You can use the RPC service classes (RemoteObject, HTTPService, and WebService) not only to control access to the data that goes into an MXML page, but also to control the data and actions that flow out of it. You can also use service authentication to allow only certain users to perform certain actions. For example, if you have an application that allows employee data to be modified through a RemoteObject call, use RemoteObject authentication to make sure that only managers can change the employee data.
A service-based architecture makes it easy to implement several different security models for your Flex application. You can use programmatic security to limit access to services, or you can apply declarative security constraints to entire services.
When accessing RPC services with Flex tags such as the
Destinations must be configured entirely in the Flex application; the component must communicate directly with the RPC service.
In addition, you must set the use-proxy compiler option to false when you compile the application.
When use-proxy is false, one of the following must be true:
- The RPC is in the same domain as the Flex application that calls it.
- The RPC's host system has a crossdomain.xml file that explicitly allows access from the Flex application's domain.
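The second condition can be checked before deployment. The following Python sketch is an added example, not code from the Flex documentation. It parses a crossdomain.xml policy and reports whether the Flex application's domain is named explicitly, is reachable only through a wildcard entry, or is not allowed. The host name flexapp.example.com, the sample policies, and the simplified wildcard matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real host).
EXPLICIT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="flexapp.example.com"/>
</cross-domain-policy>"""

WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain attribute of every allow-access-from element."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "").strip().lower()
            for el in root.iter("allow-access-from")]


def check_access(policy_xml, app_domain):
    """Classify how the policy treats app_domain.

    Returns 'explicit' (named exactly), 'wildcard' (only reachable through
    a * entry, which also admits other domains) or 'denied'.
    """
    app_domain = app_domain.lower()
    result = "denied"
    for pattern in allowed_domains(policy_xml):
        if pattern == app_domain:
            return "explicit"
        # Simplified wildcard handling (assumption): "*" covers everything,
        # "*.example.com" covers any host ending in ".example.com".
        if pattern == "*" or (pattern.startswith("*.")
                              and app_domain.endswith(pattern[1:])):
            result = "wildcard"
    return result


if __name__ == "__main__":
    for name, policy in (("explicit", EXPLICIT_POLICY),
                         ("wildcard", WILDCARD_POLICY)):
        print(name, "->", check_access(policy, "flexapp.example.com"))
```

A result of 'wildcard' means the RPC host accepts calls from more domains than the one Flex application, so the entry should be narrowed to the application's own domain. Parse only policy files you trust with this standard-library parser.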