Solved

Flex Application Calling Web Services (Behind the Firewall)

Posted on 2009-05-20
473 Views
Last Modified: 2012-05-07
Hello all,

I'm a newbie to Flex and am struggling to wrap my arms around security in general, but most of all am trying to understand any limitations I may be facing...

I would like to deploy a Flex application to our corporate DMZ, and would like that application to interact with web services that are protected behind our firewall (can't be accessed from the net, directly).  I am familiar with the crossdomain.xml file required to talk across domains, within Flex, but am not sure if this will enable communication inside the firewall???  

I'm assuming that there is a way to do this, as Flex applications can talk to a database, which I assume are mostly behind corporate firewalls.  I'm working with our network folks now to try and get a proof-of-concept deployed to our DMZ, but thought I would reach out to the experts!

Is what I'm trying to do pretty straight-forward?  Are there best practices for accomplishing what I'm trying to achieve?  

I also have to prepare a justification for deploying Flex in our current environment, and have to speak to how a Flex deployment won't enable a hacker to access systems/data behind our firewall, once the application is deployed and talking to web services inside our network.  Any information that can be shared to put our security folks at ease would be greatly appreciated!

Thanks in advance for any information!

Best Regards,
Todd Peterson
0
Question by:ToddBPeterson
8 Comments
 
LVL 19

Expert Comment

by:Jones911
ID: 24433889
If you need to access internal webservices you could allow the IP address of only the front (web accessible) machine to get through the firewall.  Unless you allow access from the webserver to the internal server providing the web service it won't work.  This way you should be protected as only the webserver has direct access to the web services.  And all requests from the flex client are relayed via the webserver.
0
 

Author Comment

by:ToddBPeterson
ID: 24436125
Thanks so much for the response!  I suspected that I might have to allow the web server's IP access to the WS, internally.  I also suspect I'm going to have a tough sell with our network folks to allow that to happen, but if that's my only alternative...

So, it is the web server that would be relaying requests to the web services, on behalf of the Flex client?  I'm struggling with understanding how/what really happens "server side", vs. what and how much gets downloaded to the client.  If everything was downloaded to the client, there would be no way of accessing internal web services from the .swf.  Therefore, it is apparent that there is some server side presence...  Is there any documentation folks have found to be useful in understanding this better?  I have looked at some of the Adobe Live Docs, and have googled to some extent...  I'm hoping someone has some suggestions on good reference material that will explain this, as well as help me address any security concerns with our security folks.

Thanks again, and Best Regards,
Todd
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24436431
Well if you need to access data from the webservice then this is what is called from the client.  You could set up a proxy on the webserver to relay the ws requests.

But yes, if you were able to get all the data embedded into the swf then there would be no need to go back to the server, but this might be unrealistic in your case; it really depends on the needs.

Let's take a simple example.  An RSS reader in a flex application

Client requests the flex app from your server, server sends back the swf, swf is now in your browser and requests data from the rss feed (some other server).


Server ---------------->  Client <---------------- Some other server with ( RSS or WS)
0
 

Author Comment

by:ToddBPeterson
ID: 24443430
Thanks again!  I sincerely appreciate the feedback!

I'm still struggling with this, and I'm sure it's just me!  ;-)

The notion of the app getting entirely downloaded to the client (swf) is a new paradigm for me.  I get it, but I don't understand the architecture of how one might go about getting data from the server, on an as-needed basis.  With the application being resident on the client, how does a typical application make a call back to the server (which hosted the swf), in order to talk to other backend services?

The model I'm working with looks more like this...

   Internet        |       Corporate DMZ        |           Corporate Network
                   |                            |                       |
   Client <--------|------> WebServer <---------|------> Web Service <--|--> Database
                   |                            |                       |
              DMZ firewall             internal firewall         internal firewall


If you take, for instance, the classic Scott-Tiger scenario, with the above model in mind, what would the architecture look like for the following scenario?
    1. SWF delivered to the client has a dropdown list of all departments in the company
    2. User selects a specific department and hits submit...  (here's where I start to lose understanding of the architecture)
    3. Submission should call the web server, which in turn invokes a getEmployees() web service call on an internal web service
    4. getEmployees() web service executes a query on the database and returns the results back to the consumer (web server)
    5. Web server delivers the content back to the client (not sure how this works in the Flex/SWF framework?)

A basic constraint is that the web service is not exposed to the internet...  It can only be accessed by the web server (which may require IP filtering as earlier suggested).  An assumption is that I would not load all departments and all employees on the client.  I would want to go get the data I needed, as the client interacted with the interface.

Obviously, my first question is how/what goes into this basic architecture?  I already deploy standard web applications today, that participate in this type of framework, where the web server hosts Java and/or .Net applications, that can make web service calls into the network (one caveat is that there is an application server inside the corporate network, which prevents the web server from needing to have ports opened up to talk to the web services).  I'm just unclear how it would be architected in the Flex framework, where the application ultimately resides on the client, once the SWF is downloaded.

My second question is, assuming, with some education, this framework is doable and standard.  I need to understand (so I can communicate) how the solution is secure, as opening ports from the DMZ to the internal network is not often authorized.

Again...  Thanks so much for any and all thoughts and feedback!

Best Regards,
Todd
0
 

Author Comment

by:ToddBPeterson
ID: 24443447
My apologies!  The lines in my model didn't come out as I had hoped, in the final submitted comment...  Hopefully the separation of infrastructure components is clear?

Best Regards,
Todd
0
 
LVL 19

Accepted Solution

by:
Jones911 earned 500 total points
ID: 24444132
With the the application being resident on the client, how does a typical application make a call back to the server (which hosted the swf), in order to talk to other backend services?

I use Coldfusion and remoting calls from the browser back to my webserver.  From the webserver, if I need to get anything internal I use webservices.  Most of the time I don't need to do this as I have the database on a separate non web accessible box and all my data can be accessed from the CF application server.

Basically your outline is what I would expect the setup to look like.
0
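The relay described in the accepted answer and in the five-step getEmployees() scenario above, as an added example that is not code from this thread: the SWF only ever calls the DMZ web server, and the web server calls a fixed, allow-listed set of internal operations with validated parameters, so the relay cannot be turned into a generic proxy into the corporate network. The operation names, the parameter rule and the internal call `internal_get_employees` (a stub with constructed Scott/Tiger-style data) are assumptions of this example.

```python
"""DMZ relay for a Flex client (added example, not from the original thread).

The browser/SWF talks only to this relay; the relay talks to the internal
web service. A 'forward whatever URL the client sends' endpoint would be an
open proxy into the internal network, so operations and their parameters are
allow-listed and validated here before anything is relayed.
"""
import json
import re

# Operations the client may invoke and the shape each parameter must have.
# Names and rules are assumptions for this example.
ALLOWED_OPERATIONS = {
    "getEmployees": {"params": {"department": re.compile(r"^\d{1,4}$")}},
}

# Constructed stand-in for the internal getEmployees() web service.
_CONSTRUCTED_EMPLOYEES = {
    "10": [{"empno": 7782, "ename": "CLARK"}, {"empno": 7839, "ename": "KING"}],
    "20": [{"empno": 7369, "ename": "SMITH"}],
}


def internal_get_employees(department):
    """Hypothetical internal web-service call; returns constructed rows."""
    return _CONSTRUCTED_EMPLOYEES.get(department, [])


INTERNAL_CALLS = {"getEmployees": internal_get_employees}


def relay(request_json, calls=INTERNAL_CALLS):
    """Handle one request from the SWF; returns (http_status, response_dict)."""
    try:
        req = json.loads(request_json)
    except ValueError:
        return 400, {"error": "malformed request"}
    op = req.get("operation")
    spec = ALLOWED_OPERATIONS.get(op)
    if spec is None:
        # Unknown operation: refuse rather than forward to the internal service.
        return 403, {"error": "operation not permitted"}
    params = req.get("params", {})
    # Exactly the declared parameters, no extras, each matching its pattern.
    if not isinstance(params, dict) or set(params) != set(spec["params"]):
        return 400, {"error": "unexpected or missing parameters"}
    for name, pattern in spec["params"].items():
        if not isinstance(params[name], str) or not pattern.match(params[name]):
            return 400, {"error": "invalid value for " + name}
    # Only now does the DMZ host cross the internal firewall, on the client's behalf.
    return 200, {"result": calls[op](**params)}
```

The SWF never learns the internal service's address; it sees only the relay's operation names and the JSON it returns.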
 

Author Comment

by:ToddBPeterson
ID: 24451280
I'm tracking now!  "Remoting" was the piece I was missing!

Thanks so much for the help!  I'm off to learn some more!

Best Regards,
Todd
0
 

Author Closing Comment

by:ToddBPeterson
ID: 31584391
"Remoting" was the missing link for me.  When googling for solutions on "Flex", "Database Access", "Web Services", "Security", etc., the list of threads typically hovered around topics like cross-domain techniques.  Cross domain access is initiated by the browser, since the SWF is loaded to the client's browser, which wouldn't work in my architecture, where the source of data provision was an internal facing web service.  The browser would never be able to access that web service.  Using remoting, though, I can have the client/browser interacting with a web application (internet facing), and have that web application make calls to the internal web services, since that web application would reside in our corporate DMZ.

Now I just need to go write some code and see if I can get a working POC!
0