1. Secure the primary keys
- Store at least the primary key in the session on the way out from Java to Flex. When the request comes back from Flex to Java, check that the user actually has access to the primary key they are trying to change. An AMF payload is as easy to edit as a form field, so the id carried in the request must never be trusted on its own.
2. Secure the foreign keys
- Other classes will probably carry your customer.id as a foreign key. Make sure these are protected from tampering as well, with the same session check: a client can swap the foreign key in a related object just as easily as the primary key.
3. Secure the remote methods that Flex will be calling
- Use remoting-config.xml to limit which methods of a destination can be invoked. A method listed under exclude-methods cannot be called over remoting at all, so a security-constraint on it would have nothing to protect; to expose a method only to a role, list it under include-methods with a security-constraint attribute (when include-methods is present, only the listed methods are callable). The constraint name must match a security-constraint defined in the security section of services-config.xml, which maps it to container roles. One way to do this:
<destination id="customerService">
    <properties>
        <source>customerService</source>
        <include-methods>
            <method name="updateCustomer" security-constraint="admin-users"/>
        </include-methods>
    </properties>
</destination>
You can read more about this in the BlazeDS developer guide.
4. Secure any other fields that are sensitive and must not be changeable by the end user. Do not persist whatever object the client sent back; copy only the editable fields from the incoming object onto the row loaded on the server, so that a client who edits a field like a price, role or account tier in the AMF payload gains nothing.
Reference: flexpasta.com
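How steps 1, 2 and 4 fit together in the Java service, as an added example (this is not code from the original post or from BlazeDS): a plain Map stands in for the per-user FlexSession, the in-memory map and the Customer class are constructed sample data, and the field names and session attribute names are assumptions.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class CustomerServiceExample {

    // A Customer as the Flex client sends it back over remoting: every field is
    // client-controlled and therefore untrusted until checked.
    static class Customer {
        long id;          // primary key
        long accountId;   // foreign key to the Account that owns this customer
        String name;      // editable by the end user
        String email;     // editable by the end user
        String tier;      // sensitive: may only be changed by server-side logic

        Customer(long id, long accountId, String name, String email, String tier) {
            this.id = id;
            this.accountId = accountId;
            this.name = name;
            this.email = email;
            this.tier = tier;
        }
    }

    // Session attribute names (assumed; any unique names will do).
    static final String CUSTOMER_IDS = "customer.ids";
    static final String ACCOUNT_IDS = "account.ids";

    // Stand-in for the per-user FlexSession; in BlazeDS this would be
    // FlexContext.getFlexSession() with its getAttribute/setAttribute.
    private final Map<String, Object> session;
    // Stand-in for the database (constructed sample rows, see main).
    private final Map<Long, Customer> db = new HashMap<>();

    CustomerServiceExample(Map<String, Object> session) {
        this.session = session;
    }

    @SuppressWarnings("unchecked")
    private Set<Long> keysSeen(String attribute) {
        Set<Long> keys = (Set<Long>) session.get(attribute);
        if (keys == null) {
            keys = new HashSet<>();
            session.put(attribute, keys);
        }
        return keys;
    }

    // Outbound (steps 1 and 2): as a row leaves Java for Flex, remember in the
    // session which primary and foreign keys this user has legitimately been given.
    public Customer loadCustomer(long id) {
        Customer c = db.get(id);
        if (c == null) {
            throw new IllegalArgumentException("no such customer: " + id);
        }
        keysSeen(CUSTOMER_IDS).add(c.id);
        keysSeen(ACCOUNT_IDS).add(c.accountId);
        return c;
    }

    // Inbound (steps 1, 2 and 4): refuse any key this session was never handed,
    // then copy only the user-editable fields onto the stored row.
    public Customer updateCustomer(Customer incoming) {
        if (!keysSeen(CUSTOMER_IDS).contains(incoming.id)) {
            throw new SecurityException("customer " + incoming.id + " was not issued to this session");
        }
        if (!keysSeen(ACCOUNT_IDS).contains(incoming.accountId)) {
            throw new SecurityException("account " + incoming.accountId + " was not issued to this session");
        }
        Customer stored = db.get(incoming.id); // non-null: it passed the primary-key check
        stored.name = incoming.name;
        stored.email = incoming.email;
        stored.accountId = incoming.accountId; // allowed only because it passed the foreign-key check
        // stored.tier is deliberately never copied from the client object
        return stored;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // one user's session
        CustomerServiceExample svc = new CustomerServiceExample(session);
        svc.db.put(1L, new Customer(1L, 10L, "Ann", "ann@example.com", "standard"));
        svc.db.put(2L, new Customer(2L, 20L, "Bob", "bob@example.com", "gold"));

        svc.loadCustomer(1L); // this user is shown customer 1 only

        // Legitimate edit of the row the user was given; the client also tried to upgrade tier
        svc.updateCustomer(new Customer(1L, 10L, "Ann B.", "ann@example.com", "gold"));
        System.out.println("tier after update: " + svc.db.get(1L).tier);

        // Tampered request: customer.id rewritten to point at someone else's row
        try {
            svc.updateCustomer(new Customer(2L, 20L, "Mallory", "m@example.com", "gold"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The tier change in the first call is silently dropped because updateCustomer never reads that field from the client object, and the second call is refused before any row is touched because customer 2 was never loaded in this session. In a real BlazeDS deployment the same checks sit behind the include-methods security-constraint, which only decides whether the caller may invoke the method at all, not which rows the caller may change.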
GDS over BlazeDS:
If you are a software provider using Java EE persistence technologies such as Hibernate, you will certainly feel the importance of a framework that takes care of your lazy fetching strategy. One of the most important features of GDS (and one of the main reasons for its creation) is the possibility of using exact ActionScript 3 copies of Hibernate detached objects on the client side, just as if you were in the web layer of a classical Java EE application. This does not seem to be possible at all with BlazeDS, which means you cannot simply replace GDS with BlazeDS. Additionally, you will be able to use the Gas3 code generation features, which are real time savers.
Feature comparison (legend: + supported, - not supported, ? unknown):

| Feature | BlazeDS | GraniteDS | WebORB | LiveCycle DS |
|---|---|---|---|---|
| Data management services | | | | |
| Client-server synchronization | - | + | + | + |
| Conflict resolution | - | - | + | + |
| Data paging | - | + | + | + |
| SQL adapter | - | - | + | + |
| Hibernate adapter | - | + | + | + |
| Document services | | | | |
| LiveCycle remoting | - | - | + | + |
| RIA-to-PDF conversion | - | - | + (plugin) | + |
| Enterprise-class Flex application services | | | | |
| Data access/remoting | + | + | + | + |
| Proxy service | + | + | + | + |
| Automated testing support | - | - | + (through RIA AppPuncher, coming soon) | + |
| Software clustering | + | + | + | + |
| Web tier compiler | - | + | + | + |
| Flex code generation | - | + | + | - |
| Enterprise integration | | | | |
| WSRP generation | - | - | - | + |
| Ajax data services | + | - | + | + |
| Flex-Ajax bridge | + | - | - | + |
| Runtime configuration | + | - | + | + |
| Open adapter architecture | + | - | - | + |
| JMS adapter | + | + | + | + |
| Server-side component framework integration | + | + | + | + |
| Stateful services (session scope for Java objects) | - | + | + | ? |
| Singleton services (application scope for Java objects) | - | + | + | ? |
| Server-to-client method invocation | - | - | + | ? |
| ColdFusion integration | - | - | + | + |
| Service browser displaying POJOs, Spring beans, EJBs and a list of deployed JAR files | - | - | + | - |
| Offline application support | | | | |
| Offline data cache | - | - | + | + |
| Local message queuing | - | - | + | + |
| Real-time data | | | | |
| Publish and subscribe messaging | + | - | + | + |
| Real-time data quality of service | - | + | + | + |
| RTMP tunneling | - | - | + | + |
| Frameworks built-in integration | | | | |
| Spring | - | + | + | - |
| EJB3 | - | + | ? | - |
I used the following articles:
http://sujitreddyg.wordpress.com/2008/01/31/blazeds-and-lcds-feature-difference/
http://www.infoq.com/news/2008/02/granite-data-services
http://www.themidnightcoders.com/weborb/java/product_editions.shtm
http://www.graniteds.org/confluence/display/DOC/1.1.+What+is+Granite+Data+Services
http://www.adobe.com/products/livecycle/dataservices/features.html