
Basic Authentication with Flash

This is *** unbelievable! Flash programmers are familiar with the example:

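import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestHeader;
import flash.net.URLRequestMethod;
import flash.net.URLVariables;
import mx.utils.Base64Encoder;

var req:URLRequest = new URLRequest("http://yoursite.com/yourservice.ext");
req.method = URLRequestMethod.POST;
req.data = new URLVariables("name=John+Doe");

// Basic credentials are the Base64 encoding of "username:password"
var encoder:Base64Encoder = new Base64Encoder();
encoder.encode("yourusername:yourpassword");

// Add the Authorization header by hand
var credsHeader:URLRequestHeader = new URLRequestHeader("Authorization", "Basic " + encoder.toString());
req.requestHeaders.push(credsHeader);

var loader:URLLoader = new URLLoader();
loader.load(req);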

OK... great... that really works. As you can see, I manually add an Authorization header for Basic HTTP authentication. BUT... if I change the request method from POST to GET, the header is not generated.

Is there anyone that knows a solution? 1000x thx!

xpepermint asked Oct 27 '09 14:10


3 Answers

I'm surprised you've even been able to get it to work with a POST request. In December 2007, Flash Player was updated to explicitly disallow the Authorization header. I guess it's possible that they've since re-allowed it. But I'd be surprised by that. Edit: as per @derFunk’s comment, it turns out that in fact the header was subsequently re-allowed, although when sending it to a different domain it has to be explicitly permitted in crossdomain.xml.

Beyond specific issues with the Authorization header, I'm pretty sure that Flash Player will only send custom request headers with a POST request. I'm sorry I don't have a link for that, but at my firm we use Flash Player extensively to work with RESTful web services, and we've had to implement all kinds of workarounds to make things work.

Bottom line, Flash Player has awful support for HTTP. In fact, our set of workarounds is activated by sending the request header X-Crippled-Client: true, which tells our services to interpret requests, and send responses, in mangled ways. It's a real pain in the butt.

Sorry I can't be more helpful… good luck!

Avi Flax answered Sep 20 '22 13:09


@Flax: yup, I couldn't agree more on Flash security with HTTP headers. But there is one more way to do this, though it requires a bit of work. Try using Socket instead of URLLoader, because Socket doesn't have those kinds of restrictions. So for an HTTP request, open a socket to port 80 of the server (http://yoursite.com/). As soon as it is connected to the server, send all your HTTP request headers. Then on SocketDataEvent, parse the data and read (or discard) the response headers, and proceed with the data.

bhups answered Sep 22 '22 13:09
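
The Socket approach from the answer above, written out as an added example that is not part of the original answers: a GET request with a hand-written Authorization header, with the response buffered until the server closes the connection. The host, path and credentials are the question's placeholders. It assumes the server grants Flash Player socket access through a socket policy file, and on port 80 the Base64-encoded credentials travel unencrypted.

```actionscript
import flash.events.Event;
import flash.events.IOErrorEvent;
import flash.events.ProgressEvent;
import flash.events.SecurityErrorEvent;
import flash.net.Socket;
import flash.utils.ByteArray;
import mx.utils.Base64Encoder;

// Placeholders taken from the question; replace with your own values.
var HOST:String = "yoursite.com";
var PATH:String = "/yourservice.ext";

var raw:ByteArray = new ByteArray();   // response bytes collected across SOCKET_DATA events
var socket:Socket = new Socket();
socket.addEventListener(Event.CONNECT, onConnect);
socket.addEventListener(ProgressEvent.SOCKET_DATA, onData);
socket.addEventListener(Event.CLOSE, onClose);
socket.addEventListener(IOErrorEvent.IO_ERROR, onError);
socket.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onError);
socket.connect(HOST, 80);              // port 80 is plain HTTP: nothing here is encrypted

function onConnect(e:Event):void {
    var enc:Base64Encoder = new Base64Encoder();
    enc.insertNewLines = false;        // the header value must stay on a single line
    enc.encode("yourusername:yourpassword");
    // HTTP/1.0 plus "Connection: close": no chunked encoding, and the server
    // closes the socket after the response, which marks its end.
    socket.writeUTFBytes("GET " + PATH + " HTTP/1.0\r\n" +
        "Host: " + HOST + "\r\n" +
        "Authorization: Basic " + enc.toString() + "\r\n" +
        "Connection: close\r\n\r\n");
    socket.flush();
}

function onData(e:ProgressEvent):void {
    // A response can arrive in several chunks; append the bytes, decode later.
    socket.readBytes(raw, raw.length, socket.bytesAvailable);
}

function onClose(e:Event):void {
    raw.position = 0;
    var text:String = raw.readUTFBytes(raw.length);
    var headerEnd:int = text.indexOf("\r\n\r\n");
    if (headerEnd < 0) { trace("incomplete response"); return; }
    trace(text.substring(0, text.indexOf("\r\n")));  // status line, e.g. a 200 or a 401
    trace(text.substring(headerEnd + 4));            // body; headers are discarded
}

function onError(e:Event):void { trace("socket error: " + e.type); }
```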


So this is super old but it came up while I was searching for a way to use Parse.com with the Flash Player.

I'm baffled that this actually works, but to get Flash to send headers in a GET command, just set it as a POST, but run an override.

req.requestHeaders.push(new URLRequestHeader("X-HTTP-Method-Override", URLRequestMethod.GET));

I tried it thinking that it was crazy and couldn't possibly work, but it does!

DrNeroCF answered Sep 20 '22 13:09