Geek Answers Handbook

Authorized Flash client client to connect to Java server

I am creating a flash-based Facebook game with a Java backend, and I plan to use the RESTful approach to connect two of them (rather than a permanent socket connection). I use the AS3 library to connect the client to Facebook, so where I have the session information. However, how do I allow client connections back to the server? I cannot leave the callback URLs open, as this will allow people to manipulate the game state without playing the game. I need to make sure that calls come from a valid client and through a valid session.

At the moment, users do not have direct access to the server server - all this is processed through the client interface. Can I transfer the Facebook OAuth2 access token to the backend so that the backend can verify its authenticity? Should it be enough to trust the right interface?

I could fulfill a two-way signed OAuth request or just use a simple shared secret, but the keys should be packed using a flash client, which makes it almost useless for this use case.

Someone has to solve this problem, but I can not find it.

+7
source share
2 answers

If you use Java as a backend, I would consider using BlazeDS . This is a great library for working with AMF connections (which are asynchronous, so that they meet your incompatible socket requirements). If you use Spring on the server at all, I highly recommend using Spring-Flex . This adds a bunch of goodies that make it easy to provide AMF services. In addition, it adds hooks to provide β€œeasy” Spring Security integration.

For the oAuth stuff, I would move the oAuth part to the web page instead of the flash client (which, I think, I understand this is what you are doing now). This way you can authenticate the server side web session and secure the page containing .swf. Then, when your user loads .swf into your code (assuming you use Spring security integrated into BlazeDS), you can call cs.authenticated on your cs: mx.messaging.ChannelSet. This will work, but may be more than you want.

0
source

We had a similar problem in one of our projects. As a result, we used the following token transfer method:

1) A fresh client connects to the server and receives a token valid for x time.

2) The client has an intricate part of the code that uses the algorithm to change the token (and this algorithm changes with some frequency in synchronization with the server). The client uses the algorithm to change the token and includes it in the next request to the server.

3) The server knows the source token and algorithm, so now it can check whether the new token is valid from the actual client as well.

4) The cycle continues.

This is not 100% safe, since someone can really spend time and analyze communication and, in the end, understand the template, but you can play so much with the algorithm and change it often enough to make anyone guess about it.

Hope this helps.

PS The application I'm talking about uses this, has been working for the past 5 years and receives ~ 300 thousand unique users per day, and no one has yet broken.

0
source

More articles:


All Articles