradigm for me.  I get it, but I don't understand the architecture of how one might go about getting data from the server, on an as-needed basis.  With the the application being resident on the client, how does a typical application make a call back to the server (which hosted the swf), in order to talk to other backend services?

The model I'm working with looks more like this...

   Internet               Corporate DMZ                      Corporate Network
                       |                    |                |
Client<---------|------>WebServer<--------------|------>Web Service<----|---->Database
       |                      |                |
                   DMZ                       internal firewall                   internal firewall

If you take, for instance, the classic Scott-Tiger scenario, with the above model in mind, what would the architecture look like for the following scenario?
    1. SWF delivered to the client has a dropdown list of all departments in the company
    2. User selects a specific department and hits submit...  (here's where I start to lose understanding
    of the architecture)
    3. Submission should call the web server, which in turn invokes a getEmployees() web service call
    on an internal web service
    4. getEmployees() web service executes a query on the database and returns the results back to the
    consumer (web server)
    5. Web server delivers the content back to the client (not sure how this works in the Flex/SWF

A basic constraint is that the web service is not exposed to the internet...  It can only be accessed by the web server (which may require IP filtering as earlier suggested).  An assumption is that I would not load all departments and all employees on the client.  I would want to go get the data I needed, as the client interacted with the interface.

Obviously, my first question is how/what goes into this basic architecture?  I already deploy standard web applications today, that participate in this type of framework, where the web server hosts Java and/or .Net applications, that can make web service calls into the network (one caveat is that there is an application server inside the corporate network, which prevents the web server from needing to have ports opened up to talk to the web services).  I'm just unclear how it would be architected in the Flex framework, where the application ultimately resides on the client, once the SWF is downloaded.

My second question is, assuming, with some education, this framework is doable and standard.  I need to understand (so I can communicate) how the solution is secure, as opening ports from the DMZ to the internal network is not often authorized.

Again...  Thanks so much for any and all thoughts and feedback!

Best Regards,

Author Comment

ID: 24443447
My apologies!  The lines in my model didn't come out as I had hoped, in the final submitted comment...  Hopefully the separation of infrastucture components is clear?

Best Regards,
LVL 19

Accepted Solution

Jones911 earned 2000 total points
ID: 24444132
With the the application being resident on the client, how does a typical application make a call back to the server (which hosted the swf), in order to talk to other backend services?

I use Coldfusion and remoting calls from the browser back to my webserver.  From the webserver if I need to get anything internal I use webservices.  Most of the time I dotn need to do this as I have the database on a seperate non web accessable box and all my data can be access from the CF application server.

Basicalyy your outline is what I woudl expect the setup to look like.

Author Comment

ID: 24451280
I'm tracking now!  "Remoting" was the piece I was missing!

Thanks so much for the help!  I'm off to learn some more!

Best Regards,

Author Closing Comment

ID: 31584391
"Remoting" was the missing link for me.  When googling for solutions on "Flex", "Database Access", "Web Services", "Security", etc...  the list of threads typically hovered around topics like cross-domain techniques.  Cross domain access is initiated by the browser, since the SWF is loaded to the clients browser, which wouldn't work in my architecture, where the source of data provision was an internal facing web service.  The browser would never be able to access that web service.  Using remoting, though, I can have the client/browser interacting with a web application (internet facing), and have that web application make calls to the internal web services, since that web application would reside in our corporate DMZ.

Now I just need to go write some code and see if I can get a working POC!

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

First things first - Preparation We need all the part for this install and it's much nicer to have them all on hand when you need them so here's what's required. Download Eclipse 3.5 32 bit (I like the Classic flavour) from here. (http://www.e…
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question